Submitting an Identified Vulnerability
Guidewire requests that customers report any potential vulnerabilities in our products or platform privately. Effective communication and reporting of findings are critical to the timely resolution of security issues and to maintaining our customers' trust. This guide outlines the information that should be included in a vulnerability report and the process for submitting it to Guidewire.
Vulnerability Report Content
A vulnerability report should include the following information so that the Guidewire PSIRT can verify and reproduce the issue (see the Example section below):
- Title of the vulnerability
- Risk rating
- Common Vulnerability Scoring System (CVSS) score, consistent with the vector and the risk rating
- CVSS vector string, stating the CVSS version it uses
- Description
- Proof of concept (step-by-step reproduction, with the exact requests sent and screenshots or request/response captures)
- Affected assets/URLs
- Recommended remediation
Submission Process
To report a vulnerability, follow the guidelines in Guidewire Community article 000032877 (listed under Additional Resources below).
Example
The following is an example of the information required to assess a sample vulnerability.
Note: The following submission is intended as an example only.
Vulnerability #1: Directory Listing Vulnerability
| Risk Rating | Low |
|---|---|
| CVSS Score | 3.9 |
| CVSS Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:W/RC:R/CR |
Description
It was observed that the application discloses the directory structure of the server. The web server is configured to display the list of files when a directory is requested and no index page is present (directory listing is enabled), which exposes file names that an attacker can then request directly.
Proof of Concept
The screenshots below show the application disclosing the directory structure on the server. The steps to reproduce state the exact URL requested, the request and response, and the files listed.
>>> POC Screenshots with Steps to reproduce <<<
Recommended Remediation
The recommendation is to disable directory listings in the web server configuration (for example, Options -Indexes in Apache httpd or autoindex off; in nginx) and to ensure that every web-accessible directory either serves an index page or denies access.
Reference Link(s)
https://portswigger.net/kb/issues/00600100_directory-listing
Affected URL(s)
https://example.com
Additional Resources
- Community Article: How to report potential security vulnerabilities in Guidewire products and/or raise a non-vulnerability security inquiry (000032877)