Report a security-related concern
We take your security very seriously and investigate all vulnerabilities that you report to us. This page summarizes how we address potential vulnerabilities reported to Dynatrace.
If you believe you've identified a security problem in a Dynatrace product or service, please follow the procedure below.
- See if someone else has already reported the problem.
  Check the Dynatrace CVE status (Common Vulnerabilities and Exposures) page at cve-status.dynatrace.com for summaries of known vulnerabilities and exposures in Dynatrace components. Dynatrace sign-in is required.
- If no one else has reported the problem, create a support ticket.
  - To see what information you and your security team need to create a ticket, see Report a security vulnerability in the Dynatrace Community.
  - To create a ticket, go to the Create a security request page, select Add, complete the form, and submit the ticket.
- Next, join our bug bounty program. We need people like you. Sign up on HackerOne to participate in our bug bounty program.
Report a vulnerability
If you have security concerns or suspect a vulnerability in a Dynatrace product or service, we encourage you to report the vulnerability to us immediately. To help us quickly respond to any suspected vulnerability, provide all relevant information—for example, proof-of-concept exploit code, tool output, affected product or component, and version number—that may help us reproduce and evaluate the severity of the problem. All information you provide to Dynatrace is kept confidential.
We'll respond to you, acknowledge receipt of your vulnerability report, and outline the next steps.
Evaluate and respond
When we receive a vulnerability report, we thoroughly investigate the severity of the security problem and share the results with you, along with any remediation. During this process, we keep you regularly informed of our progress.
We treat all reported vulnerabilities seriously. We ask for your understanding that remediation of valid security problems takes time. The amount of time varies based on the complexity and severity of each vulnerability.
We respectfully ask you not to publish any information about reported vulnerabilities before we've analyzed them, addressed them, and informed our customers (if required), as doing otherwise could put our customers at risk. Please don't share or publish any data that belongs to our customers.
Disclosure of vulnerabilities
If we do confirm a reported vulnerability, following our remediation efforts, we will list the fixed vulnerability in Dynatrace release notes.