HCLTech Software Vulnerability Disclosure Policy
HCLTech Software recognizes how important the security community is in keeping our products and our customers safe. We thank you in advance for your contributions to our vulnerability disclosure program.
The HCLTech Software PSIRT Team manages the receipt, investigation and internal coordination of security vulnerability information related to HCLTech Software offerings. This team will coordinate with HCLTech product and solutions teams to investigate and, if needed, identify the appropriate response plan. Maintaining communication between all involved parties, both internal and external, is a key component of our vulnerability response process.
HCLTech will aim to respond to new reports within 2 business days.
Customers and other entitled users of a product or solution should contact HCLTech Software Customer Support to report issues discovered in HCLTech offerings. If the HCLTech Software Customer Support Team determines that a reported issue is a security vulnerability, it will contact the HCLTech Software Vulnerability Management Team as needed.
Guidelines
- Initially, this Program Policy is limited to exploitable security vulnerabilities and CVEs found in the products that HCLTech has acquired from IBM. Please see the list of In Scope products below. As we expand our Vulnerability Management Program, we will add more HCLTech Software products to this list.
- To be eligible to participate in this program, you must not have been under contract to perform security testing for HCLTech Corporation, an HCLTech subsidiary, or an HCLTech client within the 6 months prior to submitting a report.
- Only report vulnerabilities for HCLTech Software products that are currently in support. Check the “In Scope” section below for the product list. Only the current release and the previous release of any of these products are covered by this program.
- To protect our customers, HCLTech Software does not publicly disclose or confirm security vulnerabilities until HCLTech Software has conducted an analysis of the product and issued fixes and/or mitigations. By submitting a vulnerability report to HCLTech Software, you agree to not publicly disclose or share the vulnerability with any third party until HCLTech Software confirms that the vulnerability has been remediated or you have received written permission from HCLTech Software to publish information about the vulnerability.
- HCLTech Software does not participate in bug bounty awards programs at this time.
- In order for HCLTech to evaluate your vulnerability report, you agree to provide the following information about your finding: your email address (required) and details on the software product and version, a description of the issue, the hardware platform, steps to reproduce the issue, and potential impact. See section “How to Submit a Security Vulnerability”.
- Do not include any information that may identify an individual (such as a name, contact information, IP address or other similar information) in any attachments included in your vulnerability report.
Out of Scope Vulnerabilities
The following submissions are not accepted as part of this program.
- Clickjacking on pages with no sensitive state changing actions.
- Unauthenticated/logout/login CSRF.
- Attacks requiring MITM or physical access to a user's device.
- Previously known vulnerable libraries without a working Proof of Concept.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Best practices that do not lead to an actionable vulnerability or do not have a CVE.
- Any activity that could lead to the disruption of our service (DoS).
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
- Reports against HCLTech software that has reached End of Support (EOS) are not accepted and will receive a "Not Applicable" response.
- Publicly known data meant to be accessed by anyone. Please note: if you find a directory listing and explain how it can lead to a malicious exploit then we'll accept it.
Legal Notice
By submitting a vulnerability report to HCLTech, you agree that HCLTech may use any information provided by you in such report for any HCLTech business purpose (including but not limited to reproduction of the vulnerability, remediation of the vulnerability and general development purposes), without requiring consent from or payment to you.
Also, it is important that you notify us if any such information or associated intellectual property is not your own work or is covered by the intellectual property rights of others. Not notifying us means that you've represented that no third-party intellectual property rights are involved.
Thank you for helping keep HCLTech and our customers safe!
In Scope
At this time, the HCLTech Software Vulnerability Management Program is limited to the current release and the previous release of the products listed below, which HCLTech Software acquired from IBM in July 2019.
- HCLTech AppScan
- HCLTech BigFix
- HCLTech Commerce
- HCLTech Connections
- HCLTech Digital Experience (Portal & Content Manager)
- HCLTech Domino
- HCLTech Notes
- HCLTech Sametime
- HCLTech Unica
- HCLTech Verse