The Invisible Breach: Business Logic Manipulation and API Exploitation in Credential Stuffing Attacks

This Privacy Policy outlines the steps Radware is taking to protect users' privacy and any individual using the website on their behalf (“users” “you” “your”) and the limitations in doing so.

If you provide Radware with personal information about someone else through the use of our website you must do so only with that person’s express authorization. You must inform them how we collect, use, disclose, and retain personal information related to them in accordance with this Privacy Policy before you provide Radware with such personal information.

The term “personal information” refers to information that identifies an individual or relates to an identifiable individual. For example, personal information related to you is your name, email address, and phone number.

Notice at Collection

Collection of Personal Information

Personal information may be collected in one of three ways: (i) users may submit personal information (such as name, address, email address, telephone number, education, and employment history as part of the candidate CV) while using this website for the purpose of registering and logging into the website, downloading software or information, applying for a job, requesting information and other uses; (ii) when entering a product serial number, the website will be updated with the applicable customer information.

The personal information related to you which is described above consists of the following categories:

• Personal information and identifiers when you sign up to our services through our website or through a separate agreement with us then as part of such registration we will ask you to provide personal information including your name, your email address, and other contact details as required.
• Internet or other electronic network activity information including but not limited to Internet Protocol (IP) address used by your device to connect your device to the Internet and automatically sent by your browser to our services; login details; e-mail address; password; device and connection information such as browser type, version, and time zone setting, browser plug-in types and versions, operating system, and information regarding your interaction with our website.
• In order for us to consider your application for a position with Radware it will be necessary for us to process certain personal data relating to you. We process personal data in accordance with applicable legislation while considering and balancing the relevant interests of our applicants, ourselves, and other stakeholders.
• Sensitive personal information or special categories of information – we do not collect initially special categories of information or sensitive personal information for the purpose of inferring characteristics about you from such information.
• We process aggregated data that is not personally identifiable data. For example, we use statistical analysis to improve our website and services and share marketing data with our business partners where such information does not identify individuals.

Use of Personal Information

Personal information is not used or provided to any third party except as outlined herein. By logging into our website and/or by providing your personal information, Radware assumes you are interested in obtaining more information about our company, its technology, and our solutions (both products and services) offerings or job opportunities.

Radware may also use personal information related to you to establish statistical data about our web traffic, identify potential cases of abuse of our systems, and prevent cyber-attacks, fraud, and identity theft.

Therefore Radware may use your personal information solely for the purpose of:

1. Providing you with products, services, upgrades, and additional offerings available on our website
2. Providing you with information Radware believes you would be interested in, such as newsletters, product updates, special offers, campaigns, service renewals, and additional promotional materials
3. Answering your questions and inquiries

Radware may also use personal information related to you to enforce our terms, policies, and legal agreements, to comply with court orders and warrants and assist law enforcement agencies to collect debts, prevent fraud, misappropriation, infringements, identity thefts, and any other misuse of our services and to take any action in any legal dispute and proceeding.

If you contact Radware’s customer support, Radware will use the content of your message for the following purposes: addressing your request, improving Radware’s website and services, and legal defense.

Legal Ground for Processing of the Personal Information

Radware will process personal information when it is legally permitted. In some countries, Radware relies on your consent only. In others where there are additional legal grounds to process personal information, Radware will rely on those additional grounds and more than one legal basis will apply to the processing of the same personal information depending on the processing activity.

The following legal grounds apply to the processing of personal information:

• Performance of the Terms and Conditions that govern the use of the website and services.
• Radware’s legitimate interest, for example, to maintain, protect, and improve the website and services, to maintain cyber security, to provide support, to maintain customer relations, to train Radware employees, to facilitate service operations and management, maintaining compliance with internal policies and procedures, monitoring the use of our copyrighted materials.
• Compliance with a legal or contractual obligation.
• Compliance with any legal proceedings.
• Your consent.

Use of Tracking Information

Radware engages third parties to provide Radware with services such as analytics, marketing automation, and customer experience and allow them to collect personal information on our services.

Tracking information is used solely for statistical web performance and analysis with the aim of improving the efficiency and performance of our website. Radware does not provide the tracking information to any third party and do not use it for any purpose other than as stated herein. Radware may use standard technologies such as cookies and other HTML tools to collect information about how you use the website or to record that you opened an email marketing message solely for analysis purposes.

