Security: Responsible Disclosure Policy

At Videotron, we take security very seriously and make sure to protect our customers and the public. We understand that security communications and research help identify cybersecurity vulnerabilities and issues. Therefore, we encourage research groups and individuals to report vulnerabilities to our team responsibly.

Scope

Our program aims to encompass all the technologies, products, and services provided by Videotron. All the parameters of these services and apps fall within our scope of application. If you are unsure whether something is owned or maintained by Videotron, please let us know and we will do our best to determine if we can assist. No account or identifying information will be provided for testing purposes.

Out of Scope

As we are an Internet Service Provider, technologies hosted by our Residential or Business customers are considered out of scope. These can typically be identified by the FQDN format below:

  • modemcable.videotron.ca

Additionally, any vulnerabilities regarding these brands and entities would also be considered out of scope:

  • All other Quebecor subsidiaries (e.g., Groupe TVA, QMI Agency, QUB, etc.)
  • Vidéotron le superclub
  • Fibrenoire
  • Fizz

Lastly, the following types of vulnerability do not concern us:

  • Email spoofing issues (e.g., SPF, DKIM, DMARC)
  • Automated scan reports or search engine results (e.g., Shodan) without a valid proof of concept
  • Issues related to SSL certificates or TLS configurations
  • Secure or HttpOnly flags not set on cookies
  • Outdated software with no proof of exploitability
  • Physical tampering with our hardware devices
  • Social engineering of our call centre agents
  • Load Testing (DoS, DDoS, wireless jamming, etc.)

Program Rules

To encourage vulnerability research and to avoid any confusion between legitimate research and a malicious attack, we ask that you attempt, in good faith, to:

  • Play by the rules. This includes following this policy, as well as any other referenced agreements.
  • Report any vulnerability you’ve discovered to us promptly.
  • Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience.
  • Use the official channels only to discuss vulnerability information with us.
  • Keep the details of any discovered vulnerabilities confidential until we have worked out a publication schedule, and until they are fixed, as per the Disclosure Policy.
  • Perform testing only on in-scope systems, and respect systems and activities which are out of scope.
  • If a vulnerability provides unintended access to data: limit the amount of data you access to the minimum required to effectively demonstrate a proof of concept, and cease testing and submit a report immediately if you encounter any user data during testing, including any proprietary information or data about an identifiable individual, such as financial data or personal information.
  • You should only interact with your test accounts or with accounts for which you have the account holder’s explicit written permission.
  • Do not engage in extortion.

How to Report

Videotron asks that researchers share the details of any suspected vulnerabilities via encrypted email:

Write to responsibledisclosure@videotron.com

Videotron will acknowledge receipt of each vulnerability report, conduct a thorough investigation, and then take appropriate action. At the least, please include the following information with your initial submission:

  • Vulnerability classification (Critical/High/Medium/Low)
  • Short description
  • Steps to reproduce (be as detailed as possible, include screenshots if applicable)
  • Asset/URL
  • Account name (if applicable)
  • Date and time of your testing
  • Preferred contact method (e.g., phone, email)

Safe Harbour

We consider vulnerability research that attempts, in good faith, to comply with this policy to be:

  • Authorized and consistent with sections 429(2) and 342.1 of the Criminal Code (and/or other applicable laws).
  • Authorized to the extent that it would not otherwise interfere with any rights granted to us under the Copyright Act [RSC 1985, c C-42] [including ss 3, 15 and 41 of that act], and carried out with our consent [as set out in sections 30.63 and 41.15].
  • Not causing us any material damage.
  • Exempt from any relevant restrictions in our Terms & Conditions, and we waive those restrictions where they are inconsistent with this policy.
  • Lawful, helpful to the overall security of the Internet, and conducted for our benefit.

This policy prevails over any other inconsistent term or agreement.

We will not initiate or support any legal action against you for any vulnerability research that is consistent with this policy, or for any accidental, good faith violations of this policy. If some of your vulnerability research falls outside of this policy (e.g., if some of your research impacts out-of-scope systems) this policy will continue to apply with respect to any of your activities that remain compliant with it.

This policy operates solely as a safe harbour from independent potential legal obligations or liabilities. Failure to comply with this policy will disqualify you from the safe harbour it establishes, but should not be read as creating legal obligations that would not otherwise exist or extending such obligations beyond their independent scope.

You are expected, as always, to comply with all applicable Canadian laws.

While we may change this policy from time to time, such changes will not be applied retrospectively, and the safe harbour outlined here is irrevocably extended to any vulnerability research that is carried out while this policy remains in effect.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our official channels before going any further.