At Automation Anywhere, security is our priority, and we deeply care about maintaining the trust and confidence that our customers place in us. As an Automation Anywhere customer, you are welcome to carry out external security scans, assessments or penetration tests against your own registered Automation Anywhere tenant externally with prior approval. Scheduled testing must be pre-approved and conducted at a date and time that has been agreed with Automation Anywhere.

This page defines the scope, the request-for-approval process, and the reporting guidelines for such an agreed-upon, one-time vulnerability testing and penetration testing activity by our customers (one testing slot is allowed per approval). If you discover a vulnerability in our systems, application, or network infrastructure during such a test, Automation Anywhere appreciates your help in disclosing it to us in a responsible manner.

Scope

The scope of this testing is limited to security vulnerabilities and weaknesses discovered on the Automation 360 production Cloud tenant URL that has been assigned to you as one of our existing customers. Such a URL or domain has the following format: https://sample_organization.automationanywhere.digital.

Request for approval process

Most customers rely on Automation Anywhere's ongoing third-party penetration testing, conducted yearly by different vendors. Reports of these tests are made available under NDA along with any required remediation plans.

If you need to conduct your own penetration testing, Automation Anywhere requests notification at least 2 weeks in advance. Contact Automation Anywhere support: Open a support case (A-People login required) to submit this request and notification. In the request notification, provide the following information:
  • Specific URLs planned to be tested
  • Region (if restrictive)
  • Period of testing: start and end dates when the testing will occur
  • IP addresses of the devices doing the testing
  • Methodology: Black box, White box, or Grey box
  • Automated scans: Yes or No
  • DOS type attacks: Yes or No
  • Brute force or dictionary type attacks: Yes or No
  • Other relevant information

Guidelines

Pay attention to the following guidelines while performing the testing:

  • Report any potential security issue as soon as possible. Automation Anywhere will make every effort to quickly respond and resolve the issue
  • Provide sufficient detail to reproduce the vulnerability, including proof of concept
  • Do not disclose an issue to the public or a third party until Automation Anywhere has provided an official response
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with applications and tenants you own or for which you have the explicit permission of the account holder
  • Redact any language or images that might identify or provide details about the application, our customers, or their vulnerabilities, if any
  • Do not engage in disruptive testing (such as Denial of Service (DoS)) or any action that could impact the confidentiality, integrity, or availability of Automation Anywhere information and systems
  • Do not engage in social engineering or phishing of customers or employees
  • Do not request compensation for time and materials for the discovered vulnerabilities

Prohibited activities

Do not perform the following activities:

  • Testing domains or subdomains outside the approved testing scope
  • Executing or attempting to execute any Denial of Service (DoS) attack
  • Testing for vulnerabilities that require physical access to a user's computer or device
  • Testing for vulnerabilities in Automation Anywhere partner sites, third-party applications, websites, or services that integrate with or link to Automation Anywhere systems
  • Physical attacks against Automation Anywhere offices or data centers
  • Accessing, downloading, or modifying data residing in an account that does not belong to you
  • Posting, transmitting, uploading, linking to, sending, or storing any malicious software
  • Testing in a manner that would result in sending unsolicited or unauthorized junk emails, spam, pyramid schemes, or other forms of unsolicited messages
  • Testing in a manner that would degrade the operation of any Automation Anywhere systems

Reporting

After the testing period has ended, submit the security vulnerability findings through Automation Anywhere support: Open a support case (A-People login required). When reporting vulnerabilities, provide the attack scenarios, specific detailed test cases, exploitability (if any), and the security impact of the vulnerability. Automation Anywhere commits to:

  • Working with you to understand and validate the issue
  • Addressing the risk (if deemed appropriate by Automation Anywhere)