Committed to maintaining the highest standards of security
We operate both a Vulnerability Disclosure Program (VDP) and Bug Bounty programs to encourage the responsible reporting of security vulnerabilities. These programs are designed to foster a collaborative approach to security, ensuring that our users' data and privacy are protected.
- Vulnerability Disclosure Program (VDP): This program is open to the public and allows security researchers to report vulnerabilities they discover in our systems and applications. We appreciate your efforts in helping us improve our security posture. Note that no rewards are offered.
- Private Bug Bounty program: In addition to our VDP, we run a private Bug Bounty program where selected researchers are invited to test our assets and are rewarded for valid vulnerability reports. This program is by invitation only.
- Public Bug Bounty program: Our public Bug Bounty program remains open. However, we are currently transitioning away from the program to focus our efforts and resources on collaborating with a select group of trusted security researchers.

Legal safe harbor
We consider activities that adhere to this program as authorized and will not pursue legal action against you for responsibly disclosing vulnerabilities. Should a third party initiate legal action against you, and provided you have complied with this program, we will take appropriate steps to inform the relevant authorities that your actions were conducted in accordance with our guidelines.
Scope of the Vulnerability Disclosure Program
Vulnerabilities affecting the products that are maintained under our product lifecycle will be investigated and worked on by our team. In addition to the products, the following domains are also currently in scope:
- *.clearance.network
- *.clearid.io
- *.genetec.cloud
- *.genetec.com
- login.genetec.com
- *.genetec.one
- *.geneteccloud.com
- *.q2c.eu
- *.autovu.com
- *.curbsense.com
- *.autovu.cloud
- *.ops.center
Which vulnerabilities can you report in the Vulnerability Disclosure Program?
Qualifying vulnerabilities
- Authentication flaws
- Circumvention of our platform/privacy permission models
- Elevation of privileges
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF/XSRF)
- Remote code execution
- SQL Injection
- Local file inclusion
- Insecure direct object reference
- Server-side request forgery
Out-of-scope vulnerabilities
- Vulnerabilities that rely on social engineering (this includes phishing attacks against Genetec employees)
- Denial of Service (DoS) attacks
- Physical attempts against Genetec property or data centers
- Attacks that assume admin control of a service machine
- Missing best practices with no demonstrable security impact (e.g. missing HTTP headers, SSL/TLS configuration, etc.)
- Insecure cookie settings on non-sensitive cookies or third-party cookies
- Sending blind XSS by email or spamming Genetec employees
- Vulnerable third-party packages without a proof of concept (e.g. jQuery)
- Missing DNS CAA record