
Acknowledgments to Security Researchers


The SAP Product Security Response Team thanks all researchers and security IT professionals that helped with discovering and solving security vulnerabilities. Their findings have helped SAP to maintain the security and safety of its customers' and partners' SAP systems.

Our acknowledgements page lists those professionals we have worked with successfully in the past. The acknowledgements are published on a monthly basis and mention all security researchers who helped to improve the security and integrity of our customers' IT systems by respecting our disclosure guidelines. We thank all security researchers for their excellent work and hope to continue the fruitful relationship between security professionals and SAP.

 

Archive

 

Here you can find older entries.

 

May 2013

CBACert, Commonwealth Bank of Australia, Jonathan Brossard, SAP Security Note 1791238

CBACert, Commonwealth Bank of Australia, Jonathan Brossard, SAP Security Note 1791490

ERPScan, Georgy Nosenko, SAP Security Note 1820666

ERPSecurity, Joris van de Vis, SAP Security Note 1729638

ERPSecurity, Joris van de Vis, SAP Security Note 1810809

ESNC, Ertunga Arsal, SAP Security Note 1787455

ESNC, Ertunga Arsal, SAP Security Note 1837030

ESNC, Ertunga Arsal and Mert Suoglu, SAP Security Note 1839758

Matthew Phillips, SAP Security Note 1840970

Onapsis, Jordan Santarsieri, SAP Security Note 1829584

Positive Technologies, Pavel Toporkov, SAP Security Note 1779578

Virtual Forge, Stefan Vogel, Frederik Weidemann, SAP Security Note 1718145

 

April 2013

Virtual Forge, Sandra Möckel and Andreas Wiegenstein, SAP Security Note 1718022

Virtual Forge, Andreas Wiegenstein, SAP Security Note 1827217

Onapsis, Juan Pablo Perez Etchegoyen, SAP Security Note 1757472
Onapsis, Juan Pablo Perez Etchegoyen, SAP Security Note 1819822
KPMG, Tan Kean Siong, SAP Security Note 1784771
ESNC, Ertunga Arsal, SAP Security Note 1812581

INTEGRITY S.A., Bruno Morisson, SAP Security Note 1816536

ERPScan, Nikolay Mescherin, SAP Security Note 1821862

ERPScan, Nikolay Mescherin and Alexey Tyurin, SAP Security Note 1821019

    

March 2013

ESNC, Ertunga Arsal, SAP Security Note 1771567

ESNC, Ertunga Arsal and Mert Suoglu, SAP Security Note 1813734

Virtual Forge, Andreas Wiegenstein, SAP Security Note 1789823

Virtual Forge, Andreas Wiegenstein, SAP Security Note 1786822 

Virtual Forge, Andreas Wiegenstein and Xu Jia, SAP Security Note 1806435 

ERPScan, Alexander Polyakov, SAP Security Note 1784894

ERPScan, Alexander Polyakov, SAP Security Note 1789611

ERPScan, Nikolay Mescherin, SAP Security Note 1807196

ERPScan, Alexander Polyakov, SAP Security Note 1685106

Onapsis, Nahuel D. Sánchez, SAP Security Note 1789611

Positive Technologies, Arseny Reutov, SAP Security Note 1820894

 

February 2013

Core Security Consulting Services, Martin Gallo and Francisco Falcon, SAP Security Note 1800603

ERPScan, Dmitry Chastuhin, SAP Security Note 1757675

ERPScan, Nikolay Mescherin, SAP Security Note 1446476

ERPSecurity, Joris van de Vis, SAP Security Note 1796264

ESNC, Ertunga Arsal, SAP Security Note 1750997

ESNC, Ertunga Arsal, SAP Security Note 1777228

ESNC, Ertunga Arsal, SAP Security Note 1788426

ESNC, Ertunga Arsal, SAP Security Note 1791089

ESNC, Ertunga Arsal, SAP Security Note 1792354

ESNC, Ertunga Arsal, SAP Security Note 1795948

MWR Labs, and Context IS, Dave Hartley, SAP Security Note 1764994

Onapsis, Nahuel D. Sánchez, SAP Security Note 1757675

Virtual Forge, Frederik Weidemann, SAP Security Note 1750997

Virtual Forge, Andreas Wiegenstein, SAP Security Note 1788614

Virtual Forge, Xu Jia, Andreas Wiegenstein, Frederik Weidemann and Markus Schumacher, SAP Security Note 1819543

 

January 2013

Compass Security AG, Axel Neumann, SAP Security Note 1784770

ERPScan, Alexey Tuyrin and Dmitry Chastuhin, SAP Security Note 1412864

ERPScan, Dmitry Chastuhin, SAP Security Note 1628537

ERPScan, Dmitry Chastuhin, SAP Security Note 1729293

ERPScan, Dmitry Chastuhin, SAP Security Note 1725390

ERPSecurity, Joris van de Vis, SAP Security Note 1674132
ERPSecurity, Joris van de Vis, SAP Security Note 1794299

