Report a Security Vulnerability / Incident

As a global technology leader, Barco is committed to delivering secure solutions, products and services.
We are constantly working on improving our security processes, therefore, we encourage security researchers to responsibly report security vulnerabilities and security incidents.

If you discover a vulnerability, we would like to know about it so we can take steps to address it as quickly as possible. We would like to ask you to help us better protect our products and our systems.
We encourage all researchers to follow the following guidelines (responsible disclosure).

Please do the following:

  • E-mail one finding per mail to psirt@barco.com (Barco's product security incident response team), this will allow a more efficient follow-up;
  • Encrypt your communication using our PGP key (see below) to prevent this critical information from falling into the wrong hands;
  • Do not take advantage of the vulnerability or problem you have discovered; for example:
    • Do not download more data than necessary to demonstrate the vulnerability or deleting or modifying other people's data, (e.g. if a vulnerability provides unintended access to data: Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), personal data, credit card data, or proprietary information)
    • Avoid violating the privacy of others, disrupting our systems, destroying data and/or harming user experience
  • Do not share any vulnerability details with third parties without requesting and receiving explicit permission from the Barco’s Product Security Incident Response Team (Discretionary Disclosure);
  • Do request explicit permission to test physical systems which you do not own or applications of third parties;
  • Do not use social engineering, (distributed) denial of service or spam;
  • Do provide sufficient information to reproduce the problem, in English, so we will be able to resolve it as quickly as possible;
  • Depending on the system, a URL or the model name and firmware version of the affected system and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation; and
  • Do not engage in extortion.

What we promise:

  • We aim to respond to your report within 3 business days (excluding holidays);
  • We aim to provide an evaluation of the report and a resolution forecast, within 10 business days (excluding holidays);
  • If you have followed the instructions above, we will not take any legal action against you with regard to the report;
  • We will handle your report with strict confidentiality, and will not pass on your personal data to third parties without your permission;
  • We will keep you informed of the progress towards resolving the problem;
  • We will evaluate a possible bounty. Decision of a possible bounty is fully at Barco's discretion;
  • Currently we are not paying for the report of security vulnerabilities, we believe in responsible disclosure. However, in exceptional cases and depending on the issue and fully at Barco's discretion, we might overrule this and offer you a bounty.
  • We can use your name as discoverer of the vulnerability in public communication (e.g. release notes), unless you desire otherwise;
  • We strive to resolve all problems as quickly as possible.

Version history:

22 Mar 2019 v1.0 - based upon https://www.responsibledisclosure.nl/en/ (Creative Commons Attribution 3.0 Unported license) and https://disclose.io/ (Creative Commons Attribution 4.0 International License)
05 Apr 2019 v1.1 - Clarification about possible bounties
27 May 2019 v1.2 - Request for one finding per mail - clarification about 'business days'


-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: User-ID: Barco Product Security Incident Response Team <psirt@barco.com>
Comment: Expires: 11/03/2024 12:00
Comment: Type: 4096-bit RSA
Comment: Fingerprint: AFC7393A37D3ACD187CC113E29AD862E8F3D013C


