Bentley Systems requires that all researchers

• Avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing.
• Perform research only within the scope set out below.
• Use the communication channels defined below to report vulnerability information to us.
• Keep information about any vulnerabilities you have discovered confidential between you and Bentley Systems until it is fixed.

• Not to pursue or support any legal action related to your research.
• To work with you to understand and resolve the issue quickly.

When conducting vulnerability research according to this policy, we consider this research to be

• Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (orsimilar state laws), and we will not initiate or support legal action against you foraccidental, good-faith violations of this policy.
• Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls.
• Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basisfor work done under this policy.
• Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws. If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our communication channels defined below before going any further.

If you believe you’ve found a security vulnerability in one of our products or platforms, please fill in the form on this page.

Make sure to have included the following information:

• Detailed description of the vulnerability containing info such as URL, full HTTP request/response, and type of vulnerability.
• Information nece ssary to reproduce the issue.
• If applicable , a screenshot and/or video of the vulnerability.
• Contact information, name, email, phone number, location. Submissions without this information will not be considered.
• IMPORTANT NOTE. You may only make the initial submission through the form. If you have any questions not mentioned in a form, please e-mail us at [email protected].

• DoS is strictly prohibited.
• Any form of credentials brute forcing is strictly prohibited.
• Public disclosure of a reported vulnerability before it has been fixed is prohibited.
• You may not destroy or degrade our performance or violate the privacy or integrity of our users and their data.
• Exploiting vulnerabilities (other than a generic PoC) is strictly prohibited and will be prosecuted according to applicable law.
• If a vulnerability provides unintended access to data, you must
  • Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and
  • Cease testing and
  • Submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary
    information.
• Bentley will not respond to extortion or other coercive, criminal acts (e.g. demands for payment up front in exchange for not exploiting a found vulnerability.

Unless otherwise informed by our team that the vulnerability has been resolved, please withhold public disclosure of the vulnerability for 90 days. Failure to do so will result in legal action.

Only the first researcher to report an issue or similar issues will be considered under this policy. This includes reports of the same issue in different environments (e.g., dev-, qa-, prod-)

Once your submission is received:

• The reported vulnerability will be analyzed.
• If we determine the submission is valid and meets the requirements of this policy, you may receive compensation.
• You will be informed when the issue is fixed.