Hexagon's vulnerability disclosure programme

Policy

The safety and security of customer data that is managed by Hexagon’s products is an essential supporting component of Hexagon's Vision and Mission. We welcome the external security research community's contribution to the security of our Products. If you believe you've found a security bug in our products, we'll gladly work to resolve that issue.

We're constantly seeking to improve. If you have any questions on our security or suggestions on how the Hexagon Vulnerability Disclosure Programme (VDP) could be improved, please write to us (information.security@hexagon.com).

Products in scope

Products chosen by Hexagon’s product teams will be in scope. These products will be listed in the product selection list of the reporting form. Products not listed are excluded from the VDP. Products not specifically listed can still receive vulnerability reports using the General category from the product list; such reports will be assessed, but on a Reasonable Endeavours basis.

Public disclosure

We believe in transparency about our security; any valid vulnerabilities or defects discovered are always reported within the product release documents.

Eligibility and responsible disclosure

To promote the discovery and reporting of vulnerabilities and increase user safety, we ask that you:

  • Share the security issue with us in detail;
  • Be respectful of our existing applications. Spamming forms through automated vulnerability scanners is not in the spirit of responsible disclosure;
  • Give us reasonable time to respond to the issue before making any information about it public;
  • Do not access or modify our data or our users’ data, without explicit permission of the owner. Only interact with your own accounts or test accounts for security research purposes;
  • Contact us immediately if you do inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to Hexagon;
  • Act in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our services (including denial of service);
  • Otherwise comply with all applicable laws.

Best practice reporting

To ensure your report is as effective as possible and to help the development teams assess and reproduce the bug, we suggest the following best practice tips for bug reporting.

  1. Build a stronger report by including information on the actual and potential impact of the vulnerability, as well as details of how it could be exploited.
  2. Include the methodology you used to find the bug, and the steps to reproduce it.
  3. Please submit your results only after you’ve ensured that your bug is verified.
  4. Submissions in English are preferred; however, please submit the report in your native language if you cannot describe the issue in English in sufficient detail.

Out-of-scope vulnerabilities

The following issues are outside the scope of the VDP:

  • Password, email and account policies, such as email ID verification, reset link expiration and password complexity.
  • Research requiring physical access to our products.
  • Missing security headers which do not lead directly to a vulnerability.
  • Missing best practices (we require evidence of a security vulnerability).
  • Use of a known-vulnerable library (without evidence of exploitability).
  • Reports from automated tools or scans.
  • Attacks that require an attacker's app to have permission to overlay on top of our app (e.g., tap-jacking or click-jacking).
  • Vulnerabilities affecting users of unsupported browsers or platforms.
  • Social engineering of Hexagon’s employees or contractors.
  • Any physical attempts against Hexagon property or data centers.
  • Presence of autocomplete attribute on web forms.
  • Missing cookie flags on non-sensitive cookies.
  • Any report that discusses how you can learn whether a given username or email address has a Hexagon account.
  • Any access to data where the targeted user needs to be operating a rooted mobile device.
  • Any report about dynamic link library (DLL) hijacking without demonstrating how it gains new privileges.
  • Absence of rate limiting, unless related to authentication.
  • Devices (iOS, Android, desktop apps) not getting unlinked on password change.

Consequences of complying with this policy

We will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorised” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Acceptable Use Policy, we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a Digital Millennium Copyright Act (DMCA) claim against you for circumventing the technological measures we have used to protect the applications in scope.

If your report addresses a vulnerability of a Hexagon business partner, Hexagon reserves the right to share your submission in its entirety, including your identity, with the business partner to help facilitate testing and resolution of the reported vulnerability. If legal action is initiated by a third party against you and you have complied with Hexagon’s VDP, Hexagon will take steps to make it known that your actions were conducted in compliance with this policy.

Hexagon may choose, at its sole discretion, to provide you with complimentary access to Hexagon’s products. This access is solely for the purpose of enabling your testing and may be revoked at any time with or without advance notice.

Hexagon does not currently operate a Bug Bounty award scheme. All notifications made to Hexagon under the Vulnerability Disclosure Programme are made in good faith and in the best interests of the wider community.