Welcome to Teradici's Vulnerability Disclosure and Bug Bounty Program!

No technology is perfect, and Teradici believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

Disclosure Policy

• We ask the security research community to give us a reasonable opportunity to correct a vulnerability before publicly disclosing it. Please submit a detailed description of the issue and the steps required to reproduce what you have observed. In doing so, please make every attempt possible to protect our customers' privacy, data confidentiality, and integrity - we very much value your assistance in preserving those. Please understand that we cannot work with anyone who violates applicable laws or regulations, attempts to exploit a security issue, or access other users' data - in other words, violate this policy.

• Our customers' privacy, data confidentiality, and integrity are crucial at Teradici. You agree that you will not disclose vulnerability information reported to Teradici to any other third party until granted permission to do so from Teradici. We endeavor to grant such permission within two to four weeks from the release of the fix that addresses the discovered vulnerability.

• Follow HackerOne's disclosure guidelines.

• See Teradici's Full Responsible Disclosure Policy.

Rewards

Currently, Teradici does not award bounties. However, a reported critical vulnerability may be paid out at Teradici's discretion, depending on the budget at hand, as a display of sincere thanks.

Program Rules

• Bounties are issued solely at the discretion of Teradici.

• Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

• You must disclose all possible ways to exploit an issue in your original report. Teradici will not issue a bounty, follow-on bounty, or bonus if we believe you are abusing the report system by not providing complete information in your initial report.

• Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. This usually requires a working proof-of-concept typically in the form of a clickable link that we can verify. Videos or screenshots are not considered definitive proof.

• Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

• When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).

• Social engineering (e.g. phishing, vishing, smishing) is prohibited.

• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.

Out of scope

When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:

• All *.teradici.com domains

• Denial of service attacks

• Password cracking attempts, including but not limited to: brute-forcing, rainbow attacks, word list substitution, pattern checking

• Clickjacking on pages with no sensitive actions

• Attacks requiring takeover of the email or social account authenticating the victim account.

• Tab-nabbing on non-user provided links (reports accepted, but not bounty eligible)

• Unauthenticated/logout/login CSRF

• Attacks requiring MITM or physical access to a user's device

• Previously known vulnerable libraries without a working Proof of Concept

• Comma Separated Values (CSV) injection without demonstrating a vulnerability

• Missing best practices in SSL/TLS configuration.

• Social engineering attacks (including phishing, vishing, smishing)

• Software version disclosure

• Issues requiring direct physical access to hardware (with the exception of hardware vulnerabilities)

• Flaws affecting out-of-date browsers and plugins

• Email enumeration / account oracles

• CSP Policy Weaknesses

• Email Spoofing

• Spamming

• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS

• Installer-based DLL or EXE side-load attacks must involve a privilege escalation and be functional without requiring repackaging inside of a container format (such as zip or 7z). If they don't meet this requirement, reports will be closed as informative.

• Teradici internal IT infrastructure

• Any physical attempts against Teradici property or data centers

• Other Teradici or partner products that is not in scope. For example, VMware View Horizon, Amazon Workspace, etc are out of scope.

Legal Posture

Teradici will not engage in legal action against individuals who submit vulnerability reports through our Vulnerability Reporting Form, email, or via our Bug Bounty program on HackerOne. We openly accept reports for the currently listed Teradici products. We agree not to pursue legal action against individuals who:

• Engage in the testing of systems/research without harming Teradici or its customers.

• Engage in vulnerability testing within the scope of our vulnerability disclosure program and avoid testing against teradici.com and its subdomains.

• Test on products without affecting customers, or receive permission/consent from customers before engaging in vulnerability testing against their devices/software, etc.

• Adhere to the laws of their location and the location of Teradici. For example, violating laws that would only result in a claim by Teradici (and not a criminal claim) may be acceptable as Teradici is authorizing the activity (reverse engineering or circumventing protective measures) to improve its system.

• Refrain from disclosing vulnerability details to the public before a mutually agreed-upon time frame expires.

Software Version

• To qualify as a valid vulnerability, it must exist in the latest version that is publicly available on our website.