Canon Inc. (“we”, “our” or “us”) will collect and disclose product vulnerability information in order to ensure the security of our products and services (“Products”), and to protect our customers from cyber threat.
1. PSIRT Establishment
We have established the PSIRT (Product Security Incident Response Team) to handle vulnerability information relevant to the Products.
2. Vulnerability Management
We work continuously to identify and limit the risk associated with vulnerabilities in the Products. However, if you, as end user, partner, vendor, industry group or independent researcher, identify a vulnerability in the Products, we encourage you to report the problem immediately via the reporting form below. Timely reporting of vulnerabilities is critical to reducing the likelihood that they can be exploited in practice.
We accept information only for undisclosed vulnerabilities in the Products.
Vulnerabilities related to open source software components should be addressed directly to the responsible entity. We may assess the open source software vulnerability to its relevance in the context of how we recommend deploying the Products.
We expect reporters agree with us on a disclosure process and a disclosure date.
The reporter can expect an acknowledgement of receipt from us within 3 business days after receiving the initial submission.
3. Out of Scope Vulnerability Information
We do not accept the reporting of the following vulnerabilities:
- Volumetric/Denial of Service vulnerabilities (i.e. simply overwhelming our service with a high volume of requests)
- TLS configuration weaknesses (e.g. "weak" cipher suite support, TLS1.0 support, sweet32, BEAST etc.)
- Issues surrounding the verification of email addresses used to create user accounts
- "Self" XSS
- CSRF and CRLF attacks where the resulting impact is minimum
- HTTP Host Header XSS without working proof-of-concept
- Incomplete/Missing SPF/DMARC/DKIM
- Social Engineering attacks
- Security Bugs in third party websites that integrate with the Products
- Network data enumeration techniques (e.g. banner grabbing, existence of publicly available server diagnostic pages)
- Reports indicating that the Products do not fully align with "best practices"
4. Bug Bounty Program
We do not conduct a bug bounty program. Accordingly, please acknowledge that there is no expectation of payment or compensation, and that any future right to claim related to the submitted report is waived.
5. How we Handle Vulnerability Information
Reported vulnerability information for the relevant Products will be confirmed by our technical team, after which we will provide feedback to the reporter.
6. Measures to Vulnerabilities
If we determine that the submitted report describes new vulnerability, we will implement countermeasures and/or present workarounds, which we determine to be appropriate.
In addition, when deemed necessary, we will publish security advisory on the website below as soon as we are able to disclose information in order to enable our customers/partners to take appropriate measures.
A security advisory is typically provided only for Canon-specific vulnerabilities.
We also provide recommendations on how to reduce security risks related to the Products in the form of Canon Hardening Guides.
7. License to Reported Vulnerabilities
We are not claiming any ownership rights to the reported vulnerability information, including any data, text, material, program code, suggestion and recommendation from a reporter (collectively “Reported Vulnerabilities”). However, by providing any Reported Vulnerabilities to us, please agree with the followings:
- The reporter grants us the following non-exclusive, irrevocable, perpetual, royalty-free, worldwide, sub-licensable license to the intellectual property in the Reported Vulnerabilities:
(i) to use, review, assess, test, and otherwise analyze the Reported Vulnerabilities; and (ii) to reproduce, modify, distribute, display and perform publicly, and commercialize and create derivative works of the Reported Vulnerabilities and all its content, in whole or in part, for the purpose of fixing the Reported Vulnerabilities, improving the Products and marketing, sale and promotion of such improved Products;
- The reporter agrees to sign any documentation that may be required for us or our designees to confirm the rights the reporter granted above;
- The reporter understands and acknowledges that we may have developed or commissioned materials similar or identical to the Reported Vulnerabilities, and the reporter waives any claims it may have resulting from any similarities to the Reported Vulnerabilities;
- The reporter understands that it is not guaranteed any compensation or credit for our use of the Reported Vulnerabilities; and
- The reporter represents and warrants that the Reported Vulnerabilities is its own work, that the reporter hasn't used information owned by another person or entity, and that the reporter has the legal right to provide the Reported Vulnerabilities to us.