Vulnerability Management

Bug Bounty Program

The Genetec security vulnerability management program

 Important announcement

Transition to private Bug Bounty program

We are excited to announce that we are transitioning our public Bug Bounty program to a private, invitation-only program. This change will allow us to focus our efforts and resources on collaborating with a select group of trusted security researchers.

Effective date

Please note that as of May 26th, we will close our public Bug Bounty program.
You can still report findings through our Vulnerability Disclosure Program (VDP), but no reward will be given. We thank you for your understanding and continued support. Together, we can ensure the security and privacy of our users.

Built on trust, transparency, and collaboration

Think you might have discovered a security vulnerability in one of our products? Then you’ve come to the right place. Our dedicated team is ready to work with you to resolve it as quickly as possible.

Scope of the program

Vulnerabilities affecting the products that are maintained as per our product lifecycle will be investigated and worked on by our team. In addition to the products, the following domains are also presently in this scope:

  • *.clearance.network
  • *.clearid.io
  • *.genetec.cloud
  • *.genetec.com
  • login.genetec.com
  • *.genetec.one
  • *.geneteccloud.com
  • *.q2c.eu
  • *.autovu.com
  • *.curbsense.com
  • *.autovu.cloud

Which vulnerabilities can you report?

Qualifying vulnerabilities

  • Authentication flaws
  • Circumvention of our platform/privacy permission models
  • Elevation of privileges
  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF/XSRF)
  • Remote code execution
  • SQL Injection
  • Local file inclusion
  • Insecure direct object reference
  • Server-side request forgery
     

Out-of-scope vulnerabilities

  • Vulnerabilities that rely on social engineering (this includes phishing attacks against Genetec employees)
  • Denial of Service Attacks (DOS)
  • Physical attempts against Genetec property or data centers
  • Attack that assumes admin control of a service machine
  • Missing best practices with no demonstrable security impact (i.e. missing HTTP headers, SSL/TLS configuration, etc.)
  • Insecure cookies for non-sensitive cookies or 3rd party cookies
  • Sending blind XSS by email or spamming Genetec employees
  • Vulnerable third party packages without proof of concept (ex. jQuery) 
  • Missing DNS CAA record

Disclosing your vulnerability

Once we receive your vulnerability submission, the Genetec Product Security Incident Response Team (PSIRT) will analyze and triage the submission. You should receive an email acknowledging your reported issue within two business days. Our team might reach out to you during the remediation process to establish the Common Vulnerability Scoring System (CVSS) score and confirm that the solution has been successfully applied.

If applicable, a common vulnerabilities and exposures identity (CVE ID) will be issued. The public disclosure of the vulnerability will be done via release note and/or security advisory for the affected products.

Please refrain from publicly disclosing any information before a coordinated disclosure.

Vulnerability Management

Found a security vulnerability?

Let us know and we'll get right on it

What you need to know

Report requirements

Here's a list of the information we require to investigate your report:

  • List the URL and any affected parameters
  • Description of the browser, OS, and/or app version
  • Description of the perceived impact (explain how the vulnerability could be exploited)
  • Detailed steps on reproducing the bug (if applicable, please include any screenshots, links you clicked on, pages visited, videos, etc.)

Reward eligibility

Here’s how to qualify for a reward under our bug bounty program:

  • Be the first to report an unknown vulnerability
  • Send a clear textual description of the report along with steps to reproduce the vulnerability
  • Include attachments such as screenshots or proof of concept code as necessary
  • Disclose the vulnerability report directly and exclusively to us
  • Current Genetec employees are not eligible to receive bounty rewards

Rewards

Each vulnerability that gets reported is evaluated to determine its reward level. The following bounty payout ranges list the maximum pay for these categories of issues. This is meant to serve as a guide describing how reported issues are rewarded based on their impact. 
All figures are in Canadian dollars (CAD).

Critical

The following vulnerabilities are considered critical issues and can provide a reward up to $5000 CAD.

  • Remote code execution on a server
  • Full account takeover without interaction
  • Getting read or write access to private source code
  • Server-side request forgery (SSRF) exploitation leading to critical impact
  • Vulnerabilities leading to the compromise of a user’s account (with a way to bypass two-factor)
  • Bugs bypassing authentication mechanisms
  • Exposure of highly sensitive information

 

Transparency is key to our business

Browse all of our security advisories

Report a bug

Found a security vulnerability affecting Genetec products?

Partners
Company
Resources
Products
Connect with us
© 1997-2025 Genetec Inc. All rights reserved.
Privacy policy | Terms of use | Legal | Secure communications | Corporate social responsibility | Cookie & email preferences | Your privacy choices