Tricentis Vulnerability Disclosure Policy

Tricentis welcomes feedback from security researchers and our customers to help improve our security. If you believe you have discovered a vulnerability associated with any Tricentis assets, please contact us. By submitting a vulnerability report or participating in this vulnerability disclosure program, you agree to follow the guidelines in this Policy.

Reporting email address

Send your vulnerability reports under this policy to vdp@tricentis.com.

Systems in Scope

This Policy applies to any digital assets owned, operated, or maintained by Tricentis including tricentis.com. Tricentis reserves the right to modify the scope of covered systems at any time by updating this Policy, and such modifications shall be effective immediately upon posting.

Out of Scope

The following areas are out of scope for this policy:

  • HTTPS / TLS security headers suggestions
  • SPF / DMARC / DKIM / DNSSEC suggestions
  • Social engineering / phishing / spam
  • Hardware, Layer 2, or spoofing-based attacks

If you inadvertently test out-of-scope areas, please cease testing immediately and notify us. Continuing to intentionally test out-of-scope systems after we’ve notified you could impact your safe harbor protections.

Vulnerabilities discovered or suspected in third party systems or libraries should be reported to the appropriate vendor or applicable authority.

Our Commitments

When you work with us under this Policy, we’ll:

  • Respond to your report within thirty (30) business days of receipt, and work with you in good faith to understand and validate your report;
  • Keep you updated on progress at reasonable intervals, and at least every 60 days, until we resolve the issue;
  • Use commercially reasonable efforts to remediate discovered vulnerabilities based on severity level and within our operational constraints, provided that Tricentis shall have sole discretion to determine remediation timelines and methods; and
  • Provide safe harbor protections for your vulnerability research when you follow this Policy, as described in the Safe Harbor section below.

Our Expectations

In participating in our vulnerability disclosure program, you agree to and shall:

  • Report any vulnerability within 72 hours of discovering it. The more details you provide, the easier it will be for us to triage and fix the issue;
  • Avoid violating the privacy of others, disrupting our systems, destroying and/or modifying data, and/or harming user experience, and abide by applicable data protection laws and applicable anti-hacking and anti-circumvention laws;
  • Use only vdp@tricentis.com to report vulnerability information and communicate with us;
  • Give us reasonable time to fix the issue;
  • If a vulnerability gives you unintended access to data, access only the minimum data needed to demonstrate the vulnerability, and stop testing immediately and report it if you encounter what you believe to be user data or personal data under data protection laws; and
  • Not engage in extortion.

Safe Harbor

Subject to your strict compliance with all terms and conditions of this Policy, including but not limited to the scope limitations and behavioral requirements set forth herein, Tricentis agrees that authorized vulnerability research conducted under this Policy shall be:

  • Authorized under anti-hacking laws, and we won’t take or support legal action against you for activities that follow this Policy in good faith; however, this only covers research within the scope defined here and doesn’t cover intentional, reckless, or negligent violations;
  • Authorized under applicable anti-circumvention laws, and Tricentis will not bring a claim against you for circumvention of technological protection measures when such circumvention is reasonably necessary to identify, analyze, or report security vulnerabilities in accordance with this Policy;
  • Exempt from restrictions in our General Terms of Use that would otherwise prohibit security research allowed under this Policy; we are granting a limited waiver of those conflicting restrictions solely for authorized vulnerability research that follows this Policy, with all other Terms of Use still applying; and
  • Lawful under applicable laws, beneficial to the security of Tricentis’s systems and the broader Internet community, conducted in good faith with the intent to improve security rather than cause harm or obtain unauthorized benefits.

You are expected, as always, to comply with all applicable laws. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. However, we reserve the right to revoke safe harbor protections if you violate the terms of this Policy, including, but not limited to, downloading or exfiltrating files, failing to immediately cease testing upon encountering any personal data as defined under applicable data protection laws, or engaging in extortionate behaviour.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please send an email to vdp@tricentis.com before going any further.

Note that the safe harbor applies only to legal claims under the control of Tricentis, and that the policy does not bind independent third parties.

Security Releases

Any security releases are included in product specific release notes which can be located under the Tricentis Support Hub.