We take all feedback on our systems seriously and remain committed to continuous improvement.

The feedback we get from security researchers is appreciated as it helps us safeguard our services and continue to provide a world class experience for everyone who uses our products.

Like all good technology companies we have a clear, formal and robust process for the reporting of bugs and issues. We have a schedule of improvement updates that we release throughout the year.

We operate a policy of responsible disclosure for reporting security vulnerabilities. However, we do not offer a rewards program for the disclosure of security research.

Paxton does not intend to engage in legal action against individuals who:

• Engage in testing of systems/research without harming anyone
• Test on products without affecting customers or receive consent from customers before engaging in vulnerability testing against their devices or software
• Adhere to the applicable laws and comply with all applicable software license requirements
• Perform coordinated disclosure, i.e. refrain from disclosing vulnerability details to the public before a mutually agreed-upon timeframe expires
• Avoid impact to the safety or privacy of anyone

This policy is designed to be compatible with common vulnerability disclosure good practice. It does not give you permission to act in any manner that is inconsistent with the law, or which might cause Paxton or any partner organizations to be in breach of any legal obligations. If you have any existing contractual relationship with Paxton (whether as an employee or as an external contractor or supplier) then this policy supplements any terms and conditions governing that relationship. In the event of any conflict or inconsistency between this policy and the terms and conditions governing your existing contractual relationship, those terms and conditions will prevail.

Reporting an issue
To report a security vulnerability affecting a Paxton product, please contact us at security@paxton-access.com.

In order to obtain the most value from this program, for both Paxton and the participating security researcher, we require disclosures which include:

• Reports that are well written and submitted in English where possible
• Reports that include proof of concept code that permit Paxton to better triage the issue
• Reports that include details of how the vulnerability was identified, steps to reproduce, a suggested impact rating, and any potential remediations you might suggest
• Reports that are more than just output from automated testing tools, and scans
• Reports that include any intentions or timelines for public disclosure

If you follow these guidelines, you can expect the following from Paxton:

• A timely response to your initial disclosure, typically within 5 working days
• Open dialog which includes planned remediation timelines where a remediation is necessary
• Report of any issues or challenges that may delay resolution
• Notification when final remediation has occurred

What we do not allow
We don’t allow any activity that might interfere with customers using our services or any activity that might result in the modification, deletion or unauthorized disclosure of our intellectual property or personal customer data.

With that in mind, these are some of the specific things we don’t allow:

• Public disclosure of personal, proprietary or financial information
• The modification or deletion of data that isn’t yours
• Interruption, degradation or outage to services (like Denial of Service attacks)
• Spamming/social engineering/phishing attacks
• Physical exploits/attacks on our infrastructure
• Local network-based attacks such as DNS poisoning or ARP spoofing

If you have any questions, please email us at security@paxton-access.com or call our Customer Support team on 877.438.7298