Automation Anywhere, Inc., is committed to ensuring the safety and security of the products and cloud services that are licensed to our customers.

As such, if you discover a vulnerability in the products or cloud services that are provided to Automation Anywhere customers, Automation Anywhere appreciates your help in disclosing these vulnerabilities to Automation Anywhere in a responsible manner as set out in this Vulnerability Disclosure Policy (VDP).

• Respect the rules. Operate within the rules set forth here or speak up if in strong disagreement with the rules.
• Respect privacy. Make a good faith effort not to access or destroy another user’s data.
• Be patient. Make a good faith effort to clarify and support their reports upon request.
• Do no harm. Act for the common good through the prompt reporting of all found vulnerabilities. Never wilfully exploit others without their permission.

Scope

This program shall only apply to products or SaaS services that Automation Anywhere develops and licenses to its customers. This program does not apply to Automation Anywhere website and non-service-oriented infrastructure. Please note: Automation Anywhere does not condone any attempts to actively audit or exploit our cloud services, applications, and infrastructure.

This document applies to technical vulnerabilities on Automation Anywhere products or SaaS services that are developed and licensed by Automation Anywhere

The below are not in scope for testing.

• automationanywhere.com web properties
• Attacks involving stolen credentials or physical access to endpoint devices
• Automated Scans (without an exploitable PoC)
• Host Header Injection (without providing an exploitable scenario)
• Content Spoofing Vulnerabilities
• HTTP Trace method is enabled
• Denial of Service (DoS) or DDoS
• DLL hijacking (without escalation of privileges)
• DNS configuration related issues
• Issues present in older versions of browsers, plugins, or any other software
• Low Severity Clickjacking Vulnerabilities

Our Commitment (Safe Harbor)

If you identify a valid security vulnerability in compliance with this Responsible Disclosure Policy and in good faith, Automation Anywhere is committed to not engaging in any legal action against you with respect to the scope of this Policy. This commitment does not apply to any attempts to actively audit or exploit Automation Anywhere cloud services, applications, and infrastructure.

Vulnerability submissions

Automation Anywhere encourages security researchers to share the details of any suspected vulnerabilities with the Automation Anywhere Security Team by sending an email to disclosure@automationanywhere.com.

Automation Anywhere will review the submission to determine if the finding is valid and has not been previously reported.

At Automation Anywhere’s sole discretion, you may be eligible for monetary compensation for your efforts.

Automation Anywhere will attempt to review and respond to your report within five (5) business days of submission.

Publication of Vulnerability

Following the successful fix of the vulnerability, Automation Anywhere will disclose the vulnerability and the successful remediation on our website, subject to the terms and conditions of the Responsible Disclosure Agreement. If you prefer to be credited by name, please provide Automation Anywhere your consent in writing (an email is sufficient).

Bounty Program

After remediation, you may be eligible to receive a bounty payment, subject to the terms and conditions of the Responsible Disclosure Agreement. While Automation Anywhere uses CVSS 3.0 (Common Vulnerability Scoring Standard) to calculate severity, Automation Anywhere reserves the right, in its sole discretion, whether the vulnerability qualifies for a bounty payment.