OutSystems CSIRT

OutSystems Computer Security Incident Response Team (OutSystems CSIRT) is the OutSystems team that is responsible for the response to any cyber security incident.

The primary mission of OutSystems CSIRT is to help ensure company, platform, and data preservation by thoroughly investigating computer security incidents and contributing to their prevention with post-incident trend analysis and preventative recommendations, including vulnerability management guidance following incident investigations as it pertains to the OutSystems Platform.

OutSystems CSIRT also shares information with other CSIRTs involved in security incident responses.

This document introduces the OutSystems Computer Security Incident Response Team (CSIRT) and outlines its scope. It provides an overview of the team's role and responsibilities, while not focusing on the specific features of any particular OutSystems product or service.

1.1 • Date of Last Update
This is version 1.1 and was last updated on 28 Oct 2024.

1.2 • Distribution List for Notifications
There is no distribution channel for notifications of changes to this document.

1.3 • Document Location
The current version of this document is on www.outsystems.com/low-code-platform/security/csirt/. Make sure that you are using the latest version of this document.

1.4 • Authentication of This Document
A digitally signed version is available at the end of this document. The signature was produced using the OutSystems CSIRT PGP key.
Our public key can be downloaded from section 2.7.

2.1 • Name of the Team
Full name: OutSystems Computer Security Incident Response Team
Short name: OutSystems CSIRT.

2.2 • Address
Rua Central Park 2, 2A
2795-242 Linda-a-Velha
Portugal

2.3 • Time Zone
24x7

2.4 • Telephone Number
Regular and emergency contact: +351 308 808 222, +351 800 780 555

2.5 • Other Telecommunication
Not applicable

2.6 • Email Address
For general customer inquiries and reporting Security Incidents, the preferred method to contact us is the OutSystems Support Portal.

2.7 • Public Keys and Other Encryption Information
Encrypt any sensitive email with the OutSystems PGP Key.
Key size: 4096
Key validity: 24 Oct 2025
Key fingerprint: 1C25 DBBB 1BF8 ECC3 CD75 D8CA 1BAE A457 224A 6C74
Link to Public Key

2.8 • Team Members
No public information is provided about OutSystems CSIRT members.

2.9 • Other Information
More information about OutSystems CSIRT is available on the OutSystems Trust page.

2.10 • Points of Customer Contact
For general customer inquiries and reporting Security Incidents, the preferred method to contact us is the OutSystems Support Portal.

3.1 • Mission Statement
The OutSystems Computer Security Incident Response Team (OutSystems CSIRT) is the OutSystems cyber investigation and forensics team. It provides security response services to protect OutSystems from cyber attacks and the loss of its intellectual assets.

The primary mission of OutSystems CSIRT is to help ensure company, system, and data preservation by performing comprehensive investigations into computer security incidents, and to contribute to the prevention of such incidents by engaging in proactive threat assessment, mitigation planning, incident trend analysis, security architecture review, and vulnerability management.

3.2 • Constituency
OutSystems CSIRT is responsible for handling security incidents related to company employees, company assets, and all OutSystems domains, namely:

  • outsystems.com
  • outsystems.net
  • outsystemscloud.com
  • outsystemsenterprise.com
  • outsystems.app
  • outsystems.dev

as it relates to the OutSystems Platform and following the OutSystems Cloud Shared Responsibility Model where applicable.

3.3 • Sponsorship and Affiliation
OutSystems CSIRT consists of a group of engineers, analysts, and business partners who serve all of OutSystems and act under the authority of the Chief Information Security Officer to protect OutSystems assets.

3.4 • Authority
OutSystems CSIRT coordinates, investigates, and remediates security incidents at the direction of the Chief Information Security Officer.

4.1 • Types of Incident and Levels of Support
The level of support provided by the OutSystems CSIRT Team will vary depending on the type and severity of the incident or issue, the type of constituent, the affected scope, and OutSystems CSIRT resources. Resources will be assigned according to the following priorities:

  • Threats to the physical safety of human beings.
  • Denial of service attacks on OutSystems Platform infrastructures, support systems, or corporate assets.
  • Root or system-level attacks on OutSystems Platform infrastructures, support systems, or corporate assets.
  • Compromise of restricted confidential service accounts or software installations on any of OutSystems' infrastructures or support systems.
  • Any threats, attacks, or compromises at other sites that originate from the OutSystems network.
  • Threats, harassment, and other criminal offenses involving OutSystems’ user accounts.
  • Compromise of OutSystems assets or Employee end-user devices.
  • Forgery, misrepresentation, and other security-related violations of local regulations.

