Dolby takes security vulnerabilities and concerns seriously. We encourage the community to report possible vulnerabilities and incidents privately and responsibly.
The following outlines how Dolby handles potential vulnerability disclosure as well as what to expect when a disclosure is made.
Our goal is to address reported, legitimate issues as quickly and as efficiently as possible, however disclosed issues handling may not be as easy and straightforward as one may think. While some issues can be analyzed and resolved quickly, others may be more complex or have a broader impact that requires more careful work behind the scenes.
Responsible Disclosure Process
Throughout the reporting process, we will strive to keep all information confidential and to work with the disclosing entity to make sure we understand the issue and address it properly.
We ask that:
- You act in good faith and identify bona fide issues.
- You don’t attempt to compromise accounts or data.
- You don’t attempt to interrupt or degrade our services or impact the stability of the platform (i.e. Denial of Service attacks, etc.)
- Issues be disclosed to us privately, and we should be given reasonable time to respond.
- You don’t disclose any information publicly until we have been able to understand any impact and mitigate any potential risk.
When issues are reported to us, we strive to acknowledge the report as soon as we can and investigate the issue promptly.
Please provide the following information, if possible:
- Exact reproduction steps, in text format only!
- URL and parameters demonstrating the vulnerability (if applicable).
- Any relevant details of your system’s configuration.
- Your IP address and Dolby account, to match with our logs.
- Please do not send any executable attachments.
If you need to share sensitive information, please contact us and we will coordinate an encrypted transfer.
Below is a non-exhaustive list of examples that are not considered valid issues:
- User or account enumeration.
- Best practices configurations / policies (i.e. DMARC, SPF Records, etc.)
- A POC that is dependent on executing a man-in-the-middle (MITM) attack.
- Email spoofing.
- Clickjacking or similar techniques.
Please note, these are just a few common examples. Dolby keeps the right to determine what is considered a valid submission and the bounty if any.
Thank you for responsibly disclosing vulnerabilities and concerns, we respect the security-researchers community and the appreciate the efforts to disclose responsibly.