Report a Security Vulnerability / Incident
As a global technology leader, Barco is committed to delivering secure solutions, products and services.
We are constantly working on improving our security processes, therefore, we encourage security researchers to responsibly report security vulnerabilities and security incidents.
If you discover a vulnerability, we would like to know about it so we can take steps to address it as quickly as possible. We would like to ask you to help us better protect our products and our systems.
We encourage all researchers to follow the following guidelines (responsible disclosure).
Please do the following:
- Log one finding per Support Ticket via https://serviceportal.barco.com/s/create-case-wizard
- In case you experience issues using the support portal, please mail your issues with the support portal and your security findings to psirt@barco.com (less preferred method, will be deprecated in the future).
- Do not take advantage of the vulnerability or problem you have discovered; for example:
- Do not download more data than necessary to demonstrate the vulnerability or deleting or modifying other people's data, (e.g. if a vulnerability provides unintended access to data: Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), personal data, credit card data, or proprietary information)
- Avoid violating the privacy of others, disrupting our systems, destroying data and/or harming user experience
- Do not share any vulnerability details with third parties without requesting and receiving explicit permission from the Barco’s Product Security Incident Response Team (Discretionary Disclosure);
- Do request explicit permission to test physical systems which you do not own or applications of third parties;
- Do not use social engineering, (distributed) denial of service or spam;
- Do provide sufficient information to reproduce the problem, in English, so we will be able to resolve it as quickly as possible;
- Depending on the system, a URL or the model name and firmware version of the affected system and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation; and
- Do not engage in extortion.
What we promise:
- If you have followed the instructions above, we will not take any legal action against you with regard to the report;
- We will handle your report with strict confidentiality, and will not pass on your personal data to third parties without your permission;
- We will keep you informed of the progress towards resolving the problem;
- We will evaluate a possible bounty. Decision of a possible bounty is fully at Barco's discretion;
- Currently we are not paying for the report of security vulnerabilities, we believe in responsible disclosure. However, in exceptional cases and depending on the issue and fully at Barco's discretion, we might overrule this and offer you a bounty.
- We strive to resolve all problems as quickly as possible.
Version history:
22 March 2019 v1.0 - based upon https://www.responsibledisclosure.nl/en/ (Creative Commons Attribution 3.0 Unported license) and https://disclose.io/ (Creative Commons Attribution 4.0 International License)
05 April 2019 v1.1 - Clarification about possible bounties
27 May 2019 v1.2 - Request for one finding per mail - clarification about 'business days'
8 July 2021 v1.3 - Guide Barco customers to log a support ticket instead of using psirt@barco.com
5 October 2023 v1.4 – Migration towards Support Portal and updated/removed policy statements