Vulnerability Management

Vulnerability Disclosure and Bug Bounty Programs

Built on trust, transparency, and collaboration

At Genetec, we are committed to maintaining the highest standards of security.

We operate both a Vulnerability Disclosure Program (VDP) and a private Bug Bounty program to encourage the responsible reporting of security vulnerabilities. Both programs are designed to foster a collaborative approach to security, ensuring that our users' data and privacy are protected.

  • Vulnerability Disclosure Program (VDP): This program is open to the public and allows security researchers to report vulnerabilities they discover in our systems and applications. We appreciate your efforts in helping us improve our security posture. Note that no rewards are offered.
  • Private Bug Bounty Program: In addition to our VDP, we run a private Bug Bounty program where selected researchers are invited to test our assets and are rewarded for valid vulnerability reports. This program is by invitation only.

Legal safe harbor

We consider activities that adhere to this program as authorized and will not pursue legal action against you for responsibly disclosing vulnerabilities. Should a third party initiate legal action against you, and provided you have complied with this program, we will take appropriate steps to inform the relevant authorities that your actions were conducted in accordance with our guidelines.

Scope of the Vulnerability Disclosure Program

Vulnerabilities affecting products that are maintained under our product lifecycle policy will be investigated and remediated by our team. In addition to the products, the following domains are currently in scope:

  • *.clearance.network
  • *.clearid.io
  • *.genetec.cloud
  • *.genetec.com
  • login.genetec.com
  • *.genetec.one
  • *.geneteccloud.com
  • *.q2c.eu
  • *.autovu.com
  • *.curbsense.com
  • *.autovu.cloud
  • *.ops.center

Which vulnerabilities can you report in the Vulnerability Disclosure Program?

Qualifying vulnerabilities

  • Authentication flaws
  • Circumvention of our platform/privacy permission models
  • Elevation of privileges
  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF/XSRF)
  • Remote code execution
  • SQL Injection
  • Local file inclusion
  • Insecure direct object reference
  • Server-side request forgery

Out-of-scope vulnerabilities

  • Vulnerabilities that rely on social engineering (this includes phishing attacks against Genetec employees)
  • Denial of Service attacks (DoS)
  • Physical attempts against Genetec property or data centers
  • Attacks that assume admin control of a service machine
  • Missing best practices with no demonstrable security impact (e.g. missing HTTP headers, SSL/TLS configuration, etc.)
  • Insecure cookie flags on non-sensitive cookies or third-party cookies
  • Sending blind XSS by email or spamming Genetec employees
  • Vulnerable third-party packages without a proof of concept (e.g. jQuery)
  • Missing DNS CAA record

Disclosing your vulnerability

Once we receive your vulnerability submission, the Genetec Product Security Incident Response Team (PSIRT) will analyze and triage the submission. You should receive an email acknowledging your reported issue within two business days. Our team might reach out to you during the remediation process to establish the Common Vulnerability Scoring System (CVSS) score and confirm that the solution has been successfully applied.

If applicable, a Common Vulnerabilities and Exposures identifier (CVE ID) will be issued. Public disclosure of the vulnerability will be done via a release note and/or a security advisory for the affected products.

Please refrain from publicly disclosing any information before a coordinated disclosure.

Found a security vulnerability?

Let us know and we'll get right on it

What you need to know

Report requirements

Here's a list of the information we require to investigate your report:

  • The URL and any affected parameters
  • Description of the browser, OS, and/or app version
  • Description of the perceived impact (explain how the vulnerability could be exploited)
  • Detailed steps to reproduce the bug (if applicable, please include any screenshots, links you clicked on, pages visited, videos, etc.)

Reward eligibility

Here's how to qualify for a reward under our bug bounty program:

  • Be the first to report an unknown vulnerability
  • Send a clear textual description of the report along with steps to reproduce the vulnerability
  • Include attachments such as screenshots or proof of concept code as necessary
  • Disclose the vulnerability report directly and exclusively to us
  • Current Genetec employees are not eligible to receive bounty rewards
