
Responsible Disclosure Page

Last updated: January 14, 2026

RESPONSIBLE DISCLOSURE (Vulnerability Disclosure Program)

Workato values the work of the security research community and encourages responsible reporting of security vulnerabilities in our products and services. If you believe you have identified a security issue, please report it promptly so we can investigate and remediate it in a coordinated manner.


DISCLOSURE PROGRAM GUIDELINES

When reporting a vulnerability, we ask that you follow these guidelines to help ensure a safe and effective disclosure process:

  1. Review this policy before beginning or submitting any security research.

  2. Submit your report using the reporting form provided at the bottom of this page. Please include as much detail as possible, including clear steps that allow our security team to reproduce and locate the identified vulnerability.

  3. Do not take advantage of the vulnerability you discover. For example, do not download more data than necessary to demonstrate the vulnerability and do not delete or modify data belonging to others.

  4. Do not access customer or employee personal information or confidential information. If you accidentally access any of these, please stop testing and submit the vulnerability.

  5. Do not disclose the vulnerability to others until it has been resolved or a coordinated disclosure timeline has been agreed upon. Public disclosure prior to remediation may increase risk to users.

  6. Do not use prohibited testing techniques, including attacks on physical security, social engineering, distributed denial-of-service (DDoS), spam, or attacks against third-party applications or services.

  7. Provide sufficient information for reproduction. In most cases, this includes the affected URL, endpoint, workflow, or component, along with a description of the issue. Complex vulnerabilities may require additional explanation or proof of concept.

  8. Allow a reasonable amount of time for response and remediation. We aim to acknowledge reports promptly, but time to resolution will depend on severity and complexity.

  9. Identification is encouraged. Workato may choose not to contact or otherwise interact with reporters who decline to identify themselves when submitting a report.

  10. Securely delete Workato information that may have been downloaded, cached, or otherwise stored on the systems used to perform the research.


NONCOMPLIANCE

Workato does not authorize, permit, or otherwise allow any activity that is illegal or in violation of this policy, Workato’s Terms of Use, or applicable law.

You are required to comply with all applicable laws and regulations relevant to security research activities. If you engage in activities inconsistent with this policy, you may be subject to criminal and/or civil liability.

You must not:

  • Access, acquire, remove, download, or modify data residing in an account that does not belong to you

  • Destroy, corrupt, or attempt to destroy or corrupt data or information not owned by you

  • Execute or attempt to execute any denial-of-service (DoS or DDoS) attack

  • Post, transmit, upload, link to, send, or store malicious software

  • Test in a manner that results in unsolicited or unauthorized spam, bulk messaging, or degradation of service

  • Test third-party applications, websites, or services that integrate with or link to Workato, except as expressly permitted for testing Workato functionality

  • Exploit a security vulnerability beyond the minimum testing required to demonstrate its existence

In summary, we ask that you refrain from harming or compromising Workato systems, violating Workato’s rights, the rights of third parties, or applicable law.


SCOPE

This program applies to security vulnerabilities affecting Workato-owned and controlled systems, products, and services.

If you have identified a potential vulnerability (excluding the out-of-scope issues listed below) in any system or asset you reasonably believe belongs to or is operated by Workato, please submit it through this program.


OUT-OF-SCOPE VULNERABILITIES AND ATTACKS

The following vulnerability classes and attack types are out of scope for this program and are not eligible for testing or reporting:

  • Physical security testing

  • Social engineering (including phishing, vishing, and smishing)

  • Denial-of-service or resource exhaustion attacks

  • Clickjacking on pages with no sensitive actions

  • Cross-site request forgery (CSRF) on unauthenticated or non-sensitive forms

  • Attacks requiring man-in-the-middle capabilities or physical access to a user’s device

  • Previously known vulnerable libraries without a working proof of concept

  • CSV injection without demonstrated exploitability

  • Missing SSL/TLS best practices without demonstrated security impact

  • Content spoofing or text injection issues without a viable attack vector

  • Rate-limiting or brute-force issues on non-authentication endpoints

  • Missing Content Security Policy (CSP) best practices

  • Missing HttpOnly or Secure cookie flags without exploitability

  • Missing or incomplete email authentication best practices (SPF, DKIM, DMARC)

  • Vulnerabilities affecting only outdated or unpatched browsers (more than two stable versions behind)

  • Software version disclosure, banner identification, or descriptive error messages

  • Tabnabbing

  • Issues requiring unlikely or impractical user interaction

Any activity that could disrupt Workato services is also considered out of scope.


SAFE HARBOR FOR GOOD-FAITH SECURITY RESEARCH

Workato considers security research conducted in good faith and in compliance with this policy to be authorized. Workato will not recommend or pursue legal action against individuals who responsibly disclose vulnerabilities in accordance with this program.


NO LIMITATION OF LIABILITY TO THIRD PARTIES

While Workato appreciates the reporting of potential vulnerabilities and does not intend to take action against individuals making good-faith efforts to comply with this policy, Workato cannot make representations on behalf of any third party.

To the extent that any security research or vulnerability disclosure activity involves the networks, systems, applications, services, or data of any non-Workato entity (including third-party service providers, customers, or partners), those entities may independently determine whether to pursue legal action or other remedies related to such activities.


RIGHTS AND OBLIGATIONS

You must comply with all applicable laws, rules, regulations, and Workato’s or any third-party applications’ policies and terms of use.

By submitting a report, you represent and warrant that:

  • The report is original to you and you have the right to submit it

  • Submission and use of the report do not violate any third-party rights or applicable law

By submitting a report, you grant Workato the unrestricted right to use the report for any purpose.

All Workato systems, platforms, and information accessed, observed, or acquired as part of this program are owned by Workato or its licensors, providers, or customers. You acquire no rights, title, interest, or ownership in such systems or information.

You may use Workato systems and access information solely for permitted security research activities under this program.

Workato may modify these terms or discontinue this program at any time.


VULNERABILITY SUBMISSION

Please submit vulnerabilities using the embedded HackerOne reporting form below:

The trademarks WORKATO®, WORKBOT® and WORK JAM® are registered in U.S. Patent & Trademark Office to Workato, Inc.