SAP Security Patch Day decoded: Who’s really keeping your ERP secure?

July 10, 2025

Category: Zero Days and Patches

Read time: 3 minutes

Most SAP customers know that SAP releases new security patches on the second Tuesday of every month. Only a few know where these patches come from and what that implies.

Well, certainly the patches themselves come from SAP. But who detects the vulnerabilities they patch?

Publishing patches for (critical) security risks every month, and thereby hardening customer systems, looks like a considerable achievement by SAP. A closer look at SAP Patch Day, however, reveals certain deficits in SAP's security process.

SAP performs a huge amount of development and has several highly skilled teams that analyze new and old solutions for potential security defects.

As an additional layer of security, SAP performs automated code analysis and even maintains its own tools to assess the (security) quality of ABAP solutions.

As a third layer of defense, SAP also hires various external security companies and experts to perform security audits of its solutions.

These are all good measures. And most SAP customers believe that’s where the monthly security notes come from. However, this is not the whole story.

We took a closer look at the security notes released between August 2018 and July 2025, a period of 84 months, i.e. seven years. Almost all of these notes state whether the underlying vulnerability was found by SAP itself or by external researchers or security companies, and most of them carry a CVSS score.

Before we delve into the statistics, please bear in mind the famous phrase popularised by Mark Twain: "There are lies, damned lies, and statistics". Insights derived from statistics should always be handled with caution. We will nevertheless try our best.

Analyzing the data from these 84 months reveals the following statistics, which are quite notable.

In total, there are 1,286 security notes, an average of around 15 per month. Of these, 1,268 indicate the origin of the patched vulnerability, i.e. whether it was detected by SAP's internal procedures or by external parties. This blog post focuses on these 1,268 attributable notes. Of them, 341 (26.9%) were credited to SAP and 927 (73.1%) to external parties; measured against all 1,286 notes, the shares are 26.5% and 72.1% respectively.

The first insight is therefore that the vast majority of SAP vulnerabilities are not discovered through SAP's three-layered defense process but by independent experts, who usually are not even paid for their efforts. In other words, more than 72% of SAP security notes address vulnerabilities that SAP's security test teams did not find, that SAP's automated code security tools did not find, and that the contracted external testing companies did not find either.

This means that external and independent SAP security researchers make a substantial contribution to the security of the 480,000+ SAP customers across the globe.

July 2025 is a remarkable statistical outlier: all 29 attributable security notes of that month addressed vulnerabilities reported by external parties.

Focusing solely on the number of vulnerabilities could, however, paint an inaccurate picture. In theory, the vulnerabilities reported by external parties might be low-risk findings that SAP's internal procedures deliberately deprioritise.

Taking criticality into account, based on the CVSS score of each security note, 113 of the 137 security notes rated 9.0 or higher were reported by external researchers. That is about 82.5%, so the value of external research to SAP customers is even greater than the overall share suggests.

Going one step further and considering only security notes with a CVSS score of 10.0, i.e. vulnerabilities that are exploitable over the network without authentication and lead to a full compromise of the SAP system, 28 out of 31 are based on external research. That is more than 90%.
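To make the method behind these figures reproducible, here is a small Python script that performs the same aggregation over an export of security notes: it keeps only notes with a stated source in the denominator, drops unrated notes when filtering by CVSS band, and reports the external share overall, for CVSS 9.0 and above, and for CVSS 10.0 exactly. This is an added example, not code or data from the original post or from SAP; the CSV rows, note numbers and dates are constructed for illustration, and the column names are an assumption about how such an export might look.

```python
import csv
import io
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample export. The note numbers, dates, scores and sources
# below are made up for illustration and are not real SAP security notes.
# The column layout (note, released, cvss, source) is an assumption.
SAMPLE_CSV = """note,released,cvss,source
1000001,2024-01-09,9.8,external
1000002,2024-01-09,5.3,SAP
1000003,2024-02-13,,external
1000004,2024-02-13,10.0,external
1000005,2024-03-12,7.5,
1000006,2024-03-12,10.0,SAP
1000007,2024-04-09,9.1,external
1000008,2024-04-09,4.3,SAP
"""


@dataclass
class Note:
    note: str
    released: str
    cvss: Optional[float]   # None when the note carries no CVSS score
    source: Optional[str]   # "SAP", "external", or None when not stated


def parse_notes(text: str) -> list[Note]:
    """Parse a CSV export; blank cvss/source cells become None."""
    notes = []
    for row in csv.DictReader(io.StringIO(text)):
        cvss = float(row["cvss"]) if row["cvss"].strip() else None
        src = row["source"].strip() or None
        if src is not None and src not in ("SAP", "external"):
            raise ValueError(f"unknown source {src!r} in note {row['note']}")
        notes.append(Note(row["note"], row["released"], cvss, src))
    return notes


def attribution(notes, min_cvss=None, max_cvss=None):
    """Count who reported the vulnerabilities in a selection of notes.

    Notes without a stated source never enter the denominator. When a CVSS
    bound is given, notes without a score are dropped as well, because they
    cannot be placed in a band. 'excluded' records how many notes fell out.
    """
    selected = [n for n in notes if n.source is not None]
    if min_cvss is not None or max_cvss is not None:
        selected = [n for n in selected if n.cvss is not None
                    and (min_cvss is None or n.cvss >= min_cvss)
                    and (max_cvss is None or n.cvss <= max_cvss)]
    counts = Counter(n.source for n in selected)
    total = len(selected)
    return {
        "total": total,
        "sap": counts["SAP"],
        "external": counts["external"],
        "excluded": len(notes) - total,
        "external_share": round(100 * counts["external"] / total, 1) if total else None,
    }


def report(notes):
    """The three views used in the post: all notes, CVSS >= 9.0, CVSS == 10.0."""
    return {
        "all": attribution(notes),
        "cvss_ge_9": attribution(notes, min_cvss=9.0),
        "cvss_10": attribution(notes, min_cvss=10.0, max_cvss=10.0),
    }


if __name__ == "__main__":
    for label, stats in report(parse_notes(SAMPLE_CSV)).items():
        print(label, stats)
```

Running it on the sample yields an external share of 57.1% overall, 75.0% for CVSS 9.0 and above and 50.0% for CVSS 10.0; the note with a blank source and the note with a blank score show up in the 'excluded' counts rather than silently skewing the percentages. Pointing `parse_notes` at a real export with the same columns reproduces the post's analysis.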

This brings us back to our headline: Who’s really keeping your ERP secure?