Overview

We at ServiceNow are committed to maintaining a secure and trustworthy platform for our customers, partners, and users. We appreciate the contributions of the security research community and welcome reports of potential vulnerabilities submitted in good faith.

We do not authorize or encourage active testing, scanning, or auditing of its systems or infrastructure. However, we understand that vulnerabilities may occasionally be discovered incidentally.

If you believe you’ve identified a security issue related to our systems, products, or services, we ask that you report it to us responsibly. The guidelines below outline the best practices for submitting vulnerabilities to us.

Please do not disclose any issue to the public or a third party until we have resolved it. We welcome transparency and look forward to collaborating with you to ensure accuracy, safety, and alignment for all parties involved.

If your security issue is related to the Now Platform, you must:

Consult the product documentation located at https://docs.servicenow.com/ to understand the function of the platform
Obtain a test instance for security research by creating a developer account on https://developer.servicenow.com/ using your HackerOne-provided email address.

Scope

This policy is limited to technical security vulnerabilities affecting ServiceNow-owned products, services, and systems. Please ensure that your submission involves a technical issue and consider both the exploitability and potential security impact when reporting.

Please note:

We do not authorize active auditing, scanning, or penetration testing of our infrastructure.
Assets of acquired companies are in scope.

The following domains are examples of assets considered within scope:

*.servicenow.com
*.service-now.com
*.lightstep.com

Additional assets may be included in scope depending on acquisitions. Feel free to submit your report when you are in doubt.

Out of scope

Domains/subdomains outside of our systems, products, or services.
Vulnerabilities in ServiceNow partner or customer sites or instances.
Automated scanning or use of vulnerability assessment tools.
Vulnerabilities requiring physical access to a user’s computer or device.
Physical attacks against ServiceNow offices or data centers.
Issues based on vulnerabilities already remediated by ServiceNow.
Spam or social engineering attacks.
Unclaimed package namespaces or registry ownership (e.g., npm) without demonstrated impact to ServiceNow systems.
Destructive testing such as DoS/DDoS, resource exhaustion, destructive payloads, data deletion, or corruption.

Guidelines

Please follow the guidelines below when disclosing vulnerabilities.

Report any potential security issues as soon as possible. We will make every effort to quickly resolve the issue.
If you are a ServiceNow customer, submit your findings by following the instructions outlined in our Customer Penetration Testing (CPT) program documentation here (Now Support account required).
If you are a user of a customer’s ServiceNow instance and discover a potential vulnerability through normal use, we will review and, if appropriate, coordinate remediation with the customer responsibly.
Provide sufficient detail to reproduce the vulnerability, including a proof of concept.
Reports relating to issues not in the ServiceNow AI Platform are not in scope for public disclosure.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or accounts for which you have the explicit permission of the account holder.
Redact any language or images that may identify the program or ServiceNow customers from information about a fixed vulnerability.
Do not engage in social engineering or phishing of customers or employees.
Please do not request compensation for time and materials for discovered vulnerabilities through the Responsible Disclosure Program.

Vulnerability submissions

To report a vulnerability, please submit a report (including a proof of concept) via email to [email protected] and follow the auto-response instructions to fully submit your report. You can also submit directly here (HackerOne account creation required).

For ServiceNow product vulnerabilities: to ensure faster triage of your report, we require all reports to include information about changes to default settings and the addition of any plugins not installed by default. Please include information about any changes to the out of the box configuration in your report at the beginning of the section "Steps to Reproduce."

Thank you for helping keep ServiceNow and our users safe!