Bizagi is committed to resolving vulnerabilities to better meet the needs of its customers and the broader technology community. This document describes Bizagi’s policy for receiving reports related to potential security vulnerabilities in its products, in addition to the company’s standard practice related to informing customers of verified vulnerabilities. 


The rules stated in this document apply to any external party that wants to conduct Vulnerability or Security Assessments in our product and services.


1. When to contact Bizagi Security Team

You should contact the Bizagi Security Team by sending an e-mail to security.bugs@bizagi.com in the following situations:
•   You have identified a potential security vulnerability in one of our commercial offering services.
•   You have identified a potential security vulnerability in one of our internal services, like CMS, portal web pages, and others. 

After your incident report is received, the appropriate personnel will contact you to follow up on your issue. To ensure confidentiality, we encourage you to encrypt any sensitive information you send to us via e-mail. We are equipped to receive messages encrypted using S/MIME. A copy of the public key that can be used to send encrypted email can be found here: 

The security.bugs@bizagi.com email address should only be used to report product or service security vulnerabilities. It is not for technical support information; as such, any other content received will be dropped. For technical and customer support inquiries, please visit www.bizagi.com/en/customer-support. Our team will attempt to acknowledge receipt of all submitted reports within seven days. 

2.   Receiving Security Information from Bizagi

Technical Security Information about our products and services is distributed through several channels: 
a)   Bizagi distributes information to customers about security vulnerabilities via e-mail. In most cases, we will issue a notice: 

•   When we have identified a practical workaround or fix for the particular security vulnerability. 
•   In the absence of a workaround and when the vulnerability has become widely known to the security community. 

As each security vulnerability case is different, we can take alternative actions to issue security notices. Bizagi determines whether to accelerate or delay the release of a notice or not issue a notice at all. 

b)   Bizagi can also distribute security-related information to public newsgroups or electronic mailing lists. This is done on an ad hoc basis, depending on how Bizagi perceives the relevance of each notice.

c)   Bizagi works with the formal incident response community to distribute information. Many company security notices are distributed by regional CERT while they are sent through company information distribution channels. All aspects of this process are subject to change without notice. No level of response is guaranteed for any specific issue or class of issues. 

3.   Rules of Engagement

This section describes the conditions of the “Rules of Engagement” for customers or external security researchers that wish to perform penetration tests or vulnerability analysis in Bizagi applications or services. We have to be specific and limit all penetration or security tests to specific assets covered in this scope to avoid unintended consequences to other customers. These Rules of Engagement allow you to effectively evaluate Bizagi’s security while preventing harm to other customers or specific Bizagi services. 

3.1.   In Scope Services and Products

The Bizagi Cloud platform is defined as including in the following Bizagi products: 
•   Bizagi Studio (Desktop Application)
•   Management Console (Desktop Application)
•   Automation Service
•   Management Console Web
•   Customer Portal
•   Accounts and User Register
•   Modeler Services
•   Studio Collaboration Services
•   Artificial Intelligence
•   Business Intelligence
•   Bizagi main portal: https://www.bizagi.com
•   Bizagi help site: https://help.bizagi.com

Specific environments for Bizagi customers require previous authorization from Bizagi. 

3.2.   In Scope Vulnerabilities

Only the following vulnerabilities will be considered as part of submissions:
•   Injection vulnerabilities like OS Command Injection, SQL Injection, Code Injection, etc.
•   Cross-Site Scripting (XSS)
•   Cross-Site Request Forgery (CSRF)
•   Cross-tenant data tampering or access
•   Insecure Direct Object References IDOR
•   Insecure Serialization
•   Using components with known vulnerabilities
o   Requires a full proof of concept (PoC) demonstrating the real impact of the vulnerability
•   Lack of Authentication controls
•   Lack of Authorization controls

