At SAP we have been offering Bug Bounty programs for a while now. That also includes SAP S/4HANA, as described in a previous post. However, so far the SAP S/4HANA Bug Bounty program was focused on SAP S/4HANA On-Premise.
Until now: We are excited to announce the availability of the Bug Bounty Program for SAP S/4HANA Public Cloud.
As described earlier, we have several objectives in offering a Bug Bounty Program for our core product, SAP S/4HANA. One is to establish an external security verification platform for S/4HANA; another is to leverage the expertise of external researchers and penetration testers. In addition, while we have quite a few security measures in place, both at SAP in general and in SAP S/4HANA development specifically, most of them, such as Threat Modeling, Application Security Testing or Penetration Tests, are by nature limited to the phase before SAP S/4HANA is available to you, our customers.
With our Bug Bounty Program we make continuous security verification possible, 24/7 – something which is especially important and, we believe, valued in a cloud environment.
Let’s have a look at what the new SAP S/4HANA Cloud Bug Bounty Program contains. The system is a current SAP S/4HANA Cloud system, just like the one you would find at any of our Public Cloud customers. The activated scope includes Finance, Logistics and Master Data Maintenance – the most commonly used functionality that SAP S/4HANA Cloud has to offer.
In order to represent a “real” customer system as closely as possible, we have also included some data to work with. Additionally, from a technical point of view, our Bug Bounty SAP S/4HANA Cloud system is set up just like any customer system, including all hardening and security measures that are implemented in our regular data centers. It has to be, since the whole idea is to find realistic vulnerabilities.
In other words, both from a functional perspective and from an infrastructure point of view, the SAP S/4HANA Cloud Bug Bounty System is as close to a live customer system as you can get.
Our partner in this endeavor is Bugcrowd. Bugcrowd specializes in Bug Bounty programs, and since SAP know-how is advisable in our case, the researchers who access our SAP S/4HANA Cloud system are hand-picked SAP security researchers. This means that security researchers across the globe who have signed an NDA and been onboarded via the Bugcrowd platform can now test the SAP S/4HANA Cloud Bug Bounty system and will be rewarded for security findings under the ‘Pay for Performance’ model.