Who We Are
The ServiceNow Security Lab site is a joint collection of content from several ServiceNow security teams and security-minded contributors throughout the company. The content contained herein is the product of thorough original security research, vulnerability discovery and analysis, and other significant security efforts. These works are presented here to contribute high-quality, security-related information and awareness back to the larger Internet community around the Now Platform® technologies and other related open-source technologies. Some of the contributing ServiceNow teams are identified below:
PSIRT
The ServiceNow PSIRT (Product Security Incident Response Team) handles the incident response function around software security defects (vulnerabilities). It handles reporting, tracking, remediation, and coordination up through resolution for vulnerabilities in code that could affect the Now Platform®. It also oversees the Coordinated Vulnerability Disclosure (CVD) program for ServiceNow.
Security Research
The ServiceNow Security Research team performs technical security research across a wide range of topics. In addition to its open-ended research, it produces investigative reports that drive a reduction in operational security risk, and provides guidance on primary security controls, best practices, and product enhancement.
Red Team
The ServiceNow Red Team proactively executes opportunistic attack simulation exercises across the entire organization to assess and reinforce ServiceNow’s resiliency against modern adversary tactics, techniques, and procedures (TTPs).
What We Do
These are some of the many areas that we focus on in the pursuit of security research and vulnerability handling. While non-exhaustive, this list can provide some insight into the possible breadth and depth of what can be found here on the ServiceNow Security Lab site.
Vulnerability Analysis
Our team members perform in-depth discovery, triage, and analysis of vulnerabilities identified and reported within the tech stack and associated technologies.
Original Research
Our contributors leverage a wide range of techniques to dig into the full stack of a given research subject, many times developing new techniques and tooling in the process. The results of such research are commonly contributed back into the tech stack(s) and to the community at large.
Bug Bounties
As part of ServiceNow’s Coordinated Vulnerability Disclosure program, we operate a Bug Bounty Program (BBP) to further enumerate any vulnerabilities within the technologies we are concerned with. More information about the BBP can be read here.
Third-Party Vulnerability Coordination & Collaboration
The ServiceNow PSIRT is a full member of FIRST (Forum of Incident Response and Security Teams) and a MITRE CVE Numbering Authority (CNA) partner, and ServiceNow is also a member of several ISACs. Through these various channels, we can coordinate vulnerability information related to ServiceNow technologies both inbound and outbound, collaborating on rapid awareness and understanding of the issues at play.
Community Awareness
We make our research and results available through content publications, proofs-of-concept, and various other public channels in an effort to help the larger community gain awareness and helpful knowledge.
Improving Security Mindfulness
ServiceNow believes in building a better, and more secure, workflow. A substantial part of this comes from increasing the security mindfulness of those contributing to the platforms where work is done. As a substantial supporter and enabler of the growing Citizen Developer movement, ServiceNow believes in enabling those contributions, in part, through content that can be found here and on other ServiceNow sites.
Getting involved
ServiceNow believes in building strength and our community, and wants to help interested ethical security researchers and developers better understand the security in our products and platform technologies. For those interested, please click the button below to find out how.