Statement
Tomofun's mission is to bring joy and innovation to every pet lover in the world. We are committed to earning and upholding our customers' trust by delivering products that prioritize security and safeguard the privacy of their data.
We value the vigilance of our community in identifying security concerns and maintain a proactive stance in staying ahead of emerging threats. Collaborating with security researchers and industry partners, we stay abreast of the latest developments to enhance the security of our products.
In adherence to our principles, Tomofun prioritizes protecting the safety of our customers and does not disclose security vulnerabilities until fixes are available. Tomofun reserves the right to publicly announce a vulnerability once solutions are in place.
Tomofun’s vulnerability disclosure policy
This policy outlines the systems and types of research covered, how to submit vulnerability reports to us, and the time security researchers are expected to wait before publicly disclosing vulnerabilities.
Scope
Tomofun investigates all reports of security vulnerabilities affecting Tomofun products and services.
What You Can Expect from Us
If you're a security researcher and you believe you've discovered a security vulnerability in Tomofun, please share your contact information with us. We assure you that we will reach out to you as promptly as possible. You'll receive confirmation of our receipt of your report within one business day, and we'll make every effort to confirm the existence of the vulnerabilities. Throughout the repair process, we'll strive for transparency, detailing any issues or challenges that may impede progress toward resolution. Furthermore, we'll maintain an open dialogue to address any concerns or questions that may arise.
Responsible Disclosure Guidelines
We ask that security researchers adhere to the following guidelines when testing our products or services:
- Respect Privacy: Do not access or modify data that does not belong to you.
- Do No Harm: Do not disrupt or degrade the availability or performance of our products or services.
- Compliance: Ensure that your research complies with all applicable laws and regulations.
Please refer to our process and definitions:
- Tomofun will confirm your report within 1 business day.
- For P0 (Critical) vulnerabilities, Tomofun will check and investigate the report within 2 days. For P1 (Medium-High) vulnerabilities, the check time is 7 days, and for P2 (Low) vulnerabilities, the check time is 14 days.
- For P0 (Critical) vulnerabilities, Tomofun will aim to close the issue within 7 days. For P1 (Medium-High) vulnerabilities, the issue will be closed within 14 days, and for P2 (Low) vulnerabilities, the issue will be closed within 30 days.
- We will do our best to confirm the existence of any vulnerabilities and make the patching process as transparent as possible, including addressing any issues or challenges that may cause delays in the resolution progress.
- We'll keep an open discussion with you on any issues.
- After completing the case, we will update our announcement here.
| Type | P0 (Critical) | P1 (High) | P2 (Medium-Low) |
| --- | --- | --- | --- |
| Response | 1 day | 1 day | 1 day |
| Verification | 2 days | 7 days | 14 days |
| Complete | Within 7 days | Within 14 days | Within 30 days |

(P0, P1, and P2 are defined by Tomofun.)
Report Vulnerabilities
We ask that you follow these guidelines when reporting:
- Provide Details: Please provide detailed information about the vulnerability, including steps to reproduce, potential impact, and any other relevant details.
- Responsible Disclosure: We ask that you do not publicly disclose the vulnerability until we have had an opportunity to investigate and address it.
- Contact Information: You can report vulnerabilities by contacting our security team at support@furbo.com. Please include "Vulnerability Disclosure" in the subject line.
- Encryption: If the vulnerability requires submitting sensitive information, please use any means to encrypt and protect the data.
Version
This document, Version 1.0, was created on 15 April 2024. Tomofun updates or reviews this policy annually. Any updates will be noted in the version notes below.