Vulnerability Disclosure Policy
The following issues are not included:
- Bugs that do not involve security issues. This includes, but is not limited to, product functionality defects, garbled text on web pages, style inconsistencies, directory traversal of static files, application compatibility issues, and so forth.
- Vulnerabilities that cannot be exploited. This includes CSRF vulnerabilities that involve no sensitive operations, and disclosure of exception information or intranet IP addresses/domain names that has no security impact.
- Other issues that cannot directly reflect vulnerabilities, including but not limited to issues that are purely user speculation.
Low-risk security issues:
Vulnerabilities that can cause some impact but cannot directly obtain device permissions or compromise data security, such as non-critical information disclosure, URL redirection, relatively difficult-to-exploit XSS vulnerabilities, common CSRF vulnerabilities, and so on.
Medium-risk security issues:
- Vulnerabilities requiring interaction to obtain user identity information. This includes but is not limited to stored XSS vulnerabilities;
- Arbitrary file operation vulnerabilities, including but not limited to arbitrary file reading, writing, deletion, and downloading;
- Unauthorized access, including but not limited to bypassing restrictions to modify user information and perform user operations;
- Relatively serious information leakage vulnerabilities. This includes sensitive information file leakage, such as DB connection passwords.
High-risk security issues:
- Vulnerabilities that can directly obtain business server permissions, including but not limited to arbitrary command execution, webshell upload, and arbitrary code execution;
- Vulnerabilities that directly lead to serious information leakage, including but not limited to SQL injection vulnerabilities in the core database;
- Logical vulnerabilities that directly lead to serious impacts, including but not limited to arbitrary account password change vulnerabilities;
- Vulnerabilities that directly steal user identity information in batches, including but not limited to SQL injection;
- Unauthorized access, including but not limited to bypassing authentication to access the backend.
Critical security issues:
- Vulnerabilities that directly obtain core system permissions or can directly harm the intranet, including but not limited to command execution and remote overflow;
- Vulnerabilities that can obtain a large amount of core user data;
- Logical vulnerabilities that can directly lead to serious impacts, including but not limited to serious logic errors that can be used to obtain large amounts of benefit and cause losses to the company and users.
How to report a security issue:
If you find a vulnerability in a Beatbot Security product or have a security issue to report, please fill out the vulnerability report form.
When we receive a vulnerability report, we take a series of steps to resolve the issue internally. All reported vulnerabilities are scored according to the Beatbot IOT Vulnerability Rating Criteria.
- Reporters are required to provide confidential details about the vulnerability.
- We will investigate and verify the reported vulnerability.
- We will fix vulnerabilities and validate the fixes across Beatbot security product lines.
- We will release an OTA update to Beatbot Security products.
- We will monitor the robustness of Beatbot security products after updates.
After receiving the report, we will acknowledge it within 3 business days and conduct an initial assessment. Evaluation will be completed within 7 business days, and we will either fix the vulnerability or devise a remediation plan.
When to fix:
Critical risk vulnerabilities will be fixed within 7 business days. High and medium risk vulnerabilities will be fixed within 30 business days. Low risk vulnerabilities will be fixed within 180 business days. Please note that some vulnerabilities may be subject to environmental or hardware limitations. Final timelines will be determined based on actual circumstances.
If you have discovered a security or privacy vulnerability affecting Beatbot devices, software, services, or web servers, please report it to us. We welcome reports from anyone, including security researchers, developers, and customers. Beatbot will promptly and carefully address security vulnerabilities in our products. We will take the necessary measures to minimize customer risk, provide timely information, and deliver the vulnerability fixes and mitigations required to address security threats in Beatbot devices, software, or web servers. We greatly appreciate anyone who gives us the opportunity to improve our products and services and better protect our users. Thank you for collaborating with us through the above process.
Email address: