Built on trust, transparency, and collaboration
At Genetec, we are committed to maintaining the highest standards of security.
We operate both a Vulnerability Disclosure Program (VDP) and a private Bug Bounty program to encourage the responsible reporting of security vulnerabilities. Both programs are designed to foster a collaborative approach to security, ensuring that our users' data and privacy are protected.
- Vulnerability Disclosure Program (VDP): This program is open to the public and allows security researchers to report vulnerabilities they discover in our systems and applications. We appreciate your efforts in helping us improve our security posture. Note that no rewards are offered.
- Private Bug Bounty Program: In addition to our VDP, we run a private Bug Bounty program where selected researchers are invited to test our assets and are rewarded for valid vulnerability reports. This program is by invitation only.


Legal safe harbor
We consider activities that adhere to this program as authorized and will not pursue legal action against you for responsibly disclosing vulnerabilities. Should a third party initiate legal action against you, and provided you have complied with this program, we will take appropriate steps to inform the relevant authorities that your actions were conducted in accordance with our guidelines.
Scope of the Vulnerability Disclosure Program
Vulnerabilities affecting the products that are maintained as per our product lifecycle will be investigated and worked on by our team. In addition to the products, the following domains are also currently in scope:
- *.clearance.network
- *.clearid.io
- *.genetec.cloud
- *.genetec.com
- login.genetec.com
- *.genetec.one
- *.geneteccloud.com
- *.q2c.eu
- *.autovu.com
- *.curbsense.com
- *.autovu.cloud
- *.ops.center
Which vulnerabilities can you report in the Vulnerability Disclosure Program?
Qualifying vulnerabilities
- Authentication flaws
- Circumvention of our platform/privacy permission models
- Elevation of privileges
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF/XSRF)
- Remote code execution
- SQL Injection
- Local file inclusion
- Insecure direct object reference
- Server-side request forgery
Out-of-scope vulnerabilities
- Vulnerabilities that rely on social engineering (this includes phishing attacks against Genetec employees)
- Denial of Service attacks (DoS)
- Physical attempts against Genetec property or data centers
- Attacks that assume administrative control of a service machine
- Missing best practices with no demonstrable security impact (e.g. missing HTTP headers, SSL/TLS configuration, etc.)
- Insecure cookie flags on non-sensitive cookies or third-party cookies
- Sending blind XSS payloads by email or spamming Genetec employees
- Vulnerable third-party packages without a proof of concept (e.g. jQuery)
- Missing DNS CAA record