mQINBFyGkM8BEADGNjDS4JPLHnn/nCjR4Cjr9BHgPnbnBKfNW7IMW+X3bcXVhtLL
gb7GoMle0Z9C2nU8jlvornCA6NqQ1pixK+xQ1cIBlSz5G7kdspoX7QTYGW6y1xOh
GC96vPEKX23YuNnRtEb7z849Q+jnKsVdlCZmdAbHBHJ/wfnb2/nMSeWAbUOpSIuq
uExJN0gEuWXjvgmKP3NHuJbEw7HnJKpbkrtsttTv5D8L4/N2RtLnczplJ3igoAK8
9e+LPxzIPkT0F9S+EFaN0IiCfssbJbP5hNqgdrfGgiiaj7wXRUx0gYl2MA6pOjjE
mA9/lN+U2+EtDzrmOMsei/mahY7IaQ5s67bkSA+/xo+l9a65NTDmJJ4O+suITBO2
OsE5gNOxqp4vVEsaz+K6X1fjsNpQnTZUxHb48KDzvq0CIKVuR38Fv18Guwga/Spe
I0jKQdWFDtFWEpZBxbw21TeDrtRm2VQQerUi+o6LyLMtmzDKHGWb7sWVqmx5YcLs
EOO/fdGsOsqp9nk1N65kgyuuc0BqvqMuhr8Ora6DBxdGJQfxRiHcFXXko4FqStnd
X9BnWPIkkeZQqR9sZgRlI1CVEuy08PoWUxWlvRGQnK1edH3yk1qliTMjwhC850l8
VWRp5H+ehkdewUyLh6hMxKWAAdRqMkoj+KIESgntXD7bPmlowualKi6ifwARAQAB
tD9CYXJjbyBQcm9kdWN0IFNlY3VyaXR5IEluY2lkZW50IFJlc3BvbnNlIFRlYW0g
PHBzaXJ0QGJhcmNvLmNvbT6JAlQEEwEIAD4WIQSvxzk6N9Os0YfMET4prYYujz0B
PAUCXIaQzwIbIwUJCWhTYQULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRAprYYu
jz0BPNwtEACjXStrLYG/2z8BPwuRUuOAMw8yPb5FkhPbAstpYlJKnTtWoh4ksND5
xGn7iNqLCkRZCdDIvJEzDoRDa4hYr5hO0QxjDmZeOnb+WgiAEKDsreoftMImERLN
blDdaiH2K6cqMxli+oUm4m9vXKJ+p0tJar7ZQdQh+pmxVa+4bxGwnmX4MPtyjuNZ
VOIKwesQljJJZVJ+YkxMu+3w/faXzBDZMxZtD/jZaMP6Y3RzgKy7H3QB6CTB5jxK
rf3vpv7AdxXlVJ7gEcdiG+N8QN+Yqo5u077/rRfeYoxYKGqEb9KQag39sE0YV2hi
LXoQubXX+IE/8VjKVr0Hm+++RDDFzaRSSa/fM2MgkzVy260YiRfKJcCP0ssWUu5T
gQ9Z4En8/YyPy9ioUyAN0UEAPC387/b2WxWDRs5s+P3mf8yknVmbPJWciql5/nah
mQd4aytpgSp10woH3TdWAuYnxWcAN803SXhoOI7wfZrSngmiC8mhpu/nermYJaKE
SFIU2lDj/OXdFfeayONKAArlv7BBHzXeclCpTalztVHzNo+ojhIeZCjrX1NmGa1f
HVMtwosvM+9n5AG8TmJ1m1Fkmeb3XABPT5Plb9rZEmbQ2bCmZcJM7vS5xhM1iVog
wlqykVrQ6l0MWTryKsb3rjzzithP68ouURHxfZoHmnQ3VVzfS7IhWrkCDQRchpDP
ARAAtNT9gGdD2HVCgiWUKo3l02VeGLga2veZGiEL0ipRGuYUhRUxTG3Vyqtn15tE
PChWatnO+meOYG0eQ1reNKVDmIzEwUzJED0DlUcnfVm3Xz6q1KKyWneomgLDycAn
T78BcT6L6j4jCbnIysmbAq0AMvTHJ2iVW/ztB36blP7i4qXbhsCEWZ8X1LFjAsxI
pSlbnHXpqXXZFG+fVQ+Plap+w8vy7CkFTQWwUzgvBYj6TB2+5plUD36W4dWeq/FV
i5EtpT/2Nr4N7JEa4s0JM8vSf6yofyFrzYJuqbeUzZ0Cnk4XHQvjmh8kPWlp7M5k
a/6YByt93Ck/xIoMz7T3MTNR+E2nZ0vMojhb7//dRuhTfdvq/UwnLzh32mGOFqnD
h6nepSsom2o4OXX8yS9WtOOlY3auvYmVFZdG6hXrJYyEcqE7c15uGnvwln1JJJCR
SLJytPZ30+vs6cj8DPIHamFV0zjDtVTzftR3JRd294IN6gKkDEZ1Vr/lfdWKqRkf
x9iSjE6DrNa2UJHbqxAYuCntBWRuZCTTccvta8PRihi9V7vbrfAlZUl65ypj6HT/
rLSHCx8HR93lmVStYio3Jaky/zt/BMjYwbDZff2XQDFC2PGS/QyrXnXdi+FOpxmJ
cUyEaDZAP4VSbIfELCtqOG4VuTK9jTNBHi68ES8McwNZQG8AEQEAAYkCPAQYAQgA
JhYhBK/HOTo306zRh8wRPimthi6PPQE8BQJchpDPAhsMBQkJaFNhAAoJECmthi6P
PQE8znoP/RAeDtRo0fZXpef/76AWBmTEzgZbZiS5j9HzCQMesN1otBn3nTrxbHQ2
bLC91Ao0q3CrDbBo0mT1fY2YRdp3EPEzzczdQeDAk7O7ZoSv9/nXehogvLieMspH
VsXBkM8Q0uv63jWcOaB64bVq29GH3uAlFCTspTL9y5I+EoGwM8rckusWrg2ohUVl
PxZAH2D/sb2Ktc8nOIIBv5aQ+p1zmkSI1Mh2dlgpxX+PlJo+uPryBKbtKXko/xVA
bK5jonolaEdKW+/6TG/37jG+8YUhJkZzX9T7fnHoNPSpJ+5tchatBtE/LUBcVMyB
JlmhnkxoXbldBjz7QqUG9x27vGcuvNBT0XZYDi2HsFAYpKTAPSit9OeND7hg5CR3
wg+0VomY1AASo0KCgN5L5hTnytFa9RJ5gCL3JsZTCzc83IcJ34RdMmo94Ol5ANQB
+hf2FoK0Mm3u8EKJmQnWcR/cOJ7iUU94IAT+paIShhfOyYGr5BM5MSL07thHmsxI
ov4SbFMO7XMGzl+wa9SvdKG1dwy0k/jzJWMjQb3e9fP9qKohestUV5Bl40FKpG6d
TcgDu3Tsd7fVsx2nbljNCNAW+t5S/rQZ7Gz6xueblYIHdV/3nxm/eRPpzyWuYUpd
S9eXFGAsvnkHVBIOAeKihXrx8DQ1+tU9paPQ5U4xF//RYmtbLqKE
=pGAy
-----END PGP PUBLIC KEY BLOCK-----