Security Policy
As a core infrastructure component of our customers, the security of Camunda Platform (also referred to as the ‘software’) takes top priority and is maintained constantly.
For information on our Camunda Security Policy, visit the Camunda Trust Center.
Penetration Testing
Camunda has contracted an independent, external security advisor to regularly conduct penetration tests of the software. The advisor operates according to industry best practices recommended by the OWASP organization such as the OWASP Testing Guide. The tools used for testing include Burp Suite and DefenseCode Thunderscan
Any vulnerabilities detected are handled according to our process for security issue management.
Test history:
| Date | Test Focus | Result Summary |
|---|---|---|
April 2023 |
Camunda Automation Platform Version: 7.19.0-ee External security assessment using the graybox approach to test the Camunda Automation Platform web applications and REST API. |
No critical vulnerabilities were detected. Three lesser vulnerabilities were detected and submitted for treatment to our security issue process:
|
June 2022 |
Camunda Automation Platform Version: 7.17.0-ee Camunda Optimize Version 3.8.0 External security assessment using the graybox approach to test the Camunda Automation Platform web applications and REST API plus Camunda Optimize. |
No critical vulnerabilities were detected. Two lesser vulnerabilities were detected and submitted for treatment to our security issue process:
One general security advice was given. |
December 2021 |
Camunda Automation Platform Version: 7.16.0-ee Camunda Optimize Version 3.6.0 Whitebox test with focus on (but not limited to) the Camunda Automation Platform web applications and REST API plus Camunda Optimize. |
No critical vulnerabilities were detected. Two lesser vulnerabilities were detected and submitted for treatment to our security issue process. Two issues have been partially fixed, work in progress. |
December 2021 |
Cawemo Whitebox test with focus on (but not limited to) the Cawemo application and the underlying infrastructure. |
No critical vulnerabilities were detected. Seven lesser vulnerabilities were detected and submitted for treatment to our security issue process. Seven issues have been partially fixed, work in progress. |
June 2021 |
Cawemo Whitebox test with focus on (but not limited to) the Cawemo application and the underlying infrastructure. |
No critical vulnerabilities were detected. Five lesser vulnerabilities were detected and submitted for treatment to our security issue process. Five issues have been partially fixed, work in progress. |
March 2021 |
Camunda Platform Version: 7.14.5-ee Camunda Optimize Version 3.3.0 Whitebox test with focus on (but not limited to) Camunda Platform web applications and REST API. |
No critical vulnerabilities were detected. Three lesser vulnerabilities were detected and submitted for treatment to our security issue process. Three issues have been partially fixed, work in progress. |
January 2020 |
Camunda Platform Version: 7.12.1-ee Camunda Optimize Version 2.7.0 Whitebox test with focus on (but not limited to) Camunda Platform web applications and REST API. |
No critical vulnerabilities were detected. Seven lesser vulnerabilities were detected and submitted for treatment to our security issue process. Two issues have been fixed. Five issues have been partially fixed, work in progress. |
January 2019 |
Camunda Platform version: 7.10.1 Whitebox test with focus on (but not limited to) Camunda Platform web applications and REST API. |
No critical vulnerabilities were detected. Five lesser vulnerabilities were detected and submitted for treatment to our security issue process. Two issues have been fixed. Three issues have been partially fixed. |