Vulnerability Disclosure Policy

Introduction

Securing our customers and their data is a #1 priority at Guidewire. If you believe you have discovered a security vulnerability, we strongly encourage you to contact us directly to responsibly disclose the issue. Guidewire’s Product Security Incident Response Team (PSIRT) is committed to working with security researchers to verify and address any reported vulnerabilities. Guidewire will notify impacted customers if any customer action is required to remediate a vulnerability.

Reporting a Potential Security Vulnerability

If you identify a potential security vulnerability, please securely share the details with the Guidewire Security team via email to psirt@guidewire.com. The vulnerability report should include the following:

• Title

• Description 

• Severity (Preferably based on CVSS 3.0)

• Impact

• Location i.e. Affected IP / URL, Parameter

• Remediation Recommendations

• Proof of Concept (should include):

  • Clear, concise steps on how to reproduce the vulnerability, 

  • Complete HTTP Request and Response (wherever applicable), 

  • Full-screen capture (wherever applicable)

Confidentiality

By engaging or participating in and/or submitting a security vulnerability to Guidewire, you agree to treat that information as the Confidential Information of Guidewire.

Rewards and Recognition

At this time, Guidewire does not offer a Bug Bounty Program or compensation to researchers for vulnerability reports.