Our dedicated security team is committed to protecting customer information.
We value the essential contributions made by security researchers and our community in safeguarding Cato Networks and our customers.
If you find a vulnerability in our product or website, please report it to us according to the guidelines outlined below.
Before submitting a report, please make sure to follow our Scope and Rules of Engagement (ROE) below.
Please adhere to the following guidelines:
• Share comprehensive details about the security issue, including how to replicate it and information about the system used for testing.
• Please wait for our notification that the vulnerability has been fixed before sharing it with others (social media, conference talks or forums).
• We prioritize our customers' security; however, fixing vulnerabilities may require more time due to the involvement of various teams, depending on the nature and exploitability of the vulnerability.
• If you intend to discuss this at a conference, please notify us about the date as early as possible.
We ask you not to:
• Cause potential or actual harm to Cato Networks' users, systems, or applications.
• Utilize exploits to access or alter unauthorized data.
• Perform tests that could disrupt services, such as DoS attacks, or actions that compromise the confidentiality, integrity, or availability of information and systems.
• Seek financial rewards for reporting security issues, either directly from Cato Networks or through any external vulnerability marketplaces.
• Engage in social engineering or phishing attempts against our customers or employees.
• Ask for compensation for the discovery of vulnerabilities or for the time and resources spent identifying them.
The following issues are out of scope:
• Issues only present in old browsers/plugins or end-of-life software
• Security header related issues
• TLS/SSL related issues
• Phishing or social engineering of Cato Networks employees, users, or clients
• Systems or issues that relate to third-party technology used by Cato Networks
• Disclosure of known public files and other information disclosures that aren't a material risk (e.g., robots.txt)
• Any attack or vulnerability that hinges on a user's computer first being compromised
• Use of a tool that generates a significant volume of traffic
• Any hypothetical flaw or best-practice finding without an exploitable POC
• Session timeout
• Session hijacking (cookie reuse)
• Click-jacking
• DKIM/SPF/DMARC issues
• Compromise of Cato users' or employees' accounts
• Denial of Service and brute-forcing attacks
• Information leakage, data cached in search engines or the web archive
• Software version disclosure