If you find a vulnerability in ServiceNow systems, products, or network infrastructure, our Responsible Disclosure Program is the place to make a report.

If you find a vulnerability in this open-source project published by the ServiceNow Research team, please email servicenow-research@servicenow.com to report your findings.

We will process your report as soon as possible, depending on the severity of your report. We appreciate everyone’s help in disclosing vulnerabilities in a responsible manner.

Please follow the guidelines below when disclosing vulnerabilities:

• Report any potential security issue as soon as possible. We will make every effort to quickly resolve the issue.
• Provide sufficient detail to reproduce the vulnerability, including proof of concept.
• Please do not disclose an issue to the public or a third party until ServiceNow has resolved it.
• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or accounts for which you have the explicit permission of the account holder.
• Redact any language or images that may identify the program or ServiceNow customers from information about a fixed vulnerability.
• Do not engage in disruptive testing (such as DoS) or any action that could impact the confidentiality, integrity, or availability of information and systems.
• Do not engage in social engineering or phishing of customers or employees.
• Please do not request compensation for time and materials or discovered vulnerabilities.