
Coordinated Vulnerability Disclosure Statement
Mayborn is committed to ensuring the safety and security of our products and services. Mayborn develops and deploys advanced best practice security and privacy features for our products and services. Mayborn operates under a global coordinated vulnerability disclosure policy, which guides our incident management and all risk assessment activities relating to potential security and privacy vulnerabilities identified in our products and services. Mayborn supports coordinated vulnerability disclosure and encourages vulnerability testing by security researchers and by customers, with responsible reporting to Mayborn.
Coordinated Vulnerability Disclosure Process
When submitting reports of vulnerability findings, please follow the procedures below so that we can support you safely and efficiently.
Reporting Procedure:
Please email submissions to us at [email protected]
Please include the acronym ‘CVD’ in the e-mail subject, and provide your reference/advisory number and sufficient contact information, such as your organisation and contact name, so that we can get in touch with you.
Providing a technical description of the concern or vulnerability:
To help us to verify the issue, please provide any additional information, including details on the tools used to conduct the testing and any relevant test configurations. If you wrote specific proof-of-concept or exploit code, please provide a copy. Please ensure all submitted code is clearly marked as such.
If you have identified specific threats related to the vulnerability, assessed the risk, or have seen the vulnerability being exploited, please provide that information.
When possible, provide the report in English to expedite the process.
Product Security Vulnerability Report Assessment and Action:
Vulnerability Risk Classification

Negligible Risk
1. Bug reports unrelated to security, including but not limited to slow loading of web pages and broken page styling.
2. Reports too brief to be reproduced from their content, including but not limited to vulnerabilities that cannot be reproduced even after repeated communication with the vulnerability reviewer.
3. Products, apps or modules no longer under maintenance.
4. Vulnerabilities in general-purpose protocols such as Wi-Fi, MQTT, BLE and Zigbee.

Low Risk
1. Vulnerabilities that can be exploited for phishing attacks, including but not limited to URL redirection vulnerabilities.
2. Logic design defects in the system.
3. Minor information disclosure vulnerabilities, including but not limited to path disclosure, .git file disclosure, and disclosure of server-side business log content.

Medium Risk
1. General information disclosure, including but not limited to plaintext storage of passwords in the mobile client, or download of a source-code archive containing sensitive server or database information.
2. Logic design defects in the system, such as bypassing postage charges on goods, or payment vulnerabilities.

High Risk
1. Vulnerabilities that directly lead to the disclosure of sensitive information from the online server, including but not limited to disclosure of core system source code, disclosure of user account or payment information, or download of sensitive server log files.
2. Vulnerabilities that affect the normal operation of online services, such as application-layer denial of service.
3. Logic design defects in the system that allow unauthorised operations, such as unauthorised access to sensitive information.

Critical Risk
1. Vulnerabilities giving remote direct access to system permissions (server, client or smart device), including but not limited to arbitrary code execution, arbitrary command execution, and uploading and use of Trojan horse files.
2. Mobile terminal: remote code execution vulnerabilities.
3. Device terminal: vulnerabilities causing permanent denial of service on the device (the device can no longer be used because it is permanently damaged or the entire system must be rewritten), where the attack is initiated remotely, requires no physical contact with the device, and can be replicated quickly and at scale.
We may seek your ongoing assistance in addressing the vulnerability concern during the review and resolution period, up to 90 days, unless otherwise prohibited.
Notice:
If you decide to share any information with Mayborn, you agree that the information you submit will be considered non-proprietary and non-confidential and that Mayborn is allowed to use such information in any manner, in whole or in part, without any restriction. Furthermore, you agree that submitting information does not create any rights for you or any obligation for Mayborn.
Last update: 29/04/2024