Further details are available in our Cookie Policy at: https://www.radware.com/cookie-policy/

Sharing Personal Information

Radware will share personal information related to you only subject to the terms of this Privacy Policy or subject to your prior consent. Radware does not sell, rent, or lease personal information related to you. Radware will share personal information related to you with certain employees and external consultants as well as with its affiliates who are all governed by this Privacy Policy. In addition, Radware may also share personal information related to you with its business partners. Radware may also provide your contact information to Radware’s affiliates, business partners, or other third parties acting on its behalf in order to (i) provide you with Radware’s products and services or provide joint or bundled solutions; or (ii) provide you with joint offers and complementary information which Radware believes may be of interest to you.

Radware engages the following service providers to support the purpose of processing under this Privacy Policy and as required by applicable laws:

• Operations service providers that for example host and back up content, provide analytics related to the use of the services, authenticate and secure log-ins, log activities, manage our production and development activities, operate our systems, networks, and databases, and enable cyber security and fraud detection and prevention.
• Marketing and Business Development. To deliver our marketing and business development campaigns, we will share information with digital marketing providers, social media and advertising companies, market research partners, webinar hosts, venues, event organizers and registration providers, and other trusted vendors who assist in the performance of our marketing campaigns.
• Communications service providers, for example, we will use a service provider to manage our email messages transmission, engage local authorized partners to provide our services to you in a local language.
• Sales, Finance, Business, and Delivering Service. We use third-party sales tools to track pipeline activity and order information, finance and invoicing tools to assist in managing orders, customer billing and fulfillment, legal and compliance tools to assist in our contracting and compliance activities, consultants, contractors, and other specialists to provide professional services, and other vendors which support our business operations.
• Law enforcement, courts, and other agencies, authorities, and other relevant entities. We will comply with court orders, search warrants, regulatory orders, subpoenas, and provide information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. We will also report uploaded content and shared personal information if we have a good-faith belief that the content or the sharing of the content is illegal, abusive, or violates third-party rights.
• Other entities as part of a merger, acquisition, or any other corporate structural change.

Radware engages service providers whose processing can be considered as selling, sharing, or using personal information for targeted advertising, however, Radware does not do such processing. At any time, you can opt-out of the collection of personal information by Radware’s service providers at: DPO@radware.com or datasubjectrights@radware.com or visiting the “notice of right to opt-out of the selling or sharing of personal information” page available at: https://www.radware.com/do-not-sell-or-share.

Radware will need to disclose personal information related to you when it believes to be necessary or appropriate:

• Under applicable law, including laws outside your country of residence.
• To comply with legal process.
• To respond to requests from public and government authorities, including public and government authorities outside your country of residence.
• To enforce the Terms and Conditions.
• To protect Radware’s operations or those of any of its affiliates.
• To protect Radware’s rights, privacy, safety, interests, or property and/or that of its affiliates, you, or others.
• If Radware is involved in any discussions related to the sale of all or part of its business.
• To allow Radware to pursue available remedies or limit the damages that Radware can sustain.

Links to Third-party Sites

This website may contain links to third-party sites. Radware is not responsible for the privacy practices of such sites.

Security of Your Information

We are committed to ensuring the security of personal information. We and our hosting services implement systems, applications, and procedures to secure personal information related to you, to minimize the risks of theft, damage, loss of information, or unauthorized access or use of information. These measures provide sound industry-standard security.

Radware, as a provider of world-class security products, takes the security of your personal information as a top priority. Radware encrypts your information when it is transported or stored. Access is restricted to Radware staff members with a need to know. Radware monitors its technology platforms to protect against unauthorized access to your information. However, please understand that no security system is impenetrable and although we make efforts to protect your privacy, we cannot guarantee that our services will be immune from any wrongdoings, malfunctions, unlawful interceptions or access, or other kinds of abuse and misuse.

Cross-Border Transfer, Processing, and Storage of Personal Information

Radware stores and processes data, including personal information, either directly or using third parties, such as data hosting service providers in the EU, the U.S., and in other regions to support the website/portal and services. The laws of the territories where personal information will be stored and processed can differ from the laws of the jurisdiction in which you live.

If you are located in the European Economic Area (EEA) or any other country's territory that requires providing an adequate level of protection for such transfer to a third country, note that Radware will transfer personal information related to you to other jurisdictions which are not deemed to provide an adequate level of data protection. In such cases, Radware will use appropriate safeguards, in particular by way of entering into the European Union (EU) Standard Contractual Clauses or such other applicable standard data transfer agreements or such other applicable standard data transfer agreements or such other applicable standard data transfer agreements as amended from time to time with the relevant recipients or by adhering to equivalent data transfer regulations to protect the security and confidentiality of such personal information.

