Motorola Solutions Bug Submission Program
Motorola Solutions takes pride in our Quality Leadership in all that we do. Trusting us to ensure quality continues to maintain and grow our favorable reputation worldwide. Motorola Solutions recognizes the important role that security researchers play in helping to keep Motorola Solutions and our customers secure. We also appreciate researchers following responsible disclosure practices and not prematurely revealing vulnerability information during the time required to address a problem. Premature public disclosure can place our customers and users at increased levels of risk.
If you believe you have found a security vulnerability or issue on any Motorola Solutions and/or affiliated (e.g. Motorola Solutions Inc., MSI) domains, we encourage you to let us know right away. However, before reporting, please take the time to review and follow our proper Responsible Disclosure Policy and Responsible Disclosure Terms & Conditions.
Responsible Disclosure - Policy
When reporting a security vulnerability to Motorola Solutions, we ask that:
- You give us reasonable time to investigate and mitigate an issue you report before making any information contained in the report public.
- You do not exploit a security issue you discover for any reason. This includes demonstrating additional risk, such as attempts to compromise sensitive company data or probing for additional issues.
- You do not intentionally violate any other applicable laws or regulations.
- You do not violate any privacy rules, privacy regulations, or cause disruptions to others including, but not limited to unauthorized access to or destruction of data and interruption or degradation of our services.
- You read and align with Motorola Solutions Company Privacy Policy.
- You adhere to our Responsible Disclosure Terms & Conditions.
Responsible Disclosure - Terms & Conditions
- If you inadvertently or intentionally access proprietary customer, employee, or business related information during your testing, the information must not be used, disclosed, stored, or recorded in any way. Access to any such data must be declared as part of your vulnerability report.
- By submitting information about a potential security vulnerability, you are granting Motorola Solutions a worldwide, royalty-free, non-exclusive license to use your submission for the purpose of addressing security vulnerabilities in Motorola Solutions products and services.
- By submitting a security vulnerability report, you affirm that you have not previously disclosed the security vulnerability to anyone other than Motorola Solutions. Absent Motorola Solutions prior written consent, any disclosure outside of this process would be a violation of the terms & conditions of the Program.
Submitting a Security Vulnerability
A security vulnerability is a condition in a system or a device that can be exploited to violate its intended behavior, relative to confidentiality, integrity or availability.
For Independent Researchers
You may submit a security vulnerability by email or phone:
- Email: [email protected]
- US Telephone: +1.866.343.5220
- All Other Locations Telephone: +1.302.444.9838
For Motorola Customers
Please provide vulnerability inputs through your normal service support process as this program is NOT for our customers. This will reduce the time is takes to reach the proper team.
For Motorola Solutions Employees
Please provide vulnerability inputs through the proper internal channels.
Required Information
To help us better address your discovery, please include the following information:
- Contact Information: Your name, telephone number and email address
- Application / Product Impacted: Model number and software version, if available
- Vulnerability: Provide a brief description of the vulnerability
- Full Description: Provide a full description of the vulnerability including exploit and impact
- Documentation: Identify steps required to reproduce the vulnerability and may include videos, screenshots, PoC
- IDs Used for Testing: Email ID, User ID, Account ID
- IP Address Used for Testing: Include address and any tools
- Disclosure Details: Confirm you have not disclosed your findings to anyone other than Motorola Solutions. If not true, to whom were details disclosed to?
Expectations After Submission
Please allow up to five business days for an acknowledgment of your submission. This time will allow us to be sure your submission is forwarded to the our Security team for review. If, for any reason, you do not receive an acknowledgment, please contact us again to ensure your submission was received.
What's in Scope?
Any Motorola Solutions services and product domains
Out-of-Scope Vulnerabilities
Certain vulnerabilities are considered out of scope and may not qualify for our "Security Hall of Fame". Known excluded vulnerabilities include:
- Social Engineering techniques or Spam
- Host header
- Denial of Service (DOS)
- Self-XSS
- Login/Logout CSRF
- Content spoofing without embedded links / HTML
- Vulnerabilities which require jailbroken mobile device or outdated web browsers
- Infrastructure vulnerabilities, including:
- Certificates/TLS/SSL related issues
- DNS issues (e.g., MX records, SPF records)
- Server configuration issues (e.g., Open ports, TLS)
Bug Bounty Recognition Rewards Terms
We will review and recognize submitted reports on a case by case basis for any researcher that contacts Motorola Solutions regarding vulnerabilities within our services and product domains. In aligning to our commitment to partnering with you, you may be eligible to receive a monetary reward, "bounty," or other non-financial recognition if:
- You are the first person to submit a site or product vulnerability AND
- That vulnerability is determined to be a valid security issue by Motorola Solutions security team AND
- You have complied with Motorola Solutions Responsible Disclosure Policy and Security Hall of Fame Requirements and Guidelines.
Bug Bounty Payments
- Under no circumstances is Motorola Solutions obligated to pay researchers a bounty for any submission.
- Bug bounty payments are determined by the sole discretion of Motorola Solutions.
- Motorola Solutions determines all bounty payouts based on the risk and impact of the vulnerability.
- All bounty payments are considered gratuitous.
- The format and timing of all bounty payments are determined at Motorola Solutions sole discretion.
- As determined by the laws of your jurisdiction, residence or citizenship, you are responsible for any tax implications related to any bounty payments you receive.
- Motorola Solutions customers and employees are exempt from Bug Bounty Payments.
