Security issues report

    Our dedicated security team is committed to protecting customer information.

    We value the essential contributions made by security researchers and our community in safeguarding Cato Networks and our customers.

    If you find a vulnerability in our product or website, please report it to us according to the guidelines outlined below.

    Before submitting a report, please make sure to follow our Scope and Rules of Engagement (ROE) below.

    Engagement Rules:

    Please adhere to the following guidelines:

    • Share comprehensive details about the security issue, including how to reproduce it and information about the system used for testing.
    • Please wait for our notification that the vulnerability has been fixed before sharing it with others (social media, conference talks or forums).
    • We prioritize our customers’ security; however, fixing vulnerabilities may require more time due to the involvement of various teams, depending on the nature and exploitability of the vulnerability.
    • If you intend to discuss this at a conference, please notify us of the date as early as possible.


    We ask you not to:

    • Cause potential or actual harm to Cato Networks’ users, systems, or applications.
    • Utilize exploits to access or alter unauthorized data.
    • Perform tests that could disrupt services, such as DoS attacks, or actions that compromise the confidentiality, integrity, or availability of information and systems.
    • Seek financial rewards for reporting security issues, either directly from Cato Networks or through any external vulnerability marketplaces.
    • Engage in social engineering or phishing attempts against our customers or employees.
    • Ask for compensation for the discovery of vulnerabilities or for the time and resources spent identifying them.

    Out of scope vulnerabilities:

    • Issues only present in old or end-of-life browsers/plugins or other end-of-life software
    • Issues related to missing or misconfigured security headers
    • TLS/SSL-related issues
    • Phishing or social engineering of Cato Networks employees, users, or clients
    • Systems or issues that relate to third-party technology used by Cato Networks
    • Disclosure of known public files and other information disclosures that aren’t a material risk (e.g., robots.txt)
    • Any attack or vulnerability that hinges on a user’s computer first being compromised
    • Use of a tool that generates a significant volume of traffic
    • Any hypothetical flaw or best-practice recommendation without an exploitable proof of concept (PoC)
    • Session timeout
    • Session Hijacking (cookie reuse)
    • Click-jacking
    • DKIM/SPF/DMARC issues
    • Compromise of Cato Networks user or employee accounts
    • Denial of Service and brute-force attacks
    • Information leakage from data cached in search engines or the web archive
    • Software version disclosure

    *This form is not designed for requests for technical support or suggestions for feature improvements.