SECURITY VULNERABILITY REPORTING PROGRAM

Security is important for Infor and its customers, and we work hard to maintain secure customer environments. If you are a security researcher and would like to report a security flaw in one of our environments, we encourage you to disclose your discovery to us quickly and responsibly. Infor will engage with security researchers when vulnerabilities are reported to us in accordance with this security vulnerability reporting program.

Reporting security vulnerabilities

Infor encourages security researchers to report the details of any suspected vulnerabilities by submitting the form at the bottom of this page. We’ll review each submitted finding to determine its validity. We’ll respond to legitimate findings and remediate them in accordance with our commitment to security and privacy. We thank you for helping to make Infor products and environments as secure as possible.

Types of things to report:

  • Disclosure of sensitive customer information
  • Business logic flaws (e.g., price manipulation, bypassing authorization process, etc.)
  • Remote command execution on Infor hosts
  • Clickjacking/UI redressing (with proof of exploitability)
  • SQL injection, LDAP injection, SSTI injection
  • Server-side request forgery (SSRF)
  • XSS leading to account compromise or disclosure of sensitive information
  • Cross-site request forgery (CSRF) of authenticated pages that lead to meaningful impact
  • Resource exhaustion through amplification and other forms of denial of service (excluding DDoS)
  • Use of known-vulnerable/out-of-date libraries or services (with proof of exploitability)
  • Open redirects (with proof of exploitability)
  • Reflected file download (with proof of exploitability)

Noncompliance

Please refrain from any of the following activities on Infor assets:

  • Any activity that would degrade the operation of systems and applications
  • Accessing or attempting to access any accounts or data that don’t belong to you
  • Attempting to modify or destroy any data that doesn’t belong to you
  • Executing or attempting to execute any DDoS attack
  • Executing or attempting to execute any denial of service attack that affects other Infor customers
  • Uploading, posting, transmitting, linking to, sending, or storing malicious software
  • Uploading any active web shells or creating persistence to validate bugs. Instead, retrieve a hostname and username as proof of your vulnerability. Reports will be considered noncompliant if malicious files are uploaded to Infor systems.
  • Sending unsolicited or unauthorized junk email, spam, phishing, or other forms of unsolicited messages to accounts that don’t belong to you
  • Testing third-party applications, websites, or services that integrate with or link to Infor systems
  • Any activity that violates any applicable law

Issues not to report

The following is a partial list of issues that we ask you not to report, unless you believe there is an actual vulnerability:

  • Unauthenticated CSRF or logout CSRF
  • Disclosure of known public files or directories (e.g., robots.txt)
  • Domain name system security extensions (DNSSEC) configuration suggestions
  • Banner disclosure on common/public services
  • HTTP/HTTPS/SSL/TLS security header configuration suggestions (without proof of exploitability)
  • Phishing or social engineering techniques
  • Presence of application or web browser auto-complete or save-password functionality
  • Disclosure of sensitive information (without proof of exploitability)
  • Self-exploitation (including self-XSS)
  • Missing security best practices
  • Missing security HTTP headers (without proof of exploitability)
  • Clickjacking/UI redressing (without proof of exploitability)
  • Use of known-vulnerable/out-of-date library (without proof of exploitability)
  • Intentional open redirects (without proof of exploitability)
  • Missing cookie flags (without proof of exploitability)
  • Reflected file download (without proof of exploitability)
  • Email configuration suggestions, including incomplete/missing SPF/DKIM
  • Physical attacks
  • Results of automated scanners (without proof of exploitability)
  • Issues related to networking protocols
  • Software version disclosure
  • Verbose error pages (without proof of exploitability)
  • DDoS attacks
  • Authenticated account/email enumeration
  • Internal IP address disclosure
  • Accessible non-sensitive files and directories (e.g., readme.txt, changes.txt, robots.txt, etc.)
  • Email spoofing
  • Descriptive error messages (e.g., stack traces, application or server errors, path disclosure)
  • Attacks requiring MITM or physical access to a user’s device
  • Comma-separated values (CSV) injection (without proof of exploitability)
  • Content spoofing, text injection (without proof of exploitability)
  • Lack of antivirus scanning for file uploads (without proof of exploitability)

VULNERABILITY SUBMISSION FORM


SAFE HARBOR

We consider activities conducted consistent with this security vulnerability reporting program to constitute “authorized” access under applicable anti-hacking laws. To the extent your activities, as specified herein, are inconsistent with certain restrictions in our Company Website Terms of Use, we waive those restrictions for the limited purpose of permitting security research as specified in this program. Infor strongly supports security research into our products and wants to encourage this type of research. Provided your actions are consistent with the provisions herein, we will not bring a claim against you for circumventing the technological measures we have used to protect the applications in scope. If legal action is initiated by a third party against you in connection with your security vulnerability research, as described herein, and you have complied with the terms of this program, we will take commercially reasonable steps to make it known to such third party that your actions were conducted in compliance with this program. We will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of the terms of this program.