Dassault Systèmes Vulnerability Reporting

Dassault Systèmes Responsible Vulnerability Disclosure Program

Dassault Systèmes considers vulnerability reporting to be an important part of our information security program and values the role of independent security researchers. Responsible reporting of potential security issues is taken seriously and follows our established vulnerability disclosure procedures. This page describes the approach used to address potential vulnerabilities in Dassault Systèmes products or services. 

Reporting Potential Vulnerabilities

Existing Dassault Systèmes customers are expected to use the support portal to report any issues for any product or service through https://www.3ds.com/support/. Security researchers willing to share suspected vulnerabilities privately may contact us directly through the Dassault Systèmes security team email address 3DS.Information-Security(at)3ds.com. To bring value to your report and assist our teams in evaluating the suspected vulnerabilities, each report would ideally include a detailed description, the perceived risk, the targeted scope and its level, a proof of concept (PoC) and any supporting materials.

Evaluation Process

Dassault Systèmes will acknowledge receipt of any non-customer vulnerability report within two business days. (The customer reporting process is based on our support policies and SLA.) All submissions will be evaluated and dispatched to the relevant teams and will be treated as strictly confidential. Protecting our customers and users is at the top of our priorities; we therefore ask that you provide us with ample time to address the security concerns and await our solution before any public notifications.

Scope

Dassault Systèmes has a large set of products and internet presence to cover all brands, industries and activities. This program covers the following three categories:

  • All web sites of the corporate group and of any subsidiaries, including but not limited to www.3ds.com and www.solidworks.com
  • All Software as a Service solutions, such as 3DEXPERIENCE or ScienceCloud, but also any online hosting linked to our brands
  • All Dassault Systèmes licensed software products.

Terms and Conditions

By submitting a report about vulnerabilities, security threats and/or workaround proposals (hereinafter together referred to as "Vulnerability Report") to Dassault Systèmes SE and/or its affiliates (hereinafter "Dassault Systèmes"):

  1. You agree that Dassault Systèmes may use such Vulnerability Report to update and/or improve its software, products or services, and You grant to Dassault Systèmes a non-exclusive, perpetual, irrevocable, worldwide, royalty-free license, with the right to sublicense to Dassault Systèmes' licensees and customers, under all relevant intellectual property rights, to use, publish, and disclose such Vulnerability Report in any manner Dassault Systèmes chooses and to display, perform, copy, make, have made, use, sell, and otherwise dispose of Dassault Systèmes’ and its sub licensee’s software, products or services embodying Vulnerability Report in any manner and via any media Dassault Systèmes chooses, without reference to the source. Dassault Systèmes shall be entitled to use Vulnerability Report for any purpose without restriction or remuneration of any kind with respect to You and/or Your representatives; AND
  2. You commit yourself to test on Dassault Systèmes’ software, products or services without affecting the safety or privacy of anyone, and to receive permission/consent from its customers or users before engaging in vulnerability testing against their devices/software, etc.; AND
  3. You commit yourself not to engage in any activity that can potentially or actually cause harm to Dassault Systèmes and/or Dassault Systèmes’ customers, users or employees; and You, therefore, agree to keep confidential and refrain from disclosing to any third party the Vulnerability Report or any information about threats and vulnerabilities of the Dassault Systèmes’ software, products or services without Dassault Systèmes’ prior express consent and, in all cases, before a fix and/or patch has been made available and communicated by Dassault Systèmes to impacted customers or users; AND
  4. You agree to avoid and prevent any impact to the safety or privacy of anyone; AND
  5. You commit yourself not to engage in any activity that violates the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) You are conducting research activity; AND
  6. You agree to adhere to the applicable laws and comply with all applicable software license requirements.