
Informatica
External Program
Submit bugs directly to this organization
At Informatica we take the security of your information seriously. If you believe you've detected a vulnerability within our products, including their AI features, or experienced unexpected or abnormal responses or outputs, we'd like you to tell us about it via our Responsible Disclosure Program.
If you believe you have discovered a vulnerability or other abnormality or have a security incident to report, please submit a bug report and someone will contact you in a timely manner. Please include a detailed summary of the issue you discovered so that we can attempt to reproduce it and assess its severity and impact.
## Qualifying Properties:
In general, any implementation issue that is reproducible and significantly affects the security of Informatica customers is likely in scope for this program. Typical types of issues include:
• Cross-site Scripting (XSS)
• Cross-site Request Forgery (CSRF)
• Server-Side Request Forgery (SSRF)
• SQL Injection
• Server-side Remote Code Execution (RCE)
• XML External Entity (XXE) attacks
• Access control issues (Insecure Direct Object Reference issues, etc.)
• Exposed administrative panels that don't require login credentials
• Directory traversal issues
• Local File Disclosure (LFD)
• Broken authentication or authorization issues
• Broken cryptographic implementation with a working exploit
• Circumvention of our framework's privacy and permission models
• Information leaks associated with Informatica data (for example, GitHub repository leaks)
The following issues are outside the scope of our recognition program:
• Best-practice concerns
• Vulnerabilities affecting users of outdated or unsupported browsers or platforms
• Self-XSS that cannot be used to exploit other users
• Reports from automated tools or scans
• Denial of Service attacks
• Host Header Injection
• Reflected File Download (RFD)
• Username enumeration
• Physical or social engineering attempts (this includes phishing attacks against Informatica employees)
• Content injection issues
• Cross-site Request Forgery (CSRF) with minimal security implications (logout CSRF, etc.)
• Missing autocomplete attributes
• Missing cookie flags
• Issues which require physical access to a victim's computer
• Missing security headers which do not present an immediate security vulnerability
• SSL/TLS scan reports (this means output from sites such as SSL Labs)
• Banner grabbing issues (figuring out what web server we use, etc.)
• Open ports without an accompanying proof-of-concept demonstrating a vulnerability
• Open redirect vulnerabilities
• Publicly accessible login panels
• Recently disclosed 0-day vulnerabilities; please give us two weeks before reporting these types of issues
• Identification of Informatica data in OSINT sources in the absence of a working exploit (e.g. Shadowserver, RBLs, etc.)
• Email/SMS flooding attacks
• Issues related to software or protocols not under Informatica's control
• Physical attempts against Informatica personnel, property or data centers
• Clickjacking and issues exploitable only by clickjacking
Any vulnerability reported for a particular domain cannot be reported as a new vulnerability for its associated domains (for example, if a vulnerability is reported for .com, the same issue cannot be reported for test.com, uat.com or any similar ones).
Please refrain from accessing sensitive information (use a test account and/or system instead), performing actions that may negatively affect other Informatica users (denial of service), exploiting any unexpected or inaccurate output or abnormality of an AI feature, or sending reports from automated tools. If classified, personal, or other non-public information is accessed, finders agree not to use or disclose the information for any purpose and to delete it promptly.
Informatica reserves the right to assess each bug to determine if it qualifies.
Informatica makes every reasonable effort to protect the information in our care from loss, misuse, alteration or destruction. Only authorized employees and clients have access to the data that we gather, and that access is limited by need. All employees who have access to client data are required to maintain the confidentiality of such information. No method of transmission over the Internet or method of electronic storage is 100% secure; therefore, while we strive to use all commercially reasonable means to protect client information, we cannot guarantee absolute security. Informatica does not guarantee the accuracy, completeness or reliability of any information or output provided by its products, including their AI features. Informatica makes every reasonable effort to test for and identify abnormalities or unexpected results from its products.