Introduction
Dolby takes security vulnerabilities and concerns seriously. We encourage the community to report possible vulnerabilities and incidents privately and responsibly.
The following outlines how Dolby handles potential vulnerability disclosure as well as what to expect when a disclosure is made.
Our goal is to address reported, legitimate issues as quickly and as efficiently as possible; however, handling a disclosed issue may not be as easy and straightforward as one might think. While some issues can be analyzed and resolved quickly, others may be more complex or have a broader impact that requires more careful work behind the scenes.
Security Researchers
Dolby accepts vulnerability reports from all sources such as independent security researchers, industry partners, vendors, customers and consultants. Dolby defines a security vulnerability as an unintended weakness or exposure that could be used to compromise the integrity, availability or confidentiality of our products and services.
Scope
This policy applies to any digital assets owned, operated, or maintained by Dolby, including public facing websites.
Responsible Disclosure Process
Throughout the reporting process, we will strive to keep all information confidential and to work with the disclosing entity to make sure we understand the issue and address it properly.
We ask that:
- You act in good faith and identify bona fide issues.
- You don’t attempt to compromise accounts or data.
- You don’t attempt to interrupt or degrade our services or impact the stability of the platform (e.g. Denial of Service attacks).
- Issues be disclosed to us privately, and we should be given reasonable time to respond.
- You don’t disclose any information publicly until we have been able to understand any impact and mitigate any potential risk.
When issues are reported to us, we strive to acknowledge the report as soon as we can and investigate the issue promptly.
Exclusions
Below is a non-exhaustive list of examples that are not considered valid issues:
- User or account enumeration.
- Best-practice configurations / policies (e.g. DMARC, SPF records).
- A POC that is dependent on executing a man-in-the-middle (MITM) attack.
- Email spoofing.
- Clickjacking or similar techniques.
Please note that these are just a few common examples. Dolby reserves the right to determine what is considered a valid submission.
At this time, Dolby doesn’t operate a public bug bounty program and therefore doesn’t offer monetary rewards.
Reporting
Dolby recommends that security researchers share the details of any suspected vulnerabilities across any asset owned, controlled, or operated by Dolby (or that would reasonably impact the security of Dolby and our users) using the form below.
Please provide the following information, if possible:
- Exact reproduction steps, in text format only!
- URL and parameters demonstrating the vulnerability (if applicable).
- Any relevant details of your system’s configuration.
- Your IP address and Dolby account, to match with our logs.
- Please do not send any executable attachments.
Thank you
Thank you for responsibly disclosing vulnerabilities and concerns. We respect the security research community and appreciate its efforts to disclose responsibly.