Testing for security vulnerabilities:
Whenever a Trial or Developer Edition is available, please conduct all vulnerability testing against such instances. Always use test or demo accounts when testing our online services.
For information about security assessments, requirements, restrictions, and scheduling, review the knowledge article titled "Vulnerability Assessment and Penetration Test".
Reporting a potential security vulnerability:
Salesforce does not permit the following types of security research:
The Salesforce security team commitment:
We ask that you do not share or publicize an unresolved vulnerability with/to third parties. If you responsibly submit a vulnerability report, the Salesforce security team and associated development organizations will use reasonable efforts to:
- Respond in a timely manner, acknowledging receipt of your vulnerability report
- Provide an estimated time frame for addressing the vulnerability report
- Notify you when the vulnerability has been fixed
We are happy to thank every individual researcher who submits a vulnerability report helping us improve our overall security posture at Salesforce.