Autodesk Vulnerability Disclosure Policy

Please review our Vulnerability Disclosure Policy to learn how you can report discovered vulnerabilities and understand how Autodesk will manage your submission. 

Overview

Autodesk is dedicated to ensuring the security of our products and services. We welcome the security community’s contributions to help safeguard Autodesk and customer data. This policy outlines how vulnerabilities can be reported and how Autodesk handles submissions.

Response Targets

Autodesk targets the following SLAs for researchers participating in our program:

Type of Response      SLA in business days
First Response        2 days
Time to Triage        2 days
Time to Resolution    Depends on the severity and complexity of the vulnerability

You will receive updates throughout the resolution process.

Our Process

Your submission will be reviewed and validated by a member of the Product Security Incident Response Team (PSIRT). To support our assessment, please ensure your report includes:

  • Detailed reproduction steps
  • Proof-of-concept code or screenshots, where applicable

If multiple systems are impacted, include all affected systems in the report.

Duplicate reports will be marked accordingly, but only the first valid submission will be considered for further evaluation.

 
Eligibility

We encourage the disclosure of any security vulnerabilities that have the potential to impact the security or privacy of our customers. To ensure a collaborative and effective process, researchers must:

  • Notify us promptly upon discovering a potential vulnerability to allow timely resolution.
  • Provide us with a reasonable amount of time to resolve the issue before any disclosure to the public or third-party.
  • Follow Autodesk’s disclosure guidelines when reporting vulnerabilities.
  • Submit detailed, reproducible reports, including proof-of-concept if applicable.
  • Limit reports to one vulnerability unless multiple issues must be reported together to demonstrate impact.
  • Design Proof-of-Concept (PoC) submissions to simulate impact without causing real damage. Malicious or destructive payloads are not permitted and will disqualify the submission.

Disclosure

Autodesk is committed to working with researchers to responsibly disclose reported vulnerabilities. For the protection of our customers, we request that researchers refrain from disclosing vulnerabilities until fixes are available and any potentially affected customers are notified.

Autodesk is a registered CNA (CVE Numbering Authority) and may issue a CVE (Common Vulnerabilities and Exposures) identifier if a vulnerability is confirmed to be in scope, meets Autodesk's criteria, and is ready for public disclosure or release. These criteria include, but are not limited to:

  • The vulnerability is within scope of Autodesk products or services and does not belong to a third party or another registered CNA.
  • The vulnerability is not publicly known or is not confidential.
  • The vulnerability requires user interaction to patch or remediate.

All CVEs issued will be posted on the Autodesk Trust Center as part of a Security Advisory as well as published to the National Vulnerability Database (NVD). Autodesk will work with the researcher to ensure that their work is acknowledged as part of the advisory.

Program Guidelines

  1. Please use only accounts and assets you own or have explicit permission to access for testing and research purposes. Do not attempt to gain unauthorized access to any Autodesk user accounts, data, or services.
  2. Submit one vulnerability per report unless multiple issues must be grouped to demonstrate impact.
  3. Do not engage in social engineering tactics, including phishing, vishing, or smishing.
  4. Avoid testing that causes privacy violations, data destruction, service degradation, or denial-of-service conditions.
  5. Do not test against Autodesk systems using spam, brute force techniques, or automated scanning tools not approved by Autodesk.
  6. Do not engage in any research activities that violate applicable local, federal, or international laws, or the laws of any country where Autodesk assets, data, or users are located, data traffic is routed, or the researcher is conducting testing.
  7. Do not store, share, or destroy Autodesk customer data. If Personally Identifiable Information (PII) is encountered during testing, immediately cease activity, purge any related data from your system, and report the finding to Autodesk.
  8. Avoid any actions that could cause harm to Autodesk, its customers, its employees, or its systems.
  9. Do not access data beyond what is necessary to demonstrate the vulnerability. Whenever possible, please use methods that demonstrate vulnerabilities without exposing personal data.
  10. In the course of testing or reporting, researchers may encounter limited user data such as usernames, profile images, or email addresses. If you encounter this or other user data, report the issue to help us assess the impact. In some situations, user data may be visible to other users by design of our services (for example, see the "Is the personal data you give us ever displayed publicly?" section of Autodesk's Privacy Statement and the "Your Content" section of our Terms of Use) and, as such, may not qualify for researcher rewards.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct. Autodesk will not initiate legal action against you for security research activities that follow this policy. If legal action is initiated by a third party in connection with activities conducted under this policy, we will take appropriate steps to make it known that your actions were conducted in compliance with this policy.

We encourage good faith security research to help safeguard our products, services, and customers, and we are committed to supporting researchers who work within these boundaries.

Thank you for helping us protect Autodesk and our customers!

Help us identify vulnerabilities.