You can obtain a copy of the suitable safeguards that we use when transferring personal information as described above or receive further information about data transfer by contacting: DPO@radware.com or datasubjectrights@radware.com. If you are a resident in a jurisdiction where the transfer of personal information related to you to another jurisdiction requires your consent, then your consent to this Privacy Policy constitutes also consent as required by applicable law to such transfer.

Radware makes sure that its third-party service providers provide it with adequate confidentiality and security commitments and Radware will take all steps reasonably necessary to ensure that personal information related to you is treated securely and in accordance with this Privacy Policy.

Children’s Privacy

Radware is committed to protecting the privacy needs of children and we encourage parents and guardians to take an active role in their children’s online activities and interests. Radware does not knowingly collect information from children under the age of 16 and Radware does not target its website to children under 16. If you are under the age of 16, you do not have authorization or permission to access or use our website and services. For clarity, we do not knowingly collect personal information from children under the age of 16.

Disclosure of Information as Required by Law

Radware may be forced to disclose tracking information or personal information if required to do so by applicable law or by a competent governmental or judicial order to prevent any illegal or harmful activities.

Your Choice

We will give you choices about the ways we use and share personal information related to you and we will respect the choices you make. Where permitted by law, we may send newsletters or promotional communications to users. You can unsubscribe from these communications. For example, with respect to email messages, you will be required to click an “Unsubscribe” link (or similar) in these emails and confirm the email address for which you would like to unsubscribe.

You can request that personal information related to you be deleted by contacting Radware. Subject to the terms herein. When we delete personal information related to you that we have collected from or about you, it will be deleted from our active databases, but we will keep a reasonable number of copies in our archives unless prohibited by law. However, we will continue to retain the personal information related to you for legitimate business purposes as set forth above.

Your request to exercise your rights must provide sufficient information that allows Radware to reasonably verify you are the person about whom Radware collected personal information or an authorized representative and describe your request with sufficient detail that allows Radware to properly understand, evaluate, and respond to it. Upon verification of your request, we will provide you the following:

• You have the right to withdraw your consent for the processing of personal information related to you at any time. Exercising this right will not affect the lawfulness of processing based on consent before its withdrawal.
• To the extent your country provides you deletion or erasure rights – you have the right to request that we delete any personal information related to you.
• To the extent your country provides you with the right of access you may restrict access to personal information related to you.
• If you exercise one of the rights above you can also request to be informed that third parties that hold personal information related to you in accordance with this Privacy Policy will act accordingly.
• To the extent your country provides you with the right of ratification you may ratify and update any inaccurate or outdated personal information related to you that we process or store.
• You can ask to transfer personal information related to you in accordance with your right to data portability in your country.
• You can object to the processing of personal information related to you for direct marketing purposes.
• You have the right not to be subject to a decision based solely on automated processing including profiling which produces legal effects concerning you or similarly significantly affecting you.
• To the extent your country provides you with the following right to be informed about the following based on your country of residency: the categories of personal information we collected about you; the categories of sources for the personal information we collected about you; our business or commercial purpose for collecting that personal information; the categories of personal information that we disclosed for a business purpose and the categories of third parties with whom we disclosed that particular category of personal information; the specific pieces of personal information that we collected about you; and if we disclose personal information related to you for a business purpose we will provide you with a list that will identify the personal information categories that each category of recipient obtained.
• To the extent your country provides you non-discrimination right – you also have a right not to be discriminated against for exercising your rights under applicable privacy laws.
• You have a right to lodge a complaint with a data protection supervisory authority or attorney general as applicable and based on your country of residency.

If Radware needs to delete personal information related to you following your request, it will take some time until we completely delete residual copies of personal information related to you from our active servers and from our backup systems. Note that we are allowed to delete personal information related to you in different manners including by removing any identifying data and transforming personal information that relates to you into anonymized data.

To exercise your rights and described above and as applicable to you based on your country of residency, please submit your request by sending an email message to: DPO@radware.com or datasubjectrights@radware.com. Only you or a person authorized to act on your behalf can make a request related to personal information related to you.

Note that when you send Radware a request to exercise your rights, we will need to reasonably authenticate your identity and location. Radware will ask you to provide us with credentials to make sure that you are who you claim to be and will further ask you some questions to understand the nature and scope of your request. You should fully describe your request with sufficient details that allow Radware to properly understand, evaluate, and respond to it.

