Automation Anywhere Vulnerability Disclosure Policy (VDP)

Automation Anywhere, Inc., is committed to ensuring the safety and security of the products and cloud services that are licensed to our customers.

As such, if you discover a vulnerability in the products or cloud services that are provided to Automation Anywhere customers, Automation Anywhere appreciates your help in disclosing these vulnerabilities to Automation Anywhere in a responsible manner as set out in this Vulnerability Disclosure Policy (VDP).

• Respect the rules. Operate within the rules set forth here or speak up if in strong disagreement with the rules.
• Respect privacy. Make a good faith effort not to access or destroy another user’s data.
• Be patient. Make a good faith effort to clarify and support their reports upon request.
• Do no harm. Act for the common good through the prompt reporting of all found vulnerabilities. Never wilfully exploit others without their permission.

Scope

This program shall only apply to products or SaaS services that Automation Anywhere develops and licenses to its customers. This program does not apply to Automation Anywhere website and non-service-oriented infrastructure. Please note: Automation Anywhere does not condone any attempts to actively audit or exploit our cloud services, applications, and infrastructure.

This document applies to technical vulnerabilities on Automation Anywhere products or SaaS services that are developed and licensed by Automation Anywhere

The below are not in scope for testing.

• automationanywhere.com web properties
• Attacks involving stolen credentials or physical access to endpoint devices
• Automated Scans (without an exploitable PoC)
• Host Header Injection (without providing an exploitable scenario)
• Content Spoofing Vulnerabilities
• HTTP Trace method is enabled
• Denial of Service (DoS) or DDoS
• DLL hijacking (without escalation of privileges)
• DNS configuration related issues
• Issues present in older versions of browsers, plugins, or any other software
• Low Severity Clickjacking Vulnerabilities

Our Commitment (Safe Harbor)

If you identify a valid security vulnerability in compliance with this Responsible Disclosure Policy and in good faith, Automation Anywhere is committed to not engaging in any legal action against you with respect to the scope of this Policy. This commitment does not apply to any attempts to actively audit or exploit Automation Anywhere cloud services, applications, and infrastructure.

Vulnerability submissions

Automation Anywhere encourages security researchers to share the details of any suspected vulnerabilities with the Automation Anywhere Security Team by sending an email to disclosure@automationanywhere.com.

Automation Anywhere will review the submission to determine if the finding is valid and has not been previously reported.