As a global technology leader, Barco is committed to delivering secure solutions, products and services.
We are constantly working on improving our security processes, therefore, we encourage security researchers to responsibly report security vulnerabilities and security incidents.
If you discover a vulnerability, we would like to know about it so we can take steps to address it as quickly as possible. We would like to ask you to help us better protect our products and our systems.
We encourage all researchers to follow the following guidelines (responsible disclosure).
Please do the following:
- For Barco customers: Log one finding per Support Ticket via www.barco.com/en/support.
Others: E-mail one finding per mail to firstname.lastname@example.org (Barco's product security incident response team);
- Encrypt your communication using our PGP key (see below) to prevent this critical information from falling into the wrong hands;
- Do not take advantage of the vulnerability or problem you have discovered; for example:
- Do not download more data than necessary to demonstrate the vulnerability or deleting or modifying other people's data, (e.g. if a vulnerability provides unintended access to data: Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), personal data, credit card data, or proprietary information)
- Avoid violating the privacy of others, disrupting our systems, destroying data and/or harming user experience
- Do not share any vulnerability details with third parties without requesting and receiving explicit permission from the Barco’s Product Security Incident Response Team (Discretionary Disclosure);
- Do request explicit permission to test physical systems which you do not own or applications of third parties;
- Do not use social engineering, (distributed) denial of service or spam;
- Do provide sufficient information to reproduce the problem, in English, so we will be able to resolve it as quickly as possible;
- Depending on the system, a URL or the model name and firmware version of the affected system and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation; and
- Do not engage in extortion.
What we promise:
- We aim to respond to your report within 3 business days (excluding holidays);
- We aim to provide an evaluation of the report and a resolution forecast, within 10 business days (excluding holidays);
- If you have followed the instructions above, we will not take any legal action against you with regard to the report;
- We will handle your report with strict confidentiality, and will not pass on your personal data to third parties without your permission;
- We will keep you informed of the progress towards resolving the problem;
- We will evaluate a possible bounty. Decision of a possible bounty is fully at Barco's discretion;
- Currently we are not paying for the report of security vulnerabilities, we believe in responsible disclosure. However, in exceptional cases and depending on the issue and fully at Barco's discretion, we might overrule this and offer you a bounty.
- We can use your name as discoverer of the vulnerability in public communication (e.g. release notes), unless you desire otherwise;
- We strive to resolve all problems as quickly as possible.
22 Mar 2019 v1.0 - based upon https://www.responsibledisclosure.nl/en/ (Creative Commons Attribution 3.0 Unported license) and https://disclose.io/ (Creative Commons Attribution 4.0 International License)
05 Apr 2019 v1.1 - Clarification about possible bounties
27 May 2019 v1.2 - Request for one finding per mail - clarification about 'business days'
8 July 2021 v1.3 - Guide Barco customers to log a support ticket instead of using email@example.com
PGP PUBLIC KEY BLOCK