The purpose of this document is to communicate the Accenture Products & Platforms (APP) organization’s policy with regard to the distribution of security vulnerability patches for APP software products. This document will communicate APP's processes and requirements for handling known security vulnerabilities, subsequent patching of such security vulnerabilities and the scope of support for security vulnerabilities. The policy will be adaptive to the needs of the marketplace and may be updated periodically as applicable. Accenture clients are ultimately responsible for applying any security vulnerability patches that are made available by Accenture for its supported software and for ensuring that they implement their own secure processes and standard industry practices related to the overall security of their IT environment where Accenture licensed software products are installed.

Introduction

Accenture licenses and supports APP software products pursuant to Accenture standard license terms and conditions. This security policy is incorporated into Accenture’s standard license terms and conditions and clients are expected to adhere to this policy to receive the security patches from Accenture covered by this policy.

All APP software products are designed to comply with the security vulnerability patch outlines in this document prior to being made Generally Available (“GA”) to our licensed and supported clients. There may be instances where Accenture or those clients identify a new security vulnerability after a product was made Generally Available. When such security vulnerability is identified and reproduced by Accenture, Accenture will make commercially reasonable efforts to develop a remediation plan to remediate such security vulnerability and publish security patches for the current release of the product and where applicable, to prior supported releases of the product as described in the next section:

APP security scope, approach, remediation & communication

Accenture will provide security vulnerability patches for a specific release of an APP software product for three years from the GA date of the specific release (“Supported Software”) given such release is in active use by our clients. Security vulnerability patches will be provided for Supported Software only.
Accenture will not make available any security vulnerability patches for software product releases outside of the time frames noted above. Clients covered by Accenture maintenance and support have the option to upgrade to a newer release (preferred option) to receive Supported Software and security vulnerability patching support. If a client chooses to remain on unsupported software, they may reach out to Accenture to discuss options regarding custom security vulnerability remediation.

Accenture’s security patching standard approach
Accenture conducts industry standard security assessments for its standard software product releases. Security vulnerability patches are released to address known security vulnerabilities identified through this security assessment for the current release of the software product. Accenture will also assess if the security vulnerability applies to any other Supported Software and, if applicable, will release patches for such Supported Software.

Potential security vulnerabilities reported by clients
Accenture will also facilitate the reporting of potential security vulnerabilities from its licensed clients who are active maintenance clients. Using the Accenture Service Desk, clients can log an Error Ticket and identify it as a potential security vulnerability. When the potential security vulnerability can be reproduced by Accenture, then Accenture will determine the severity of the security vulnerability and prioritization for remediation.

Accenture will make commercially reasonable efforts to develop a remediation plan to remediate known security vulnerabilities. Accenture will also determine the method of distribution of the security vulnerability patches. Priority will be given to deliver patches for known critical vulnerabilities.
Accenture's clients will be responsible for applying such patches to the supported version of the software that the client is currently using. Accenture is not responsible for the implementation of the security patch in the client environment. Clients requiring assistance should contact their account team for further information on ad-hoc customized support.

For software products covered by this policy, Accenture will incorporate a security bulletin into the product release notes that identifies a list of security vulnerabilities remediated within each release, accompanied by any additional instructions to apply those security vulnerability patches as applicable.