If required, OutSystems CSIRT will also provide support in the form of analysis, documentation, and intervention (if needed) of any vulnerability found or reported that affects OutSystems. Incident types not specified here will be prioritized according to their apparent severity, impact, and extent.

4.2 • Cooperation, Interaction and Disclosure of Information
All received information is handled as confidential, regardless of its priority.

When reporting incidents that have sensitive information, be explicit (for example, by using the label SENSITIVE) and, if possible, encrypt it using the OutSystems CSIRT PGP Key, available from the link in section 2.7 of this document.

Although there are legal and ethical restrictions on the flow of information from OutSystems CSIRT, some of which are specified in OutSystems policies, all reports will be respected; OutSystems CSIRT acknowledges its indebtedness to and declares its intention to contribute to the spirit of cooperation that created the Internet. Therefore, though appropriate measures will be taken to protect the identity of members of our constituency and members of involved third parties where necessary, OutSystems CSIRT will otherwise share information freely when this will help others resolve or prevent security incidents.

Information will be released based on the following considerations:

  • Private user information is considered confidential information and, as such, will not be released unless disguised or otherwise hidden.
  • Intruder information is similar to private user information, and the same rules apply.
  • Information that concerns third-party systems, sites, or other technological assets will not be released without the permission of the affected third party.
  • Technical information about vulnerabilities and attacks that affect third-party vendors, including fixes and workarounds, will be released freely after contacting the affected third parties and after allowing sufficient time for the implementation of patches or fixes.
  • Vulnerability information about OutSystems is considered technical information about vulnerabilities or attacks. This information will be divulged freely after proper mitigation, patches, and/or hotfixes are available for deployment.

OutSystems CSIRT will only share the necessary information with involved parties or publicly as required to resolve or prevent security incidents.

4.3 • Communication and Authentication
Unencrypted email will not be considered secure, but will be sufficient for transmitting low-sensitivity data. Sensitive data sent by email must be encrypted with the OutSystems CSIRT PGP key.

Online ticketing tools will be considered sufficient for transmitting sensitive information if proper user access segregation is implemented.

Network file transfers will be considered to be similar to email: sensitive data must be encrypted for transmission.

When establishing trust is necessary, the identity of the other party will be ascertained to a reasonable degree of trust. Appropriate methods will be used, such as a search of FIRST members, the use of WHOIS and other Internet registration information, along with telephone call-back or email mail-back to ensure that the party is not an impostor. Incoming email containing data that must be trusted will be verified with the originator or by means of digital signatures.

5.1 • Incident Response
OutSystems CSIRT will assist with the technical and organizational aspects of security incidents as they relate to OutSystems’ assets. In particular, it will provide assistance or advice for the following aspects of incident management.

5.1.1 • Incident Triage

  • Investigate escalated security incidents to confirm and assess their impact, and determine the security incident severity.
  • Analyze and review the extent of a security incident, to help determine its severity in accordance with internal incident response playbooks.

5.1.2 • Incident Coordination

  • Determining the root cause of the incident
  • Facilitating contact with related third parties
  • Facilitating contact with OutSystems Security, law enforcement officials, or both if necessary
  • Creating announcements to users and customers when applicable.

5.1.3 • Incident Resolution

  • Following the process of removing or mitigating a security incident and checking its effectiveness
  • Collecting and storing evidence when criminal prosecution (with supervision from law enforcement agencies) or disciplinary action is being contemplated

5.2 • Proactive Activities
OutSystems CSIRT maintains the following services to the extent made possible by its resources:

  • List of departmental security contacts (administrative and technical). These will be available for OutSystems employees and partners.
  • Repository of security tools and corresponding documentation.
  • Clipping service relating to security vulnerabilities and cyber attacks. This information will be made available to OutSystems employees and partners via approved communication channels.
  • Security level assignments, including producing new security tools, performing internal audits (penetration tests, vulnerability scans, etc.), and reviewing security architectures and network designs.
  • Documenting security incidents, analysis, and resolutions.

Although every precaution will be taken in the preparation of information, modifications, and alerts, OutSystems assumes no responsibility for errors, omissions, or damages resulting from the use of the information contained within.