The UBTECH Robot Vulnerability Disclosure Policy encourages security researchers and the public to provide feedback and engage in responsible vulnerability research and disclosure. If you believe you have discovered a vulnerability, exposed data, or other security issues, we welcome your correspondence. This policy outlines the steps for reporting vulnerabilities to us and clarifies UBTECH's policies on identifying and reporting potential vulnerabilities.
- Disclosure Window: Upon acceptance of your vulnerability report, our goal is to complete the repair work and release patches within 90 days of initial confirmation. If additional information is required to confirm the vulnerability, we will reach out to you. If we do not receive a response after three attempts, we may close the case, but we still welcome ongoing vulnerability reports.
- You/Reporter: Individual, organization, or entity disclosing the vulnerability report.
- We/Us: In this policy, "we" refers to UBTECH and encompasses our brands.
If you discover security issues while testing or using UBTECH products or services, please send the detailed information about your findings via email to our official reporting channel (ucare@ubtrobot.com). Reports through other channels may result in delayed responses or being overlooked.
If possible, please include the following in your vulnerability report:
- Specific products or services affected, including any relevant version numbers.
- Detailed information about the issue's impact.
- Any information helpful for reproducing or diagnosing the problem.
- Whether you believe the vulnerability has been publicly disclosed or is known to third parties.
When collaborating with us, according to this policy:
- We do not currently offer or participate in a permanent bug bounty program. We do not accept bounty payments, promotional materials, or credit requests outside of the security advisory release process.
- We will provide a preliminary acknowledgment within 5 working days of receiving your vulnerability report and issue a tracking number.
- Within 30 days of the initial acknowledgment, we will send a vulnerability acceptance confirmation, including the suggested fix deadline. If we do not accept the report, we will provide our reasons, and we will remain open to new information regarding the report.
- Once the reported vulnerability is confirmed, our engineers will work on developing appropriate fixes.
- If a vulnerability cannot be resolved within the 90-day timeline, we will work with you to extend the confidentiality period or offer alternative solutions. Resolution may depend on:
  - Different timeframes for upstream vendor resolutions compared to ours.
  - Extensive architectural changes required to address the vulnerability.
  - Complex or extended validation requirements resulting from low-level firmware modifications.
- We reserve the right to publish security advisories to provide security information to our customers and the public. If the following conditions are met, we will acknowledge and credit you for discovering and reporting the vulnerability in the relevant security advisories and CVEs:
  - The reported vulnerability affects currently supported UBTECH products.
  - We make code or configuration changes based on the issue.
  - You are the first person to report the issue.
  - Your research is conducted in accordance with this policy, and
  - You agree to be acknowledged.
When participating in our vulnerability disclosure program, please ensure you have read, understood, and agree to comply with our responsible disclosure policy and its terms and conditions. If you do not agree with this policy or its terms, you may discontinue use, and we will not provide you with related services. If you continue, it means you explicitly understand and accept the following policies and terms:
- Compliance with the rules, including compliance with this policy and any other relevant agreements. In case of any inconsistency between this policy and any other applicable terms, the terms of this policy shall prevail.
- Promptly report any vulnerabilities you discover. When submitting a security vulnerability report to UBTECH, please confirm that you have not previously disclosed the relevant vulnerability information to anyone outside UBTECH.
- If you intentionally or unintentionally access information about our products, customers, employees, or business during testing, you may not use, disclose, store, or record that information in any way. Any access to such data must be reflected in the relevant vulnerability report.
- During security testing, make every effort to avoid privacy violations, user experience degradation, production system interruptions, and data destruction. In particular:
  - Do not cause potential or actual harm to our users, systems, or applications, including through destructive testing such as denial of service.
  - Do not view unauthorized data or damage any data by exploiting vulnerabilities.
  - Do not attack our personnel, property, data centers, partners, or affiliates.
  - Do not engage in social engineering, or otherwise misrepresent your affiliation or authorization, to obtain access to our assets from any of our employees, contractors, or affiliates.
  - Do not violate any laws or agreements in discovering vulnerabilities.
  - Conduct research only within the security support lifecycle of products and services.
- Convey security vulnerabilities to us only through our vulnerability reporting process. By submitting potential security vulnerability information to UBTECH, you grant us a global, perpetual, royalty-free, non-exclusive license to use the reports you submit to address security vulnerabilities in our products and services.
- Keep the information about any vulnerabilities you discover confidential until we address the issue and release a security advisory. Do not disclose information outside of the disclosure window without prior written consent from UBTECH.
- If the vulnerability provides unintended access to data:
  - Limit the amount of data you access to the minimum necessary for effective validation.
  - If you encounter any user data during testing, such as personally identifiable information (PII), protected health information (PHI), credit card data, or proprietary information, immediately cease testing and submit a report.
  - Interact only with testing accounts you own or accounts for which you have explicit permission from the account holder.