Thursday, October 24, 2013

Reporting security issues to SAP

Security in today’s interconnected digital world is very important. There are many hacks, threats, attacks, viruses reported on daily basis. Every year hackers are using more sophisticated methods. As many other software vendors SAP is very much into the security aspects within its software. Basis team of every customer running SAP should regularly monitor security SAP Notes (see service.sap.com/securitynotes). SAP have patch day - Tuesday. It is every second Tuesday of month (so called SAP Security Patch Day).

But purpose of this blog post is intended to provide basic guideline to someone who may find security issue within SAP software and wants to report it to SAP.

So how to report a Security Issue to SAP? Basic advice is provided by SAP at following page:

Basically there are two options depending who you are:

1 SAP Customer:  In case you find out possible security issue report it to SAP via SMP as customer message at service.sap.com/message

2 Independed:  If realize possible security issue, please report it to SAP Product Security Response Team via email mailto:secure@sap.com using PGP for e-mail encryption.



If you are curious how many issues were discovered by independed researchers and who are those people look at following page: http://scn.sap.com/docs/DOC-8218 Page provides that statistics – a kind of hall of fame or acknowledgments to security researchers.

No comments: