1. Purpose
Canon EMEA (“we,” “our,” or “us”) will collect and disclose product vulnerability information to ensure the security of our products and services (“Products”) and to protect our customers from cyber threats. When vulnerabilities are discovered, Canon EMEA works diligently to resolve them. It ensures that our customers have a consistent, unambiguous resource to help them understand how Canon EMEA responds to events of this nature.
This Vulnerability Disclosure Procedure (VDP) provides guidelines for cybersecurity research to improve the security of our products and services. This VDP also instructs researchers on how to submit discovered vulnerabilities to the relevant team.
2. In Scope Vulnerability Information
The Canon EMEA Product Security Team is willing to be informed about demonstrated vulnerabilities and is committed to protecting Canon’s customers and employees. As part of this commitment, we invite security researchers to help protect Canon by proactively reporting security vulnerabilities and weaknesses.
As part of the Canon EMEA Vulnerability Disclosure Policy, the list of products and services manufactured or developed by the following organisations are included:
- Canon Europe Limited – The following comprises the VDP for all the products of Canon Europe Limited.
- Canon Production Printing Holding B.V. – The following comprises the VDP for all the products of Canon Production Printing.
- I.R.I.S S.A. – The following comprises the VDP for all the products of IRIS.
- NT-ware Systemprogrammierungs-GmbH – Please refer to the NT-Ware VDP.
- Therefore Corporation GmbH – The following comprises the VDP for all the products of Therefore.
If your reported security issue is not related to any of the in-scope products and services, we will route it to the relevant team.
3. Out of Scope Vulnerability Information
We do not accept the reporting of the following vulnerabilities:
- Volumetric/Denial of Service vulnerabilities (i.e., simply overwhelming our service with a high volume of requests).
- TLS configuration weaknesses (e.g., "weak" cipher suite support, TLS1.0 support, sweet32, BEAST, etc.).
- Issues surrounding the verification of email addresses used to create user accounts.
- "Self" XSS. Cross-site scripting issues should be exploitable in reflected, stored or DOM-based types.
- CSRF (Cross Site Request Forgery) and CRLF (Carriage Return and Line Feed) attacks where the resulting impact is minimum.
- HTTP Host Header XSS without working proof-of-concept.
- Incomplete/Missing SPF/DMARC/DKIM.
- Social Engineering/Phishing attacks.
- Security Bugs in third-party websites that integrate with the Products.
- Network data enumeration techniques (e.g., banner grabbing, existence of publicly available server diagnostic pages).
- Reports indicating that the Products do not fully align with "best practices".
- Automated software scanners output.
4. How to Report a Vulnerability
Individuals or organisations experiencing a product security issue are strongly encouraged to contact the Canon EMEA PSIRT. Canon EMEA welcomes reports from independent researchers, industry organisations, vendors, customers, and other sources concerned with products and services.
To contact the Canon EMEA PSIRT, use the following method to submit your report in English please:
- Web Form: You can report a vulnerability using the Report a Product Security Issue form.
- Email: You can report a vulnerability emailing product-security@canon-europe.com.
Please provide a detailed description of what you have discovered and any evidence you might have.
Please share the security issue with us before making it public on message boards, mailing lists, or other forums.
To receive credit, you must be the first to report a vulnerability, and you must specifically include the following in your report:
- Product name and model in which the vulnerability was discovered.
- Version of the product containing the vulnerability.
- Types of vulnerabilities (buffer overflow, remote code execution, etc.).
- Potential impact of vulnerability.
- Procedure for reproducing the vulnerability.
- Proof-of-concept code, attack code, and other similar details.
- Public references if there are any.
The Web Form is intended for vulnerability reporting only. Any business, technical or sales inquiries are not accepted. The product-security@canon-europe.com email address is intended ONLY to report security vulnerabilities specific to our products or services. For other technical support information on our products or services, please visit our Product Support website.
We kindly ask you to agree with us on a disclosure process and date that varies depending on the nature of the reported security issue.
5. What we do with a Vulnerability Report
Reported vulnerability information for the relevant Products will be confirmed by our technical team, after which we will provide feedback to the reporter.
Reports reaching us on Saturdays, Sundays, and national or company holidays will be acknowledged within three business days following the first business day. Please be advised that we may not respond to every report.
6. Your Privacy
We will only use your personal details to act based on your report. We will not share your personal details with others without your express permission. If you wish to read more about our How Canon handles your personal data, please visit the Canon Privacy Trust Centre.
7. Disclosure of Security Vulnerabilities
When a new security vulnerability gets reported or identified internally or externally, it will be handled by the Canon EMEA Product Security team according to this Canon EMEA VDP.
Canon EMEA adopts version 3.1 of the Common Vulnerability Scoring System (CVSS) as part of its standard process of evaluating reported potential vulnerabilities in our products and services.
Currently, the CVSS model uses three distinct measurements namely, base, temporal, and environmental calculations. We will evaluate the base vulnerability score. Customers are encouraged to compute the temporal and environmental scores based on their network parameters. The combination of all three scores should be considered the final score. Customers are advised to use this final score to prioritise a particular vulnerability in their own environments. Along with CVSS scores, Canon will include risk-based classification to categorise our vulnerabilities into critical, high, medium, low, and informational. Canon uses the following guidelines to determine the Canon EMEA Security Advisory type.
|
Type |
CVSS |
CVE (Common Vulnerability Enumeration) |
Publication |
|
Critical |
9.0 – 10.0 |
Yes |
Yes |
|
High |
7.0 – 8.9 |
Yes |
Yes |
|
Medium |
4.0 – 6.9 |
Yes |
Yes |
|
Low |
0.1 – 3.9 |
No |
No (Yes, only if required) |
|
Informational |
0.0 |
No |
No |
8. Bug Bounty Programme
We do not conduct a bug bounty programme. Accordingly, please acknowledge that there is no expectation of payment or compensation and that any future right to claim related to the submitted report is waived.
9. Frequently Asked Questions
Will I receive a reward for my investigation?
No, you are not entitled to any compensation.
Am I allowed to publicise the weaknesses I find and my investigation?
Never publicise weaknesses in Canon Products or your investigation without consulting us first via email: product-security@canon-europe.com.