Gartner Responsible Vulnerability Disclosure Program

Overview

Gartner is committed to maintaining the security of our systems and the information of our customers. We appreciate and encourage security researchers to alert us, and report potential vulnerabilities identified in any product, system or asset belonging to Gartner, including our global brands such as Capterra, GetApp, Software Advice and UpCity.

If you believe you have identified a potential security vulnerability, please share it with us by following the submission guidelines below. 

Thank you in advance for your submission! We appreciate researchers assisting us in our security efforts.

Gartner Vulnerability Disclosure Program (VDP)

We accept vulnerability reports from independent security researchers, industry partners, vendors, customers and consultants. We recognize a security vulnerability as an unintended weakness or exposure that could be used to compromise the integrity, availability or confidentiality of our products and services. This vulnerability disclosure program (VDP) is offered to submit potential security findings.

Before participating in our VDP, conducting any testing of Gartner-branded properties or submitting a report, you must first agree to abide by the terms and conditions found here. You further agree to abide by the Gartner Terms of Use, and you agree to have your information processed in accordance with the Gartner Privacy Policy. Failure to abide by the terms and conditions will result in your exclusion from consideration as a security researcher under our program.

Scope

This policy applies to any digital assets owned, operated or maintained by Gartner, including public-facing websites. It applies as well to our digital markets brands such as Capterra, GetApp, Software Advice and UpCity.

Authorization

If you make a good-faith effort to comply with this policy during your security research, we will consider your research to be authorized, we will work with you to understand and resolve the issue quickly, and Gartner will not recommend or pursue legal action related to your research.

Our commitment to researchers

  • Trust. We maintain trust and confidentiality in our professional exchanges with security researchers.

  • Respect. We treat all researchers with respect and recognize your contribution to keeping our customers safe and secure.

  • Transparency. We will work with you to validate and remediate reported vulnerabilities in accordance with our commitment to security and privacy.

  • Common good. We investigate and remediate issues in a manner consistent with protecting the safety and security of those potentially affected by a reported vulnerability.

What we ask of researchers

  • Trust. We request that you communicate about potential vulnerabilities in a responsible manner, providing sufficient time and information for our team to validate and address potential issues.

  • Respect. We request that researchers make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing.

  • Common good. We request that researchers act for the common good, protecting user privacy and security by refraining from publicly disclosing unverified vulnerabilities until our team has had time to validate and address reported issues. Public disclosure of the submission details of any identified or alleged vulnerability without express written consent from Gartner will deem the submission as noncompliant with this Vulnerability Disclosure Program.

In addition

  • You must not reside in a country currently on any sanction or embargoed country list where Gartner is established.

  • The reported vulnerability must be original; the first person to submit a valid report shall be credited.

  • You must not be the author of the vulnerable code.

  • You must not attempt brute-force attacks, denial of service attacks, or user credential harvesting.

  • You must not utilize social engineering of our employees and contractors to leverage exploitation of any kind.

  • In the event of disclosure of personal data of another person, you are directed to cease the affecting activity, document steps to replicate, and submit the report as soon as possible.

  • If you have discovered a vulnerability, do not disclose details of your findings publicly or to a third party.

Information you receive or collect about Gartner or its affiliates through the VDP, whether in oral, visual, written or electronic format, may be deemed proprietary and confidential (“Confidential Information”).

Vulnerability reporting

Gartner recommends that security researchers share the details of any suspected vulnerabilities across any asset owned, controlled or operated by Gartner (or that would reasonably impact the security of Gartner and our users) using the web form below. The Gartner Application Security team will acknowledge receipt of each vulnerability report, conduct a thorough investigation and then take appropriate action for resolution.

Note, when filling out the submission form below

Providing your contact address in the “Researcher Email” field will send you a confirmation message after submitting, where you can claim the submission with your Bugcrowd account. If you choose not to claim your submission, we cannot communicate with you, or list you in our acknowledgements page.