ESNC, Ertunga Arsal, SAP Security Note 1674132

ESNC, Ertunga Arsal, SAP Security Note 1779317

ESNC, Ertunga Arsal and Mert Suoglu, SAP Security Note 1673016

ESNC, Ertunga Arsal, SAP Security Note 1776984

Finnish Communications Regulatory Authority (FICORA), Jussi, SAP Security Note 1731362

Onapsis, Juan Pablo Perez Etchegoyen, SAP Security Note 1755108

Virtual Forge, Xu Jia and Andreas Wiegenstein, SAP Security Note 1772208

Virtual Forge, Xu Jia and Andreas Wiegenstein, SAP Security Note 1785747

Virtual Forge, Xu Jia and Andreas Wiegenstein, SAP Security Note 1775422

Virtual Forge, Andreas Wiegenstein, SAP Security Note 1784654

 

December 2012

ERPSecurity, Joris van de Vis, SAP Security Note 1771020
ERPSecurity, Joris van de Vis, SAP Security Note 1769099

ERPSecurity, Joris van de Vis, SAP Security Note 1773758

ERPSecurity, Joris van de Vis, SAP Security Note 1714607

ESNC, Ertunga Arsal and Mert Suoglu, SAP Security Note 1776695

ESNC, Ertunga Arsal, SAP Security Note 1772498

ESNC, Ertunga Arsal, SAP Security Note 1774903

ESNC, Ertunga Arsal and Anja Meiser, SAP Security Note 1771204

Virtual Forge, Xu Jia and Andreas Wiegenstein, SAP Security Note 1774903

 

November 2012

CIBER, Martin Voros, SAP Security Note 1597598

ERPScan, Alexey Tuyrin, SAP Security Note 1715040

ERPScan, Alexey Tuyrin, SAP Security Note 1734986

ERPScan, Dmitry Chastuhin, SAP Security Note 1679897

ERPSecurity, Joris van de Vis, SAP Security Note 1673713
ERPSecurity, Joris van de Vis, SAP Security Note 1652271

Onapsis, Juan Pablo Perez Etchegoyen, SAP Security Note 1774568

Onapsis, Juan Pablo Perez Etchegoyen, SAP Security Note 1758450

Onapsis, Juan Pablo Perez Etchegoyen, SAP Security Note 1682613

Virtual Forge, Frederik Weidemann, SAP Security Note 1652271

Virtual Forge, Xu Jia, SAP Security Note 1686172

Virtual Forge, Xu Jia and Andreas Wiegenstein, SAP Security Note 1768068

 

October 2012

ERPScan, Alexandr Polyakov, SAP Security Note 1724516

 

September 2012

Virtual Forge, Gert Kremser, SAP Security Note 1678732

ERPScan, Alexey Tuyrin, SAP Security Note 1621534

ERPSecurity, Joris van de Vis, SAP Security Note 1668224
ESNC, Ertunga Arsal, SAP Security Note 1668224

 

August 2012

Virtual Forge, Sebastian Schinzel, SAP Security Note 1687334

Virtual Forge, Sebastian Schinzel, SAP Security Note 1684632
Virtual Forge, Gert Kremser, SAP Security Note 1692988

Ruhr-Universität Bochum, Juraj Somorovsky, Tibor Jager, SAP Security Note 1687334
Ruhr-Universität Bochum, Juraj Somorovsky, Tibor Jager, SAP Security Note 1684632

ERPSecurity, Joris van de Vis, SAP Security Note 1727914
ERPSecurity, Joris van de Vis, SAP Security Note 1718613

ERPScan, Alexey Tuyrin, SAP Security Note 1728500
ERPScan, Alexander Polyakov, SAP Security Note 1669031

Positive Technologies, Ilya Smith, Maxim Tsoy, Kirill Mosolov, Evgeny Ryzhov, SAP Security Note 1663732

 

 

July 2012

ERPScan, Dmitry Chastuhin, SAP Security Note 1721309

ERPScan, Alexander Polyakov, Alexey Tuyrin, Alexandr Minojenko, SAP Security Note 1723641

Virtual Forge, Andreas Wiegenstein, SAP Security Note 1686842

Virtual Forge, Andreas Wiegenstein & Frederik Weidemann, SAP Security Note 1720994

sec-1, Richard Jones, SAP Security Note 1723641

 

