Product Vulnerability Report

    Our dedicated application security team is committed to protecting our customers' information.

    We value the essential contributions made by security researchers and our community in safeguarding Cato Networks and our customers.

    If you find a vulnerability in our product or website, please review our engagement rules and the list of out-of-scope vulnerabilities below before submitting a report.

    Cato Networks is a CVE Numbering Authority (CNA).
    Our CVE assignment scope includes all Cato Networks products and vulnerabilities discovered in any third-party product not covered by another CNA.
    We adhere to the CNA Operational Rules to identify, define, catalog, and share information about our disclosed vulnerabilities using CVE IDs and CVE Records.

    Engagement Rules:

    Please adhere to the following guidelines:

    • Provide full reproduction details

      • Describe the vulnerability clearly, including step-by-step replication instructions and the exact test environment used.

    • Coordinate disclosure timing

      • Do not share details publicly (social media, conference talks, forums) until you receive our confirmation that the issue has been remediated.

    • Allow for thorough remediation

      • Understand that fixes may take additional time, as multiple teams (engineering, product, operations) might be involved depending on the nature and exploitability of the vulnerability.

    • Notify us of planned presentations

      • If you plan to discuss this vulnerability at a conference, please inform us of the event date as early as possible.


    We ask you not to:

    • Cause harm to Cato Networks’ users, systems, or applications.

    • Utilize exploits to access or alter data without proper authorization.

    • Perform disruptive tests, such as denial-of-service attacks or any actions that compromise confidentiality, integrity, or availability.

    • Seek financial rewards for reporting issues—either from Cato Networks or through external bug-bounty marketplaces.

    • Engage in social engineering or phishing against our customers or employees.

    • Request compensation for discovering vulnerabilities or for time and resources spent identifying them.

    Out of scope vulnerabilities:

    • Legacy or End-of-Life Software

      • Vulnerabilities that only affect outdated browsers, plugins, or end-of-life software versions.

    • Configuration-Only and Transport-Layer Issues

      • Missing or misconfigured security headers (e.g., HSTS, CSP).

      • Missing security-related DNS records.

      • TLS/SSL deployment weaknesses (e.g., weak ciphers, outdated protocols).

    • Email and Messaging Authentication

      • DKIM, SPF, or DMARC misconfigurations.

    • Social Engineering and Account Compromise

      • Phishing or social-engineering attacks targeting Cato Networks employees, users, or clients.

      • Compromise of user or employee accounts (credential theft, password reuse).

    • Third-Party and Publicly Disclosed Content

      • Issues arising solely from third-party components, services, or hosted infrastructure.

      • Disclosure of publicly accessible files or data (e.g., robots.txt, archived pages) that pose no material risk.

    • User-Dependent or Pre-Compromised Scenarios

      • Any attack that requires the victim’s machine to be already compromised.

      • Hypothetical flaws or best-practice recommendations without a working proof-of-concept exploit.

    • Traffic-Volume and Denial-of-Service

      • Use of tools or techniques that generate large volumes of traffic without a demonstrated service impact.

      • Denial-of-Service or brute-force attacks.

    • Session Management Edge Cases

      • Session time-outs or idle-timeout configurations.

      • Session hijacking via cookie reuse (outside of flaws in application logic).

    • Clickjacking and Cross-Frame Scripting

      • UI framing attacks (clickjacking/XFS) when protections (e.g., X-Frame-Options) are implemented per spec.

    • Information Disclosure of Non-Critical Details

      • Version banners, build identifiers, or other metadata that do not enable an immediate, exploitable attack.

      • Data cached by search engines or web archives (e.g., Wayback Machine).

    *This form is not intended for technical support requests or feature suggestions.