Reporting Vulnerabilities to DocuWare

DocuWare welcomes vulnerability reports from security researchers and customers. If you believe you have found a security issue in a DocuWare product or service and would like to report anonymously, please submit it through this form. We ask that you:

This is an anonymous reporting form. No contact information is collected (nor any other information beyond the fields below), so DocuWare cannot respond to individual submissions.

DocuWare will not pursue legal action against those who act in good faith in accordance with the scope and rules of engagement.

If you prefer to report non-anonymously so we can coordinate this together, please see our security.txt for contact details. This is completely optional.

Scope

The following assets are in scope for this program:

Any asset or service not in the explicit scope defined above is considered out of scope. End-of-life versions of products or services are also out of scope.

Rules of Engagement

When researching vulnerabilities you must:

Priority Vulnerabilities

The following vulnerabilities are most relevant to this program:

Out of Scope Vulnerabilities

The following vulnerabilities are out of scope, subject to DocuWare's discretion:

Vulnerability Disclosure Program Details


Submit a Vulnerability Report

This form is anonymous. No contact information is collected or required. Because no follow-up is possible, DocuWare cannot request additional technical details or clarification after submission. For complex issues, further explanation or evidence is often necessary to process a report. As anonymous submission prevents any follow-up, anonymous reports may only be processed to a limited extent or possibly not at all. Please be clear and precise while communicating your findings, especially for complex ones.

After submitting, please wait a moment. It can take a few seconds to process your report — there's no need to submit again.

A short, descriptive title for the vulnerability.

Provide a step-by-step description that allows our team to reproduce the issue. Follow the Rules of Engagement above: include the target, preconditions, exact actions taken, and observed versus expected behavior.

Describe the potential business, technical, or human impact if this vulnerability were exploited. Consider confidentiality, integrity, and availability implications, and whether exploitation requires authentication or special privileges.