The Vulnerability Disclosure Program (VDP) is an experimental program aiming to improve Netreo’s security through responsible testing and submission of previously unknown vulnerabilities. The VDP creates clear guidelines for eligible participants to conduct cyber security research on Netreo systems and applications.
Please adhere to the following guidelines in order to be eligible for recognition under this disclosure program:
In addition, please allow Netreo at least 90 days to fix the vulnerability before publicly discussing or blogging about it. Netreo believes that security researchers have the right to report their research and that disclosure is highly beneficial, and understands that it is a highly subjective question of when and how to hold back details to mitigate the risk that vulnerability information will be misused. If you believe that earlier disclosure is necessary, please let us know so that we can begin a conversation.
Just as important as discovering security flaws is reporting the findings so that users can protect themselves and vendors can repair their products. Public disclosure of security information enables informed consumer choice and inspires vendors to be truthful about flaws, repair vulnerabilities, and build more secure products. Disclosure and peer review advances the state of the art in security. Researchers can figure out where new technologies need to be developed, and the information can help policymakers understand where problems tend to occur. On the other hand, vulnerability information can give attackers who were not otherwise sophisticated enough to find the problem on their own the very information they need to exploit a security hole in a computer or system and cause harm. Therefore we ask that you privately report the vulnerability to Netreo before public disclosure. If you do not want to be publicly thanked on our Netreo Security Hall of Fame page (or elsewhere), please let us know that you want your submission to be confidential in your report email. We are also happy to accept anonymous vulnerability reports, but of course, we can’t send you our thanks if you report a vulnerability anonymously. We will make every effort to respond to valid reports within seven business days. The validity of a vulnerability will be judged at the sole discretion of Netreo. To ensure that your observations are properly reported you shall use only approved channels, namely, you should report discovered vulnerability via email to security-alerts@netreo.com. The validity and severity of a vulnerability will be judged at the sole discretion of Netreo.
We accept only manual or semi-manual tests. All findings coming from automated tools or scripts will be considered out of scope. Furthermore, all issues without clearly identified security impact, missing security headers, or descriptive error messages will be considered out of scope.
The following classes of vulnerabilities are of particular interest to us, and are eligible for attribution upon review:
The following classes of vulnerabilities are of particular interest to us, and are eligible for attribution upon review:
We thank you and appreciate your efforts in making Netreo more secure. We would like to thank the following individuals who have helped improve the security of our products.