Rules of Engagement


The following rules of engagement (ROE) apply to the security assessments conducted by the customer.

General Guidelines

  1. The Security Test Plan created using the Customer Security Assessment Authorization Request Form must be approved before testing begins. Any changes in the approved schedule may require submitting a new form and re-approval.

  2. Any vulnerabilities identified during the test must be promptly reported to Guidewire through a Community case. Follow the guidelines detailed in article 000032877 in Community.

  3. Upon request from Guidewire, the customer shall immediately discontinue the test and confirm discontinuation via email to psirt@guidewire.com.

  4. Test restrictions:

    • The customer will ensure that testing is strictly limited to the in-scope URLs and environment. The testing must not target other environments, cloud customer resources, or shared services.
    • Customer security testing will be limited only to black box or grey box security tests of the specified URLs. Testing of any other components, such as Amazon Web Services (AWS) infrastructure, is prohibited.
    • The customer may not use an environment containing production data to perform this test.
    • The customer must ensure that the automated test load (i.e., requests/connects per second) does not cause any service disruption.
    • The customer must have prior written approval from Guidewire to subcontract, assign, or transfer the test to third parties.

  5. Vulnerability testing:

    • Vulnerability testing (including any exploitation) shall be limited to gathering adequate evidence for a proof of concept or for the existence of a vulnerability. The customer will not attempt to exploit the identified vulnerability further to gain access to underlying systems, escalate privileges, or move laterally within Guidewire Cloud.
    • The customer must obtain permission from Guidewire before executing any form of remote code execution.

  6. Prohibited Test Cases: The following test cases are strictly prohibited:

    • Any tests that attempt Denial of Service (DoS), Distributed Denial of Service (DDoS), or brute-force attacks
    • Installation or upload of any malicious files (viruses, bots, trojans, rootkits, or any such executables)
    • Attempted phishing or other social engineering attacks directed against Guidewire employees, vendors, or contractors
    • Any intensive network fuzzing or aggressive automated testing that generates significant traffic or performance degradation

  7. Except for the test report, the customer agrees to erase and/or destroy all other information, findings, test results, code snippets, etc., associated with the test.

  8. Guidewire reserves the right to respond to any actions on its assets that appear to be malicious.

Reporting Requirements

  1. After the test, the customer shall promptly validate all findings. The validation requires a qualified security resource from the customer to manually review and validate the results (especially for automated scan report output) before submitting. Guidewire reserves the right to reject unvalidated or poorly validated reports, including reports with many false positives.

  2. All potential vulnerabilities must be reported to Guidewire through a Community case. Follow the guidelines detailed in article 000032877 in Community.

Customer Responsibilities

  1. The customer will perform the test competently and professionally, using a reputable third party or an equally qualified resource to complete it according to the defined engagement rules.

  2. All parties agree to maintain strict confidentiality regarding the report findings and shall not disclose the report to any individual, public, or entity other than its employees and only on a need-to-know basis.

  3. The customer or third party conducting the tests is responsible for any damages caused by failing to abide by these rules of engagement.

Additional Resources

  • Community Article: How to report potential security vulnerabilities in Guidewire products and/or raise a non-vulnerability security inquiry (000032877)

https://community.guidewire.com