Vulnerability Disclosure Policy
We take security issues very seriously and recognize the importance of privacy and data security. We welcome security researchers to provide us with feedback on potential security issues to improve the security of mibro products and services.
How to report a security issue
Step 1: If you think you have found a vulnerability in mibro children's products (mibrokids) or have a security incident that needs to be reported, please send us an email with the proof. We continuously monitor the vulnerability reception channel and review and distribute accepted vulnerabilities in a timely manner.
Step 2: We will conduct technical verification of the validity of the vulnerability to confirm its exploitability and potential impact.
Step 3: We will develop vulnerability fixing plans or risk mitigation measures and verify their effectiveness.
Step 4: We will further investigate all potentially affected products and clarify the scope of products affected by the vulnerability.
Step 5: After confirming that all vulnerability response processes have been completed, we will review and issue security recommendations for the vulnerability.
Vulnerability submission method
Email: service@mibrofit.com
Vulnerability Classification and Reasons:
A-Critical (High Risk)
------------------------------
- Serious malfunctions that significantly impact users’ normal usage.
- Malfunctions that contradict product requirements.
- Malfunctions that fail to meet national laws, standards, or industry-related criteria.
- Software security flaws in the product.
- Malfunctions that have a severe impact on production and repairability on the production line.
- User complaints and post-sales feedback indicating unacceptable malfunctions.
- Malfunctions that have a significant impact on user experience.
- Malfunctions caused by server issues that prevent normal data retrieval from firmware and apps.
- User data destruction or loss caused by normal user operations or upgrades.
- User interface glitches or distortions caused by normal user operations or application interface errors.
- Significant computational errors, process or logic errors, or incompleteness.
- Higher probability (>=5%) of sporadic malfunctions in regular functions.
- Product performance issues (response time, standby duration, positioning rate, power consumption, etc.) that fail to meet standards and have significant gaps compared to comparable machines or standards.
- Errors in primary function copywriting and interaction that do not align with product requirements.
B-Major (Medium Risk)
------------------------------
- Malfunctions that significantly affect user experience.
- Malfunctions that affect user experience to a certain extent.
- Malfunctions related to UI, string translation, or compatibility issues with different device models.
- Lower probability (<5%) of sporadic malfunctions in regular functions.
- Product performance issues (response time, standby duration, positioning rate, power consumption, etc.) that fail to meet standards but are close to comparable machines or standards.
- Errors in after-sales issues, user assistance, privacy policies, etc.
- Errors in secondary and (minor) function copywriting and interaction that do not align with product requirements.
C-Minor (Low Risk)
-------------------------------
- Issues that users typically overlook and do not affect normal usage.
- Differences between non-functional aspects and product definition documents or software specifications.
- Infrequent, low-probability (<5%) issues occurring in uncommon paths (including performance testing and compatibility testing).
- Minor product malfunctions that users can tolerate.
Response time
Report receipt will be confirmed within 7 working days and a preliminary assessment will be made. Within 14 business days, the assessment will be completed and the vulnerability will be fixed or a remediation plan will be developed.
Critical risk vulnerabilities will be fixed within 7 working days.
High-risk vulnerabilities will be fixed within 30 working days.
Low-risk vulnerabilities will be fixed within 180 working days.
Note that some vulnerabilities are limited by the environment or hardware. The final repair time will be determined based on actual conditions.
We appreciate the opportunity you give us to improve our products and services so that we can better protect our users. Thank you for working with us through the above process!