Vulnerability Disclosure Policy
At Canon Production Printing, we take the security of our IT systems seriously and value the privacy of our customers and stakeholders. We appreciate the contributions of security researchers who support us in improving the security of our IT systems and products. This policy explains the rules and procedures for conducting vulnerability research on our IT systems and reporting potential vulnerabilities to the CPP Information Security team.
This policy applies to the IT services delivered as part of the Canon Production Printing website.
If you detect vulnerabilities related to CPP products, report them via the CPP vulnerability disclosure policy for products: https://cpp.canon/products-technologies/security/vulnerability-disclosure-policy/
When you follow our vulnerability disclosure policy in good faith, we deem your research authorized. We will collaborate with you to understand and rectify any issues quickly, and we will not initiate legal action against you or support any legal action taken by a third party against you with respect to your research. Please understand, however, that we cannot guarantee that you will not face prosecution for committing an offense while investigating a weakness.
Our policy is based on the guidelines for reporting weaknesses in IT systems of the National Cyber Security Centre of the Ministry of Security and Justice in the Netherlands.
The Canon Production Printing Information Security team is committed to protecting our IT systems by maintaining and improving the security of such systems and their processes. As part of this commitment, we invite security researchers to help protect such systems of Canon Production Printing by proactively reporting security vulnerabilities and weaknesses.
When you find a weakness or vulnerability in one of our IT systems, please act with extreme care and caution and only use the necessary methods or techniques to find or demonstrate the weaknesses.
When conducting security research on our IT systems, please adhere to the following guidelines:
- Do not use social engineering to gain access to a system.
- Do not alter the system in any way.
- Only infiltrate a system if necessary. If you manage to enter a system, do not share access with others.
- Do not attempt to access, modify, or delete any data that does not belong to you or disrupt the usual functioning or availability of our IT systems. If you need to copy information for your investigation, never copy more than you need. If one record is sufficient, do not go any further.
- Do not use weaknesses you discover for purposes other than your investigation. Refrain from exploiting any vulnerabilities for malicious purposes, such as data theft, malware deployment, or causing damage to our clientele or stakeholders.
- Do not install any back doors – not even to demonstrate the vulnerability of a system. Back doors will weaken the system’s security.
- Refrain from using automated tools or techniques that may cause excessive traffic or lead to denial-of-service conditions (e.g., brute-force techniques such as repeatedly entering passwords, or Denial of Service (DoS) attacks used to gain access to systems).
- Do not disclose any vulnerability details or proof-of-concept code to anyone other than us, until we have fixed the issue and given you permission to do so.
- Respect the privacy and rights of our customers and stakeholders and comply with all applicable laws and regulations.
Reporting System Vulnerabilities
When you find weaknesses or vulnerabilities in our IT systems, please report them promptly via email: email@example.com, following these guidelines:
- Please provide your IP address in the email. We will keep it confidential and use it only to correlate your testing activity with our logs.
- Please include the following information in your email:
  - The name and version of the IT system affected by the vulnerability.
  - A description of the vulnerability or weakness you found and its impact.
  - Step-by-step instructions to reproduce the vulnerability or weakness.
  - The approach you undertook.
  - The entire URL.
  - The objects (such as filters or entry fields) possibly involved.
  - Screen prints, proof-of-concept code or video recordings are highly appreciated.
- Canon Production Printing Security specialists will review your email. We do not accept automated software scanner output.
- Examples of weaknesses or vulnerabilities are:
  - Cross-Site Scripting vulnerabilities (e.g., stored, reflected).
  - SQL Injection vulnerabilities.
  - Encryption weaknesses.
  - Remote Code Execution.
  - Use of broken algorithms.
  - URL redirection to untrusted sites.
  - Authentication Bypass, Unauthorized data access.
  - XML External Entity.
  - S3 Bucket Upload.
  - Weak Passwords.
  - Server-Side Request Forgery.
What we do not accept
- “Self” XSS (Self cross-site scripting).
- HTTP Host Header XSS without working proof-of-concept.
- Incomplete/Missing SPF/DKIM.
- Social Engineering attacks.
- Denial of Service attacks.
- Security bugs in third-party websites that integrate with Canon.
- Insecure Cookies on www.cpp.canon.
We appreciate your support in improving the security and quality of our IT systems. Canon Production Printing information security experts will investigate your email and contact you within five working days. Once the issue is resolved, we will notify you and inform you of our disclosure policy. We may ask you for additional information or assistance during our investigation.
We will use the personal details in your email only to act on your report. We ask that you keep all information about a vulnerability you reported to us confidential until we have resolved the issue and given you permission to disclose it. Unless otherwise agreed, your identity and contact information will remain confidential. We may share your report with other affected parties or vendors for coordination purposes, but we will notify you before doing so.
Frequently asked questions
Will I receive a reward for my investigation?
No, you are not entitled to any compensation.
Am I allowed to publicize the weaknesses I find and my investigation?
Never publicize weaknesses in Canon Production Printing IT systems or your investigation without consulting us first via the email: firstname.lastname@example.org. Together we can prevent criminals from abusing your information. Consult with our Canon Production Printing Information Security team, and we can work together toward publication.
Can I report a weakness anonymously?
Yes, you can. You do not have to mention your name and contact details when you report a weakness or vulnerability. Please realize, however, that we then cannot consult with you about follow-up measures, e.g., what we do about your report or any further collaboration.
What shouldn’t I use this email address for?
The email email@example.com is not intended for the following:
- To submit complaints about Canon Production Printing products or services.
- To submit questions or complaints about the availability of Canon Production Printing websites.
- To report fraud or suspicion of fraud.
- To report phony emails or phishing emails.
- To report viruses.
If you want to report a Canon Production Printing product vulnerability or weakness, go to this page:
Domains in scope
This is the list of domains that are included as part of the Canon Production Printing Vulnerability Disclosure Policy.