June 2012

ESNC, Ertunga Arsal, SAP Security Note 1691744

ESNC, Ertunga Arsal and Mert Suoglu, SAP Security Note 1537089

Virtual Forge, Andreas Wiegenstein, SAP Security Note 1695286
Virtual Forge, Andreas Wiegenstein, SAP Security Note 1683644
Virtual Forge, Andreas Wiegenstein, SAP Security Note 1684539

Virtual Forge, Frederik Weidemann & Markus Seibel (GM IT Business Service), SAP Security Note 1638779

ERPScan, Alexander Polyakov, Alexey Tuyrin, Alexandr Minojenko, SAP Security Note 1707494
ERPScan, Dmitry Chastuhin, SAP Security Note 1705800

CIBER, Martin Voros, SAP Security Note 1599567

akquinet AG, Ralf Kempf, SAP Security Note 1537089

 

May 2012

Compass Security AG, Alexandre Herzog, 1626152

Positive Technologies, Vladimir Zarichny, 1687910

Affinion International, Sherif Mansour, SAP Security Note 1615019

ERPScan, Dmitry Chastuhin, SAP Security Note 1590866

ERPScan, Alexey Tuyrin, SAP Security Note 1597066

ERPScan, Alexey Tuyrin, SAP Security Note 1614834

ERPScan, Dmitry Chastuhin, SAP Security Note 1675605

Zero Day Initiative, SAP Security Note 1685003

Zero Day Initiative, SAP Security Note 1662272

ERPSecurity, Joris van de Vis, SAP Security Note 1675533

ERPSecurity, Joris van de Vis, SAP Security Note 1682505

Core Security Consulting Services, Martin Gallo, 1687910

Context Information Security Ltd, Michael Jordon, Security Note 1341333

 

April 2012

Xiting AG, Julius von dem Bussche, SAP Security Note 1647225

Affinion International, Sherif Mansour, SAP Security Note 1652803

CIBER, Martin Voros, SAP Security Note 1657200

akquinet AG, Ralf Kempf, SAP Security Note 1590651

iDefense Labs, an anonymous researcher working with VeriSign iDefense Labs, Sybase Patches EBF 20065, EBF 20066, EBF 20067, EBF 20068, EBF 20069 and EBF 20070

 

March 2012

Virtual Forge, Andreas Wiegenstein, Frederik Weidemann & Sandra Möckel, SAP Security Note 1607850

Virtual Forge, Andreas Wiegenstein & Peter Werner, SAP Security Note 1580244

ERPScan, Dmitry Chastuhin, SAP Security Note 1656549

ERPScan, Alexey Tuyrin, SAP Security Note 1657891

CIBER, Martin Voros, SAP Security Note 1591427

Onapsis, Mariano Nunez Di Croce, SAP Security Note 1658947

Xiting AG, Julius von dem Bussche, SAP Security Note 1600755

 

February 2012

Virtual Forge, Sebastian Schinzel & Frederik Weidemann, SAP Security Note 1586410

Virtual Forge, Andreas Wiegenstein & Frederik Weidemann, SAP Security Note 1584930

Virtual Forge, Erich Prosche & Sandra Möckel, SAP Security Note 1607529

Virtual Forge, Andreas Wiegenstein & Sven Neuz, SAP Security Note 1597597

Virtual Forge, Andreas Wiegenstein, SAP Security Note 1661349

ERPSecurity, Joris van de Vis, SAP Security Note 1641329

ERPSecurity, Joris van de Vis, SAP Security Note 1644746

Zero Day Initiative, SAP Security Note 1649838

Zero Day Initiative, SAP Security Note 1649840

ESNC, Ertunga Arsal, SAP Security Note 1667805

akquinet AG, Ralf Kempf, SAP Security Note 1644043

 

January 2012

ERPScan, Alexey Sintsov, SAP Security Note 1619539

Virtual Forge, Andreas Wiegenstein & Peter Werner, SAP Security Note 1613621

 

December 2011

ERPScan, Alexandr Polyakov, SAP Security Note 1568003

ERPScan, Alexey Tyurin, SAP Security Note 1594475

ERPScan, Dmitry Chastuhin, SAP Security Notes 1630293, 1584030, 1647871

Daimler TSS GmbH, Stefan Does, SAP Security Note 1647871

National Australia Bank, nabCERT Security Assurance, SAP Security Note 1583982

Virtual Forge, Markus Schumacher, SAP Security Note 1597391

Virtual Forge, Andreas Wiegenstein & Agnes Six, SAP Security Note 1576763

 

November 2011

ERPScan, Dmitriy Chastuchin, SAP Security Notes 1583300, 1585527

ERPScan, Alexey Tuyrin, SAP Security Note 1595074

Virtual Forge, Andreas Wiegenstein, Gert Kremser, Sandra Moeckel, SAP Security Note 1595074

akquinet AG, Ralf Kempf, SAP Security Note 1605054

CIBER, Martin Voros, SAP Security Notes 1632020, 1631458, 1631460

Context Information Security Ltd, Nico Leidecker, SAP Security Note 1638811

Onapsis, Jordan Santarsieri, SAP Security Note 1589716

Xiting AG, Julius von dem Bussche, SAP Security Note 1616366

 

