Hexagon Vulnerability Disclosure Program

Introduction

The safety and security of customer data that is managed by Hexagon's products is an essential supporting component of Hexagon's Vision and Mission. We welcome the external security research community contribution to the security of our Products. If you believe you've found a security bugs in our products, we'll gladly work to resolve that issue.

Program Highlights

• Closed Scope: Only accepts reports based on the listed scope
• Coordinated Vulnerability Disclosure: Standard
• Top Response Efficiency: This program's response efficiency is above 90%
• Managed by HackerOne

Response Metrics:

• Average time to first response: 13 hours
• Average time to triage: 2 weeks, 5 days
• Average time to resolution: 1 month, 2 days

Disclosure Policy

• Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
• Follow HackerOne's disclosure guidelines.

Program Rules

• Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
• Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.
• Social engineering (e.g., phishing, vishing, smishing) is prohibited.
• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
• Ask the program team before submitting vulnerabilities on unscoped subdomains.
• Only interact with accounts you own or with the explicit permission of the account holder.

Test Plan

• Please use your hacker email alias when testing ([email protected])
• Researchers should add headers to requests such as: "X-HackerOne-Research: [H1 username]"

Scope Exclusions

Core Ineligible Findings are out of scope.