Hexagon's vulnerability disclosure programme 

Policy

The safety and security of customer data that is managed by Hexagon’s products is an essential supporting component of Hexagon's Vision and Mission. We welcome the external security research community contribution to the security of our Products. If you believe you've found security bugs in our products, we'll gladly work to resolve that issue.

We value the contributions of the security research community and recognize the importance of a coordinated approach to vulnerability disclosure. If you have discovered a security vulnerability, we encourage you to let us know immediately. We welcome the opportunity to work with you to resolve the issue promptly.

Adhering to industry standards is important to us, and our program is covered by Coordinated Vulnerability Disclosure, Safe Harbor, Open Scope and Core Ineligible Findings, and Detailed Platform Standards.

 

Use this link to submit your report.

 

We're constantly seeking to improve. If you have any questions about our security or suggestions on how the Hexagon Vulnerability Disclosure Programme (VDP) could be improved, please write to us ([email protected]).

Products in scope

Security vulnerabilities that are identified in digital properties owned, operated, or controlled by Hexagon AB are considered in scope.

Public disclosure

We believe in transparency about our security, any valid Vulnerabilities / Defects discovered are always reported within the product release documents

Eligibility and responsible disclosure

To promote the discovery and reporting of vulnerabilities and increase user safety, we ask that you:

• Share the security issue with us in detail;
• Please be respectful of our existing applications. Spamming forms through automated vulnerability scanners is not in the spirit of responsible disclosure;
• Give us reasonable time to respond to the issue before making any information about it public;
• Do not access or modify our data or our users’ data, without explicit permission of the owner. Only interact with your own accounts or test accounts for security research purposes;
• Contact us immediately if you do inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to Hexagon;
• Act in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our services (including denial of service).
• Otherwise, comply with all applicable laws.

Best practice reporting

To ensure your report is as effective as possible and assist the development teams to assess and reproduce the bug, we suggest the following best practice tips for bug reporting.

1. Build a stronger report by including information on the actual and potential impact of the vulnerability, as well as details of how it could be exploited.
2. Include the methodology you used to find the bug, and the steps to reproduce it.
3. Please submit your results only after you’ve ensured that your bug is verified.
4. Submissions in English is preferred however please submit the report in your native language if you cannot submit it in English to sufficient detail.

Out-of-scope vulnerabilities

The following issues are outside the scope of the VDP:

• Password, email and account policies, such as email id verification, reset link expiration, and password complexity.
• Research requiring physical access to our products.
• Missing security headers which do not lead directly to a vulnerability.
• Use of a known-vulnerable library (without evidence of exploitability.
• Reports from automated tools or scans.
• Attacks that require attacker app to have the permission to overlay on top of our app (e.g., tap or click jacking).
• Presence of autocomplete attributes on web forms.
• Any report that discusses how you can learn whether a given username or email address has a Hexagon account.
• Any access to data where the targeted user needs to be operating a rooted mobile device.
• Any report about dynamic link library (DLL) hijacking without demonstrating how it gains new privileges.
• Absence of rate limiting, unless related to authentication.
• Devices (ios, android, desktop apps) not getting unlinked on password change.

Consequences of complying with this policy

We will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorised” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Acceptable Use Policy, we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a Digital Millennium Copyright Act (DMCA) claim against you for circumventing the technological measures we have used to protect the applications in scope.

If your report addresses a vulnerability of Hexagon business partner, Hexagon reserves the right to share your submission in its entirety, including your identity, with the business partner to help facilitate testing and resolution of the reported vulnerability. If legal action is initiated by a third party against you and you have complied with Hexagon’s VDP, Hexagon will take steps to make it known that your actions were conducted in compliance with this policy.

Hexagon may choose, at its sole discretion, to provide you with complimentary access to Hexagon’s products. This access is solely for the purposes of enabling your testing and may be revoked at any time with or without advanced notice.

Hexagon does not currently operate a Bug Bounty award scheme. All notifications made to Hexagon under the Vulnerability Disclosure Program are made in good faith and in the best interests of the wider community.