3.3.   Prohibited Actions during Security Testing

Testing the following vulnerabilities are not covered and require a previous authorization from Bizagi to be tested:
•   Any kind of Denial-of-Service DoS Attack. 
•   Performing automated services testing that generates significant amounts of traffic. 
•   Gaining access to any data that is not wholly your own. For instance, taking advantage of a vulnerability to see and exfiltrate any Bizagi internal information, or information/ data generated by any customer related to Bizagi. 
•   Moving beyond “proof of concept” and trying to get more high-level access, like Server take over or Web Server defacement. 
•   Using our services to distribute phishing, spam, or malware campaigns. 
•   Using our services to install malicious programs that can wear out CPU, Memory or any other performance capability in our services.

Even with these prohibitions, Bizagi reserves the right to respond to any actions on our networks that appear to be malicious. 

Bizagi also prohibits the publication of known vulnerabilities without a previous consent. Remember, this action is considered as harmful for us, and it may have legal actions. 


4.   Required Information for Vulnerability Reports

This section describes the general aspects that should be considered before submitting a new vulnerability. 

To guarantee effective communication between our security team and external pen-testers, please provide us with the following information regarding your findings:  
•   Product Name
•   Version Number using Bizagi nomenclature 
•   Time and date of discovery
•   Vulnerability Simplified Name
•   Severity Level or Risk (we encourage you to use CVSSv3 score)
•   Technical Description and steps to reproduce (provide what actions were being performed and the result as clearly as possible)
•   Sample code (if possible, provide the code, script or Proof of Concept that was used to reproduce the vulnerability)
o The sample code must be limited to demonstrate the vulnerability. Do not try to access information you do not own. 
•   Friendly Contact Information – best method to reach you
•   For Bizagi Cloud Platform vulnerabilities.
•   Disclosure Plan(s) – Current Plan to Disclose vulnerability
•   Recommendation – If you are able to, please add a recommendation to advise our security team
•   For Client-Side Vulnerabilities, please include Browser vendor and version

Bizagi considers any report lacking this basic information null, and our team cannot work on the report. Bizagi reserves the right to request any additional information about the vulnerability. 


5. Vulnerability Disclosure Terms

By submitting a new report and the security research, the submitter, as an Ethical Hacker, accepts the following terms:
a)   Submitter cannot perform any harmful actions to Bizagi, our assets, our employees, or customers that can extend the scope of a Proof of Concept and can compromise Confidentiality, Integrity, or Availability. Bizagi reserves the right to consider and estimate the security research actions in case of suspicious of harmful actions. 
b)   Submitter will not publically reveal any general or detailed information about the report, since it can have impact Bizagi and our customers’ reputations. Information cannot be revealed without the previous consent of Bizagi security personnel. Publically sharing any of this information can only occur after the vulnerability is considered fixed and remediated. 
c)   Submitter cannot execute any other security testing that is not specifically described in this document without previous authorization of Bizagi security personnel. 
d)   Submitter will not be granted a reward for their research, and any requests along those lines will be considered extortion, as those actions do not follow the principles of an Ethical Hacker. 

5.1.   Remediation Timeframes and Patches

Bizagi reserves the right to define remediation plans, actions, and establish timeframes to release security patches. 

5.2.   Report for Customer Conducted Pen-tests

Please use our Bizagi support platform to report a new ticket and attach the pen-test report to it. We will analyze the pen-test report and then inform you of the actions that should be taken in your environment or inform you about new releases and patches to mitigate any security issues found in your reports. 

5.3.   Report for External Security Researchers

If you are not associated with any of our customers, please send the information described in the sections above to security.bugs@bizagi.com.

5.4.   Reward

Bizagi is happy and grateful to receive your vulnerability reports. In our vulnerability disclosure program, we are working to create a public hall of fame (posted on our public site). This hall of fame will include a section highlighting the top ten researchers who have reported vulnerabilities. Every quarter, this hall of fame will be updated in accordance with the number of reports sent by researchers.