Vulnerability Disclosure Policy

Introduction

HibouAir is committed to ensuring the security of its products. The objective of this Vulnerability Disclosure Policy is to provide clarity and transparency to our customers and users. This policy describes the guidelines for investigating and reporting security vulnerabilities in HibouAir products. It also describes the steps HibouAir takes to respond to, handle, and disclose vulnerabilities as they are reported.

If you wish to report a potential security vulnerability, please continue reading the rest of this policy.

Scope

This policy applies to all HibouAir products.

Guidelines

  • Notify us as soon as possible after discovering a potential security vulnerability.
  • Do not take advantage of a potential security vulnerability, other than to confirm its existence.
  • We will not use your contact information for any purpose other than for handling the reported potential security vulnerability.
  • Avoid sending attachments if possible.
  • We allow anonymous reporting.
  • We currently do not offer any reward or bug bounty program.
  • Please provide information in English.

Reporting a Vulnerability

Please report any potential security vulnerabilities by emailing HibouAir directly at the address below. If you want additional security, use our PGP Public Key.

Email address: security@smartsensordevices.com

PGP Public Key: SSD-Public-Key.txt

Key fingerprint: EB16 B654 A726 8C95 B4A9 9BFB BFAF 78C0 61D1 A28C

Please be as detailed as possible when writing your report to avoid uncertainties in communication. This way we can resolve the issue as quickly as possible.

Provide the following information in your report:

  • Contact information
    • Name
    • Organization/Company (optional)
    • Email address
    • PGP key (optional)
  • Product name, model number and version
  • Vulnerability information
    • Description of the vulnerability and potential exploits, including the type of vulnerability
    • Detailed instructions on how to reproduce the vulnerability step by step

Handling of a Report

Our aim is to respond to you within a reasonable timeframe, informing you of our findings. After we receive your report, you can expect:

  1. A reply acknowledging that the report has been received.
  2. We will investigate and validate the existence of a potential security vulnerability within 5 days of becoming aware of the report.
    1. If a security vulnerability is confirmed to not exist, or we are unable to reproduce the potential security vulnerability: We will inform the reporter.
    2. If a security vulnerability is confirmed to exist: We will inform the reporter, and may, in specific cases, inform our customers and users, and begin working on a solution or mitigation.
  3. When a solution or mitigation has been developed and deployed, we will disclose the vulnerability to the reporter and to our customers and users through appropriate channels, including relevant information about the vulnerability and how to apply the solution or mitigating measures.