OutSystems
OutSystems combines a low-code foundation with AI-driven software development to deliver enterprise apps and custom agents with full SDLC governance.
External Program
Submit bugs directly to this organization
OutSystems
OutSystems combines a low-code foundation with AI-driven software development to deliver enterprise apps and custom agents with full SDLC governance.
External Program
Submit bugs directly to this organization
This policy was created to provide our customers guidance and information in the event of a vulnerability reported in an OutSystems product. It's essential to ensure that our customers have a consistent and unambiguous resource to understand how OutSystems responds to events of this nature.
OutSystems Product Security Incident Response Team (PSIRT) investigates all reports regardless of the OutSystems software code version or product lifecycle status until the product reaches the end of mainstream support.
Issues will be prioritized based on the risk score and severity. The resolution of a reported vulnerability may require installing new software versions of products that are under active support from OutSystems. As a best practice, OutSystems strongly recommends that customers periodically verify if their products are under mainstream support to ensure access to the latest software updates.
During any investigation, the OutSystems PSIRT manages all sensitive information on a highly confidential basis. Internal distribution is limited to those individuals who have a legitimate need-to-know and can actively assist in the resolution.
Similarly, the OutSystems PSIRT asks reporters to maintain strict confidentiality until complete resolutions are available for customers and have been published by the OutSystems PSIRT on the OutSystems website through the appropriate coordinated disclosure.
If you are an OutSystems customer or partner and have access to our Support Portal, please report your vulnerability reports through OutSystems Support using the available channels.
Often, vulnerability scans, static code analysis, or dynamic code analysis are performed by third-party tools that output a report. Those reports shouldn't be sent untreated to OutSystems. Instead, they should first be analyzed.
This means that customers and partners must first analyze the findings in such reports and determine if:
Read the following articles before performing any type of testing on your OutSystems applications:
For customers who require help in analyzing reports from third-party tools, OutSystems has made available a service. To obtain more information about this service, customers should reach out to their Customer Success Managers (CSM), Account Representative, or Solution Design Manager (SDM).
After analysis, if the findings are related to the OutSystems platform, please submit a vulnerability report. The instructions to submit such a report to OutSystems support can be found next.
To submit a vulnerability report, use Support Portal by raising an incident.
This section must contain a summary of the vulnerability and its impact.
Example (not real):
LifeTime contains an insecure object reference vulnerability where any user can view the details of any other user. This may lead to data leak since details of the users can be accessed by any user.
Example (not real):
https://[URL]/users?uid=2If this information isn't consistently provided, the support case may ultimately be closed. There should be only one vulnerability being addressed per incident in order to facilitate the communication and the proper investigation.
Reports will be handled within the scope and SLA's of customers' and partners' contracts.
Any person that's not an OutSystems customer or partner is welcome to report a vulnerability to OutSystems PSIRT by using this form and filling in all the mandatory information.
OutSystems PSIRT may return to the reporter with additional questions or clarifications and provides the reporter with regular updates when relevant information comes to light.