BUG SUBMISSION PROGRAM GUIDELINES
Security Hall of Fame - Requirements and Guidelines
Your participation in Motorola Solutions Bug Submission Program is voluntary and you must first meet the following requirements to potentially qualify for the “Security Hall of Fame”. The Security Hall of Fame is where publicly recognize the efforts of security researchers to contribute to the security of Motorola Solutions services and domains.
The Program is offered at the discretion of Motorola Solutions and Motorola Solutions has the right to terminate or modify the Program rules, procedures, benefits or conditions of participation, in whole or in part, at any time, with or without notice.
Failure to follow these guidelines will result in immediate disqualification from the Bug Submission Program.
Adhere to our Responsible Disclosure Policy.
Adhere to our Responsible Disclosure Terms and Conditions.
Do not use automated scanners to scan the application.
Do not engage in testing that would negatively impact Motorola Solutions applications or customers.
Do not publicly disclose your findings in any way without Motorola Solutions prior written approval.
Understand the assessment of the risk, it’s impact, severity, and other factors are at Motorola Solutions security team’s discretion.
Submitting a Security Vulnerability
A security vulnerability is a condition in a system or a device that can be exploited to violate its intended behavior, relative to confidentiality, integrity or availability.
For independent researchers: You may submit a security vulnerability by email or phone:
For Motorola customers: Please provide vulnerability inputs through your normal service support process as this program is NOT for our customers. This will reduce the time is takes to reach the proper team.
For Motorola Solutions employees: Please provide vulnerability inputs through the proper internal channels.
To help us better address your discovery, please include the following information:
Contact Information: Your name, telephone number and email address
Application / Product Impacted: Model number and software version, if available
Vulnerability: Provide a brief description of the vulnerability
Full Description: Provide a full description of the vulnerability including exploit and impact
Documentation: Identify steps required to reproduce the vulnerability and may include videos, screenshots, PoC
IDs Used for Testing: Email ID, User ID , Account ID
IP Address Used for Testing: Include address and any tools
Disclosure Details: Confirm you have not disclosed your findings to anyone other than Motorola Solutions. If not true, to whom were details disclosed to?
Expectations After Submission
Please allow up to five business days for an acknowledgment of your submission. This time will allow us to be sure your submission is forwarded to the our Security team for review. If, for any reason, you do not receive an acknowledgment, please contact us again to ensure your submission was received.
What’s in Scope?
Any Motorola Solutions services and product domains
Certain vulnerabilities are considered out of scope and may not qualify for our “Security Hall of Fame”. Known excluded vulnerabilities include:
Social Engineering techniques or Spam
Denial of Service (DOS)
Content spoofing without embedded links / HTML
Vulnerabilities which require jailbroken mobile device or outdated web browsers
Infrastructure vulnerabilities, including:
Certificates/TLS/SSL related issues
DNS issues (e.g., MX records, SPF records)
Server configuration issues (e.g., Open ports, TLS)
Bug Bounty Recognition Rewards Terms
We will review and recognize submitted reports on a case by case basis for any researcher that contacts Motorola Solutions regarding vulnerabilities within our services and product domains. In aligning to our commitment to partnering with you, you may be eligible to receive a monetary reward, “bounty,” or other non-financial recognition if:
You are the first person to submit a site or product vulnerability AND
That vulnerability is determined to be a valid security issue by Motorola Solutions security team AND
You have complied with Motorola Solutions Responsible Disclosure Policy and Security Hall of Fame Requirements and Guidelines.
Bug Bounty Payments
Under no circumstances is Motorola Solutions obligated to pay researchers a bounty for any submission.
Bug bounty payments, are determined by the sole discretion of Motorola Solutions.
Motorola Solutions determines all bounty payouts based on the risk and impact of the vulnerability.
All bounty payments are considered gratuitous.
The format and timing of all bounty payments are determined at Motorola Solutions sole discretion.
As determined by the laws of your jurisdiction, residence or citizenship, you are responsible for any tax implications related to any bounty payments you receive.
Motorola Solutions customers and employees are exempt from Bug Bounty Payments.