HackerOne Vulnerability Disclosure Program

Overview

We value the contributions of security researchers and ethical hackers in helping us maintain a secure environment. This program outlines the process for submitting vulnerabilities, our commitment to protecting the security of our users, and the guidelines for safe and ethical reporting. CommScope aims to enhance the security of our products and services through collaboration with the security community, promote responsible disclosure by providing a clear reporting framework, and protect participants by establishing a safe environment for reporting vulnerabilities without fear of legal repercussions, provided they adhere to our guidelines.

Scope

The following outlines the assets, systems, and technologies that are in scope for vulnerability testing in our bounty program. Submissions outside of this scope may not qualify for rewards or recognition.

  • Any public-facing system owned, operated, or controlled by CommScope, including web applications hosted on those sites.
  • Any RUCKUS device or product.

Guidelines

Certain types of vulnerabilities and techniques are not eligible for rewards or recognition under our bounty program. These include but are not limited to the following:

  • Denial-of-service attacks or any activities that could lead to denial-of-service attacks.
  • Issues without clearly identified security impact (such as clickjacking on a static website, missing security headers, certificate issues, or descriptive error messages).
  • SSL/TLS Vulnerabilities without a clear security impact
  • Missing best practices, information disclosures, use of known-vulnerable libraries or applications and services (without substantive information indicating exploitability).
  • Self-exploitation (e.g., cookie reuse).
  • Banner Exposure / Version Disclosure.
  • Testing that requires mass creation of accounts, credential stuffing, account spraying, etc.
  • Issues related to brute-force protections or rate-limiting mechanisms without a clear and exploitable impact.
  • Testing that requires social engineering, including spear phishing of CommScope personnel.
  • Vulnerabilities disclosed without a working proof-of-concept or clear reproducible steps.
  • Do not attempt to gain physical access to any of our offices or data centers.
  • No backdoors, rootkits, RATs, or any other mechanism to set up persistence.
  • If at any point you are uncertain whether to continue testing, please engage with the HackerOne team at [email protected].

How to Submit a Report

To help streamline our intake process, we ask that submissions include:

  • Type of issue
  • Product
  • Vulnerable Version
  • Configuration of software containing the bug
  • Proof-of-concept (step-by-step instructions to reproduce the issue and, if applicable, to remediate it)
  • Impact of the issue

Legal Notice

You must comply with CommScope’s terms of use, security industry best practices, and all applicable Federal, State, and local laws in connection with your security research activities or other participation in this vulnerability disclosure program. You agree that any and all information acquired or accessed as part of this exercise is confidential to CommScope, shall be accessed for the limited purpose of vulnerability identification, and you shall hold all such information in strict confidence and shall not copy, reproduce, retain, sell, assign, license, market, transfer or otherwise dispose of, give, or disclose such information to third parties or use such information for any purposes other than for the performance of your work or expressly authorized in writing by CommScope.

CommScope does not authorize, permit, or otherwise allow (expressly or impliedly) any person, including any individual, group of individuals, consortium, partnership, or any other business or legal entity to engage in any security research or vulnerability or threat disclosure activity that is inconsistent with this policy or the law. If you engage in any activities that are inconsistent with this policy or the law, you may be subject to criminal and/or civil liabilities.

By submitting a report to CommScope, you grant to CommScope Inc., its subsidiaries and its affiliates, a perpetual, irrevocable, no charge license to all intellectual property rights licensable by you in or related to the use of information or material submitted. You must notify us if any part of your report is not your own work or is the intellectual property of a third party.

CommScope may modify the terms of this policy or terminate the policy at any time.