October 2011

ERPSecurity, Joris van de Vis, SAP Security Note 1577513

Virtual Forge, Andreas Wiegenstein, Xu Jia, SAP Security Note 1606808

Virtual Forge, Andreas Wiegenstein, Markus Schumacher, Sebastian Schinzel, SAP Security Note 1577513

ESNC GmbH, Ertunga Arsal, SAP Security Note 1577513

IBM, Dr. Emin Tatli, SAP Security Note 1567387

KPMG, Huynh Thien Tam, SAP Security Note 1567387

ERPScan, Dmitriy Evdokimov, SAP Security Note 1585652

VeriSign iDefense Labs, Abdul Aziz Hariri, Sybase Note 1095200

 

SAP Disclosure Guidelines

SAP takes the security of its products very seriously. A comprehensive software development lifecycle process, clear quality and security standards for software development, and a dedicated Product Security Response process are the most visible evidence of this commitment. The SAP Product Security Response team is responsible for investigating all reported security vulnerabilities, working closely with reporters of vulnerabilities and SAP product development to provide patches, and informing customers about the patches and their importance. Since the integrity and security of business operations is crucial for businesses in all industries, SAP as a provider of business software is absolutely committed to maintaining the highest possible level of security within its products.

 

Reporting Security Vulnerabilities

As an integral part of our continuous improvement process, we are very interested in reports on possible security vulnerabilities. However, to ensure a professional and efficient process, we ask all security researchers to adhere to the following guidelines when reporting potential security vulnerabilities.

 

Report the vulnerability to SAP

When you have detected a vulnerability in one of our software products – either in the latest or in a former product version – please inform us about the issue.

  • Our Product Security Response team is standing by to work with you closely to discuss the vulnerability.
  • A member of our team will get in touch with you shortly after receiving your message – either by e-mail or, if you wish, by telephone.
  • SAP customers who want to report a vulnerability should create a customer ticket in the corresponding support system.
  • All other reporters should send an email to secure@sap.com. When reporting a vulnerability to SAP, please use PGP for e-mail encryption. Get our public PGP key here.

 

Please give SAP sufficient time to develop suitable fixes

    • Fixing security vulnerabilities can be a long and arduous process as we work to develop a patch, ensure its compatibility with all relevant software versions, run comprehensive tests to ensure that the fixes run well and do not have any side-effects, and provide it to our customers.
    • As a vendor of business software we provide security fixes not only to the latest version but also for many older versions of our software products. This means that we need to develop and thoroughly test feasible patches for a broad range of product versions, which can take time.

Please do not publicize vulnerabilities until SAP customers have had time to deploy fixes

    • The deployment of patches for SAP enterprise systems is usually more complicated than a software upgrade on a consumer PC. Depending on the nature of the vulnerability, the deployment of patches often is not only done by an automated update; in some cases it requires manual configuration work in the system.
    • Some of our customers also have regular patching cycles, for instance on a monthly or a quarterly basis.
    • In light of these circumstances, we ask all security researchers to give SAP customers sufficient time to implement patches in their SAP systems. As a rule of thumb, we suggest respecting an implementation time of three months. We ask all security researchers to not disseminate any kind of information or tools that would help to exploit the vulnerability during that time.

 

Legal information - terms and conditions

By submitting information about security threats and/or solution proposals (hereinafter together referred to as "Feedback") to SAP:

  • You commit yourself to the principle expressed in this guideline to avoid any harm to SAP users and you therefore agree not to publicize information about threats and vulnerabilities of the SAP software before a fix and/or patch has been made available by SAP; AND
  • You agree that SAP may use such Feedback to update and/or improve its software; and you grant to SAP a non-exclusive, perpetual, irrevocable, worldwide, royalty-free license, with the right to sublicense to SAP's licensees and customers, under all relevant intellectual property rights, to use, publish, and disclose such Feedback in any manner SAP chooses and to display, perform, copy, make, have made, use, sell, and otherwise dispose of SAP's and its sublicensee's products or services embodying Feedback in any manner and via any media SAP chooses, without reference to the source. SAP shall be entitled to use Feedback for any purpose without restriction or remuneration of any kind with respect to You and/or Your representatives; AND
  • You further agree that SAP may decide, in its sole discretion, to list your name and other personal information that you may provide for this purpose on the Acknowledgements page, unless you express to SAP your desire not to be mentioned. You may request at any time that your name and other personal information is deleted from the Acknowledgements page.
