Responsible Security Disclosure Policy

Reporting Security Vulnerabilities

While we try to be proactive in preventing security problems, unfortunately, it is inevitable that security flaws will be discovered in all software, including our own. It is standard practice in open source to responsibly and privately disclose to the vendor — in this case Marc Bernard Tools — a security problem before publicizing, so a fix can be prepared, and we can take proactive steps to protect the users of Marc Bernard Tools.

What is a Security Issue?

A security issue is a type of bug that can affect the security of SAP installations.

Specifically, it is a report of a bug that you have found in the code for Marc Bernard Tools and that you have determined can be used to gain some level of access to an SAP system running Marc Bernard Tools that you should not have.

Please keep in mind, there are 3rd-party add-ons for Marc Bernard Tools that we do not develop. If you have found a vulnerability in a 3rd-party add-on for Marc Bernard Tools, while we likely can’t fix it, it’s likely we know who can and want to help keep the Marc Bernard Tools ecosystem healthy.

Where Do I Report Security Issues?

If you would like to contact us with a security vulnerability or possible vulnerability, please contact us via email — . This address can be used for reporting vulnerabilities for any Marc Bernard Tools solution. Please do not use this email address for support (use Support Ticket instead).

In all cases, you should not share the details with anyone else until after the fix for the bug has been officially released to the public. If you have a verified vulnerability, to ensure that the vulnerability is responsibly disclosed and can be tracked by the security community, we recommend requesting a CVE ID.