We cannot respond to your request or provide you with the requested personal information if we cannot verify your identity or authority to make the request and confirm the personal information related to you. We will only use the personal information provided in your request to verify your identity or authority to make the request. We will do our best to respond to your request within 30 days of its receipt. If we require more time (up to an additional 30 days), we will inform you of the reason and extension period in writing. We will deliver our written response by mail or electronically at your option.

Any disclosures we provide will only cover the 12-month period preceding receipt of your request. The response we provide will also explain the reasons we cannot comply with a request, if applicable. We do not charge a fee to process or respond to your request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will inform you of the reasons for such a decision and provide you with a cost estimate before completing your request.

We will not require that you create an account in order to exercise your rights under this policy and we will not increase the cost or decrease the availability of our services based solely on the fact that you have chosen to exercise one of your rights under applicable privacy laws. After receiving our reply, you can appeal against our decision by contacting Radware. We will review your appeal and provide you with our answer and our explanation of the reasons for our decision(s) within 60 days of receiving it. We will also provide you with a link (to the extent available) where you can submit a complaint to the relevant supervising authority.

Pursuant to Article 27 of the General Data Protection Regulation (GDPR), Radware has appointed Rickert Rechtsanwaltsgesellschaft mbH Law Office (EU Representative) as its GDPR Representative in the European Union: name: Rickert Rechtsanwaltsgesellschaft mbH contact details: Colmantstrasse 15 53115 Bonn. You can contact EU Representative regarding matters pertaining to the GDPR by (i) using EU Representative’s postal address; or (ii) writing to EU Representative at art27-rep-radware@rickert.law.

Data Retention

Radware retains different types of personal information related to you for different periods depending on the purposes for processing the information, our legitimate business purposes, and pursuant to legal requirements under applicable law.

Radware keeps your personal information only so long as Radware needs it to provide the products or services you requested, fulfill all the other purposes described in this Policy, and for other essential purposes such as complying with Radware’s legal obligations, resolve disputes, establish legal defenses, conduct audits, maintaining security, detecting and preventing fraud and abuse, enforce our agreements, and comply with all applicable laws. This is also the case for anyone that Radware shares your personal information with and who carries out services on Radware’s behalf. Retention periods can vary based on the type of information and how it is used. Radware’s retention periods are based on criteria that include legally mandated retention periods, pending or potential litigation, our intellectual property or ownership rights, contract requirements, operational directives or needs, and historical archiving. Radware will keep aggregated non-identifiable information without limitation and to the extent reasonable, Radware will delete or de-identify potentially identifiable information when Radware no longer needs to process the information.

When Radware no longer needs to use your personal information and there is no need for Radware to keep it to comply with our legal or regulatory obligations, resolve disputes and enforce our agreements, we’ll either remove it from our systems or depersonalize it so that we can't identify you.

At any time, you can contact our data protection officer at DPO@radware.com regarding any request or question in this matter.

Disclosure of Information as a Result of Reorganization

Radware may also be forced to disclose tracking information or personal information as part of a corporate reorganization, restructuring, or merger activities, to the extent required to consummate such activities.

Amendment of Policy

Radware reserves the right to amend the terms of this Policy from time to time without notice by posting the revised terms on the Website and the revised version will be effective when it is posted. If you object to our Privacy Updates, you can terminate your use of our website. By continuing to use our website or services after the Privacy Updates take effect, you signify your agreement and consent to the Privacy Updates unless applicable law requires Radware otherwise. We can modify, enhance, or improve our website and services and can accordingly offer additional tools and features. Such additional tools and features may be governed by additional or different privacy practices, terms and conditions as provided by Radware where applicable.

Questions

You may contact Radware with any questions regarding our Privacy Policy at DPO@radware.com. Note that Radware can only process requests received with sufficient information to enable Radware to process your request. If Radware needs to request additional information in order to complete your request, Radware will do so.

Last Updated: June 2024.

COPYRIGHT © 2026 Radware Ltd. All Rights Reserved.

The following terms and conditions of use apply to the use of this Website (the "Website"). Read these terms and conditions carefully before using the Website with or without logging in or downloading content from the site. These Terms and Conditions of use and all other legal notices on this website (e.g. specific Terms of Use of password protected zones and Privacy Policy) may change from time to time at the sole discretion of Radware and will become binding immediately upon posting. By accessing or using the Website, you are accepting and agreeing to the terms below and to any changes thereto that may become applicable from to time as indicated above.

