The SAP Product Security Response Team thanks all researchers and security IT professionals that help with discovering and solving security vulnerabilities. Their findings continuously help SAP maintain the security and safety of its customers' and partners' SAP systems.
Our acknowledgements page lists those professionals we have worked with successfully in the past. We thank all security researchers for their excellent work and hope to continue the beneficial relationship between security professionals and SAP.
Security researchers who have helped SAP to improve the security and integrity of our customers' IT systems by respecting our disclosure guidelines this month are:
October 2015
ERPScan, Mathieu GELI
Center for Computing Technologies at the Universität Bremen (TZI),Karsten Sohr
Mehmet Nurcan
Onapsis, Alejandro Gabriel Burzyn, Fernando Russ, Jordan Santarsieri, Juan Perez-Etchegoyen, Nahuel D. Sánchez, Pablo Artuso, Pabio Muller, Sergio Abraham
Pavan Paidy
Tayyab Qadir
ZDI Disclosures, Steven Seeley
Each Patch Day (second Tuesday of a month) the involved external researchers are listed with company name, link to their home page, and name of the person. Details about finding are not included. The order of the list is alphabetical according to company name.
For previous months' acknowledgments, visit theacknowledgments archivepage.
To view the security notes released this Patch Day, visit theSupport Portal.
SAP encourages the responsible disclosure of security vulnerabilities and therefore requests the researchers to follow the following general guidelines:
- If you have detected a vulnerability in one of our software products – either in the latest or in a former product version –you shall inform us about the issue and follow the guidelines and processes in accordance with our Portal page “Report a Security Vulnerability to SAP”.
- Give SAP sufficient time to develop suitable fixes.
- Do not publicize vulnerabilities until SAP customers have had enough time to deploy fixes.
- As a rule of thumb, we suggest respecting an implementation time of three months. We ask all security researchers to not disseminate any kind of information or tools that would help to exploit the vulnerability during that time.
- Provide us all of your external disclosures beforehand, such as advisories or presentations with SAP product security content for a review.
We honestly appreciate your work and certainly want to show this appreciation through credits on a public Web site. Nevertheless, SAP reserves the right to change or delete credits at any time.
For further information, read theDisclosure Guidelinesfor SAP Security Advisories.