Security issue management
Critical NPM Security Alert
On April 29, 2026, four malicious open-source packages were distributed into the NPM ecosystem. These malicious versions appear to exfiltrate information, such as credentials, and attempt to propagate into downstream software packages as well as adjacent software repositories when installed on a system. If you are uncertain whether your systems have been affected, it is crucial to act promptly. Begin by following the mitigation steps outlined in https://me.sap.com/notes/3747787, to maintain your environment’s security. Promptly taking these actions will help protect your systems and data from potential risks.
Invitation-only SAP Bug Bounty Program
See more information, including list of participating products.
Report a security issue
SAP is continuously working on improving our security processes. Report a potential security issue using one of the options below.
We secure your business with strong infrastructure protection, continuous 24/7 monitoring, rapid incident response, and built-in disaster recovery. We enforce strict access controls, follow secure development practices, and maintain global certifications such as ISO 27001 and SOC reports. We provide transparency into policies, certifications, and monthly security patches through our Trust Center. While SAP protects the platform, customers manage user access and configuration under a shared responsibility model—working together to keep systems secure.
SAP customers
Report a customer security issue to find a solution and get real-time support from an expert.
Non-customers
Security researchers and other non-SAP customers can report any security vulnerability they discover in SAP products (whether on-premises or in the cloud) or on SAP-owned domains (such as the SAP Help Portal) to ensure responsible disclosure.
Security vulnerabilities that are reported will be acknowledged in our SAP Bug Bounty Program hall of fame.
Disclosure guidelines
Include the following details in the report, as applicable: issue category, affected product version with support package and patch level, necessary pre- and post-conditions for the exploit to work, description with proof of concept or exploit code, and impact of the issue if exploited.
Resources for SAP customers and partners
SAP customers and partners with a valid SAP user ID can visit My Trust Center, an area within SAP Support Portal that extends the public offering by granting access to SAP security policies, frameworks, subprocessors lists, and more.
SAP security notes
The SAP for Me portal is the central access point for customers and partners providing detailed information about their product portfolios including a list of all security notes.
SAP Security Patch Day
Fix vulnerabilities discovered in SAP products
Review notes from our monthly SAP Security Patch Day to learn about vulnerabilities discovered in SAP products and patches to protect your SAP landscape.
Acknowledging our security researchers
Learn about the security researchers who help us identify and solve vulnerabilities so that we can help maintain the safety of our customers and partners.