Security Vulnerability Reporting Program
Security is important for Infor and its customers, and we work hard to maintain secure customer environments. If you are a security researcher and would like to report a security flaw in one of our environments, we encourage you to disclose your discovery to us quickly and responsibly. Infor will engage with security researchers when vulnerabilities are reported to us in accordance with this security vulnerability reporting program.
Reporting Security Vulnerabilities
Infor encourages security researchers to report the details of any suspected vulnerabilities by submitting the form at the bottom of this page. We’ll review each submitted finding to determine its validity. We’ll respond to legitimate findings and remediate them in accordance with our commitment to security and privacy. We thank you for helping to make Infor products and environments as secure as possible.
Types of Things to Report
- Disclosure of sensitive customer information
- Business logic flaws (e.g., price manipulation, bypassing authorization process, etc.)
- Remote command execution on Infor hosts
- Clickjacking/UI redressing (with proof of exploitability)
- SQL injection, LDAP injection, SSTI injection
- Server-side request forgery (SSRF)
- XSS leading to account compromise or disclosure of sensitive information
- Cross-site request forgery (CSRF) of authenticated pages that lead to meaningful impact
- Resource exhaustion through amplification and other forms of denial of service (excluding DDoS)
- Use of known-vulnerable/out-of-date libraries or services (with proof of exploitability)
- Open redirects (with proof of exploitability)
- Reflected file download (with proof of exploitability)
Noncompliance
Please refrain from any of the following activities on Infor assets:
- Any activity that would degrade the operation of systems and applications
- Accessing or attempting to access any accounts or data that don’t belong to you
- Attempting to modify or destroy any data that doesn’t belong to you
- Executing or attempting to execute any DDoS attack
- Executing or attempting to execute any denial of service attack that affects other Infor customers
- Uploading, posting, transmitting, linking to, sending, or storing malicious software
- Uploading any active web shells or creating persistence to validate bugs. Instead, retrieve a hostname and username as proof of your vulnerability. Reports will be considered non-compliant if malicious files are uploaded to Infor systems.
- Sending unsolicited or unauthorized junk email, spam, phishing, or other forms of unsolicited messages to accounts that don’t belong to you
- Testing third-party applications, websites, or services that integrate with or link to Infor systems
- Any activity that violates any applicable law
Issues Not to Report
The following is a partial list of issues that we ask you not to report, unless you believe there is an actual vulnerability:
- Unauthenticated CSRF or logout CSRF
- Disclosure of known public files or directories (e.g., robots.txt)
- Domain name system security extensions (DNSSEC) configuration suggestions
- Banner disclosure on common/public services
- HTTP/HTTPS/SSL/TLS security header configuration suggestions (without proof of exploitability)
- Phishing or social engineering techniques
- Presence of application or web browser auto-complete or save-password functionality
- Disclosure of sensitive information (without proof of exploitability)
- Self-exploitation (including self-XSS)
- Missing security best practices
- Missing security HTTP headers (without proof of exploitability)
- Clickjacking/UI redressing (without proof of exploitability)
- Use of known-vulnerable/out-of-date library (without proof of exploitability)
- Intentional open redirects (without proof of exploitability)
- Missing cookie flags (without proof of exploitability)
- Reflected file download (without proof of exploitability)
- Email configuration suggestions, including incomplete/missing SPF/DKIM
- Physical attacks
- Results of automated scanners (without proof of exploitability)
- Issues related to networking protocols
- Software version disclosure
- Verbose error pages (without proof of exploitability)
- DDoS attacks
- Authenticated account/email enumeration
- Internal IP address disclosure
- Accessible non-sensitive files and directories (e.g., readme.txt, changes.txt, robots.txt, etc.)
- Email spoofing
- Descriptive error messages (e.g., stack traces, application or server errors, path disclosure)
- Attacks requiring MITM or physical access to a user’s device
- Comma-separated values (CSV) injection (without proof of exploitability)
- Content spoofing, text injection (without proof of exploitability)
- Lack of antivirus scanning for file uploads (without proof of exploitability)
Reporting a Vulnerability (VDP)
If you identify a potential security issue, please report it to us via email: vulnerabilityreporting@infor.com
To help us investigate efficiently, include:
- A clear description of the vulnerability
- Steps to reproduce the issue
- Any supporting materials (e.g., screenshots, proof-of-concept code)
- The affected system, application, or URL
We are committed to acknowledging your report promptly and working with you to resolve the issue. Any personal data you provide will be processed for the purpose of investigating and resolving the reported vulnerability, in accordance with our Privacy Policy at: https://www.infor.com/about/privacy.
Bug Bounty Program (Rewards)
If you are interested in receiving monetary rewards for valid vulnerability findings, you must participate through our official bug bounty program hosted with Bugcrowd.
To be eligible for rewards:
- You must register on the platform. Please check Bugcrowd’s researcher onboarding page https://docs.bugcrowd.com/researchers/onboarding/researcher-onboarding/. By registering, your personal data will be processed by Bugcrowd in accordance with their privacy policy.
- Send an email to vulnerabilityreporting@infor.com stating that you are interested in joining the private bug bounty program
- Submit findings through the Bugcrowd platform (not via email)
- Ensure the vulnerability is within the defined program scope
- Ineligible for the bug bounty program: Infor employees, partners, contractors, and consultants
Only submissions made through the bug bounty platform will be considered for financial rewards.
Safe Harbor
We consider activities conducted consistent with this security vulnerability reporting program to constitute “authorized” access under applicable anti-hacking laws. To the extent your activities, as specified herein, are inconsistent with certain restrictions in our Company Website Terms of Use, we waive those restrictions for the limited purpose of permitting security research as specified in this program. Infor strongly supports security research into our products and wants to encourage this type of research. Provided your actions are consistent with the provisions herein, we will not bring a claim against you for circumventing the technological measures we have used to protect the applications in scope. If legal action is initiated by a third party against you in connection with your security vulnerability research, as described herein, and you have complied with the terms of this program, we will take commercially reasonable steps to make it known to such third party that your actions were conducted in compliance with this program. We will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of the terms of this program.