Responsible disclosure
Reporting security vulnerabilities
At SysAid, maintaining a secure and trustworthy platform for our customers, partners, and users is our top priority. We recognize and appreciate the valuable role that the security research community plays in helping us achieve this goal.
While we do not authorize or encourage active testing, scanning, or auditing of our systems or infrastructure, we understand that vulnerabilities may occasionally be discovered incidentally.
If you believe you’ve found a potential security issue related to our systems, products, or services, we encourage you to report it to us responsibly. This policy outlines the guidelines and scope for responsible disclosure.
To report a vulnerability without participating in our bug bounty program, please email us at vulnerabilities@sysaid.com. Please note that rewards are only eligible for submissions made through our official bug bounty program on HackerOne.
When to report issues
Scope
This policy covers technical security vulnerabilities in SysAid-owned systems, products, and services.
Examples of assets within scope include:
- https://*.sysaidit.com
- https://www.sysaid.com
- SysAid ITSM On-Premise Executable
Additional assets may be considered in-scope following acquisitions or other changes. If you’re unsure whether an asset is in scope, feel free to report your findings.
Please note:
We do not authorize active auditing, scanning, or penetration testing of our systems.
Out of scope
The following are considered out of scope for this policy:
- Domains or subdomains outside of SysAid-owned systems and services
- Vulnerabilities in customer or partner ServiceNow instances
- Distributed Denial of Service (DDoS) vulnerabilities
- Automated scanning or the use of vulnerability assessment tools
- Vulnerabilities requiring physical access to a user’s device
- Physical attacks against SysAid offices or data centers
- Issues previously remediated by SysAid
- Spam, phishing, or social engineering attacks
Guidelines for submissions
To help us investigate and resolve potential issues quickly and safely, please follow these best practices:
Report vulnerabilities as soon as possible via the submission form or, if you’re a customer, through Customer Care.
Focus areas
We’re particularly interested in vulnerabilities that may have a direct security impact on our services, including:
- Cross-Instance Data Leakage or Access
- Server-side Remote Code Execution (RCE)
- Server-Side Request Forgery (SSRF)
- Stored or Reflected Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- SQL Injection (SQLi)
- XML External Entity (XXE) attacks
- Access Control vulnerabilities (e.g., IDOR)
- Path or Directory Traversal issues
- Connect App Authorization Bypass
While we do not prioritize issues related to enumeration or basic information gathering, we welcome submissions that demonstrate actual impact.
Rewards
Findings not explicitly listed in the scope may still be reported and will be reviewed on a case-by-case basis. Reward decisions are made at the discretion of the SysAid Security Team.
We use the CVSS (Common Vulnerability Scoring System) to consistently assess and prioritize reported issues. CVSS is our baseline, Sysaid has the right to amend the score based on it’s internal considerations. In the event of a conflict between CVSS and other scoring systems, we defer to the CVSS score.
Hall of Fame
We are proud to recognize and thank individuals who have helped us improve our platform by
reporting vulnerabilities discovered responsibly. Your efforts are truly appreciated.
Coming soon—your name could be here!
Add a contribution and get highlighted.
Top rated on G2, Capterra, and more