Terms Applicable to Specific Content and Areas of the Website. Some areas of the Website or content provided on or through the Website may have additional rules, guidelines, license agreements, user agreements or other terms and conditions that apply to your access or use of that area of the Website or content (including terms and conditions applicable to a corporation or other organization and its users). If there is a conflict or inconsistency between these Terms and Conditions of Use for the Radware website, and the rules, guidelines, license agreement, user agreement or other terms and conditions for a specific area of the Website or for specific content, the latter shall have precedence and control with respect to your access and use of that area of the Website or content.

License. Subject to the terms and conditions herein, RADWARE hereby grants you a limited, nontransferable and nonexclusive license, subject to the restrictions set forth below, to access and use the Website, solely for informational and non-commercial purposes, for internal use and/or for the purpose of using, managing and supporting RADWARE devices (the "RADWARE Devices") owned or controlled by you (the "License"). RADWARE reserves the right to amend the terms of this License from time to time without notice, by posting the revised terms on the Website.

Copying and Reverse Engineering. You agree that you will not: (i) copy, modify, create any derivative work of; or (ii) reverse assemble, decompile, reverse engineer or otherwise attempt to derive source code (or the underlying ideas, algorithms, structure or organization); or (iii) remove any copyright notices, identification or any other proprietary notices from any of the software, copyrighted content and any proprietary information in this Website.

Intellectual Property Rights. You acknowledge and agree that this License is not intended to convey or transfer to you any intellectual property rights or to grant any licenses in or to any technology or intellectual property or content, other than as expressly provided herein. The content contained in this Website, including, but are not limited to, software, product information, technology information, user guides, white papers, analysis, trade names, graphics, designs, icons, audio or video clips and logos, is RADWARE proprietary information, protected by copyright, trademark, patent and/or other intellectual property rights, under US and international law. Third-party trademarks and information are the property of their respective owners.

Disclaimer of Warranty. Although RADWARE attempts to provide accurate and up-to-date information on this Website, RADWARE makes no warranty with respect to the accuracy or completeness of the information on the Website. Information, software and documentation provided on this Website are provided "as is" and without warranty of any kind either expressed or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose and non-infringement.

Limitation of Liability. RADWARE shall not be liable to you or any other party for any indirect, special, incidental or consequential damages, including, but not limited to, any amounts representing loss of profits, loss of business, loss of information or punitive damages. In any event, the extent of liability shall not exceed the amount of US$20 or, in the event of software purchased by downloading from this Website, limited exclusively to replacement of the software purchased or refund of license fees, if any. The above limitations shall apply to the fullest extent permitted by law.

Links to Third-party Websites. This Website may contain links to third-party Websites. Such links are provided for convenience only and RADWARE makes no warranty, nor does it assume any responsibility or liability in connection with the access and use of any other Website.

Access to Password-protected Zones. This Website includes restricted zones which are password-protected for employees, customers, partners and other registered users. Access to such restricted zones is limited to authorized users only, and unauthorized access may be considered a criminal offence. If you were provided a password, user ID or any other form of authentication by RADWARE (the "Password"), you agree that the Password is considered confidential and proprietary information of RADWARE and may not be disclosed or transferred to any other party. Some downloads require a RADWARE device serial number. The serial number is considered a Password for the purpose of this section. Registering to, trafficking into, or otherwise using password-protected zones to profit in bad faith from the knowledge base made available in such password-protected zones, to gain an unfair business advantage or competition against Radware or for business espionage, are against the law and are strictly prohibited.

Termination of Access and Use. Radware reserves the right to modify, suspend or terminate the Website and/or your use or access to the Website for any or no reason with or without notice at its sole and absolute discretion. Radware will not be liable to you or any third-party for any modification, suspension, or termination of the Website, and/or termination of your use thereof or access thereto.

Privacy. Information submitted by you or collected by us in connection with the use of this Website is subject to our Privacy Policy, the terms of which are incorporated herein by reference.

Export. The information, products or services available on this Website or any part thereof may be subject to export or import controls under the laws and regulations of the United States and/or Israel. You agree to comply with such laws and regulations and agree not to knowingly export, re-export, import or re-import, or transfer products without first obtaining all required government authorizations or licenses.

Governing Law. This Agreement and any action related thereto shall be governed, controlled, interpreted and defined in accordance with the laws of the State of Israel, without regard to the conflicts of laws provisions thereof.

Safe Harbor. This Website may contain forward-looking statements that are subject to risks and uncertainties. Factors that could cause actual results to differ materially from these forward-looking statements include, but are not limited to, general business conditions in the Application Delivery or Network Security industry, and other risks detailed from time to time in RADWARE's filings with the Securities and Exchange Commission, including RADWARE's Form 20-F.

COPYRIGHT © 2026, Radware Ltd. All Rights Reserved.