蜜桃网

蜜桃网 Responsible Disclosure Program

Mission

蜜桃网 is committed to its Win Right Values. Part of living our Win Right Values is a commitment to the security of our products, technology, customers, and employees. 蜜桃网 takes security seriously and investigates all reported vulnerabilities. Accordingly, 蜜桃网 has adopted this Responsible Disclosure Program (the 鈥淧谤辞驳谤补尘鈥�) to encourage public disclosure of newly identified cybersecurity vulnerabilities in its products and services.

Scope of the Program

This Program covers all 蜜桃网 products and services excluding any third-party provided network components, like cloud service providers. The Program includes, for example:

• All websites
• All current connected products (excluding the cloud connection and cloud storage)
• All mobile applications

See 鈥淥ut of Scope鈥� List below for products, services, and vulnerabilities excluded from the Program.

Eligibility to Participate

To participate in this Program, you must:

• Have read and agree to this Program;
• Be at least 18 years of age; and
• Participate in the Program in your individual capacity or with the permission of the organization that employs you.

To participate in this Program, you must聽not be:

• On a sanctions list or in a country on a sanctions list maintained by the U.S. Department of Treasury Office of Foreign Assets Control or any other applicable government entity;
• Prohibited or limited from participating in the Program by any applicable law;
• Employment with 蜜桃网 or any one of its affiliates, currently or in the past year; or
• Serving as a contributing author of the code that is the subject of your Report.

If you violate any provision of these representations, you will be automatically disqualified from this Program.

Public Disclosure Requirements

To comply with the Program, members of the public disclosing potential vulnerabilities must do so in accordance with the following guidelines:

• Notify 蜜桃网 as soon as possible after you discover a real or potential security vulnerability.
• Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
• Only use information owned by you and not by a third party in your Report.
• Only use exploits to the extent necessary to confirm a vulnerability鈥檚 presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.聽
• Do not compromise public safety.
• Do not violate any applicable local, state, national, or international law, including intellectual property.
• Do not use accounts that are not your own.
• Provide us a reasonable amount of time to resolve the issue before you disclose it publicly.
• The following activities are expressly prohibited by the terms of this Program:
  • Denial of Service (DoS) attacks against 蜜桃网, its products, or any of its third-party providers;
  • Social engineering or phishing to solicit login passwords or credentials from 蜜桃网 employees, contractors, or third-parties;
  • Physical attacks against 蜜桃网 employees, offices, or data centers;
  • Knowing distribution of any malware; and
  • Using unsolicited bulk messaging to pursue any vulnerabilities.

Once you鈥檝e established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, proprietary information, or trade secrets of any party), you must stop and notify 蜜桃网 immediately, and not disclose this data to anyone else.

Report Submission and Review

• To participate you must submit a potential vulnerability report to 蜜桃网 (the 鈥淩eport鈥�) via email at聽ResponsibleDisclosure@蜜桃网.com
• Upon successful submission of your Report, you will receive a confirmation of receipt from us.
• Please allow us a reasonable period of time to investigate and validate your Report. We will keep you reasonably informed about the status of any vulnerability you reported.
• 蜜桃网 is not responsible for any Reports that it does not receive.鈥疘nformation submitted under this policy will be used for defensive purposes only 鈥� to mitigate or remediate vulnerabilities.

What to Include in Your Report

A detailed, well-written Report will help us to assess the situation more quickly. To facilitate our review, please include a detailed description of the potential vulnerability such that we are able to reproduce and correct any issues and include the targets, tools, process, artifacts, etc. used in discovery.鈥� Submissions of screenshots are welcome.

Disclosure

We are committed to responding to all Reports in a timely manner. To qualify under this Program, you must not disclose any of the contents of a Report or the fact that you submitted a Report to anyone outside of 蜜桃网. After 蜜桃网 communicates to you that it has completed its review of the Report, you may request the ability to disclose the contents of your Report to third parties.鈥� In reviewing all such requests, 蜜桃网 in its sole discretion, will make all determinations.

Out of Scope

The following products, services, and vulnerabilities are outside the scope of this Program:

• 蜜桃网 and services no longer produced, maintained, or sold by 蜜桃网, including outdated or unpatched applications, services, software, firmware;
• Third-party websites or services, including third party software incorporated in 蜜桃网 applications;
• Bugs that simply cause an app to crash;
• Attacks against 蜜桃网 infrastructure;
• Attacks requiring physical access to a user's mobile device;
• Network Provisioning errors;
• Violation of licenses or other restrictions applicable to any vendor's product;
• Security bugs in third-party applications (e.g. java, plugins) or websites;
• Host header injections (unless you can show how they could lead to a data loss);
• Self-XSS (User defined payload);
• Login/logout CSRF;
• Use of a known-vulnerable library (without evidence of exploitability);
• Vulnerabilities affecting users of outdated browsers or platforms;
• Vulnerabilities which require a jailbroken or rooted mobile device;
• Previously reported vulnerabilities鈥痷nless鈥痵ome additional information is reported in the subsequent Report;
• Recent acquisitions for the first six (6) months after acquisition to give 蜜桃网 time to internally review and mitigate any issues; and
• Vulnerabilities that present negligible security impact or are exploited to conduct a malicious attack against 蜜桃网. Common examples may include, but are not limited to, the following:
  • Vulnerabilities were discovered by conducting an attack against 蜜桃网 employees, clients and/or partners, or referring to social engineering techniques (e.g. shoulder surfing, stealing devices, phishing, fraud, stolen credentials);
  • Vulnerabilities which require a rooted or jailbroken movable device;
  • Vulnerabilities within 蜜桃网鈥檚 lab, staging environments or sandbox;
  • System vulnerabilities irrelevant to security issues.

Legal

• 蜜桃网, in its sole discretion, may modify or discontinue the Program at any time.
• 蜜桃网, in its sole discretion, may disqualify any security researcher from this Program at any time.
• 蜜桃网 may pursue legal action against any criminal or unlawful activity at any time.
• This Program does not make you an employee or a contractor of 蜜桃网, and you are responsible for any taxes or additional restrictions based on your national and local laws.

If you make a good faith effort to comply with this Program during your security research, 蜜桃网 will consider your research to be authorized 蜜桃网 will work with you to understand and resolve the issue quickly, and 蜜桃网 will not recommend or pursue legal action related to your research. Should legal action be initiated by a third party against you for activities that were conducted in accordance with this policy, 蜜桃网 will make this authorization known.

Contact Information

If you have any inquiries regarding the Program, please contact us at鈥�ResponsibleDisclosure@蜜桃网.com.

Thank you for your interest in making 蜜桃网 and its products more secure.