Tineco Software Vulnerability Disclosure Policy

Introduction

Tineco Intelligent Inc. (hereinafter, "Tineco") seeks to mitigate the risk associated with security vulnerabilities that may be discovered in our products. We aim to accomplish this objective by analyzing reported and discovered vulnerabilities and providing our customers with timely information, analysis, and guidance on appropriate mitigation.

After investigating and validating a reported vulnerability, Tineco will strive to take appropriate remedial measures (if necessary), including but not limited to:

• A new product release, patch or update;
• Corrective procedures to work around or resolve the security issue, or
• Additional guidance customers may use to provide protection against the reported issue(s) in the affected product(s).

Tineco will make every effort to provide the remedy or corrective action in the minimum reasonable time in order to protect our customers and partners. Tineco communicates security information and/or updates to customers through our regular support channels.

Guidelines

We ask that all Finders:

• Comply with all applicable laws; not conduct any activity that may affect the normal operation of Tineco products and services, endanger the personal data security of Tineco users or the cybersecurity; and make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing.
• Not make use of any Tineco product or service or during collection of vulnerabilities to conduct any activity that, including but not limited to, endangers national security, honor and interest, incites to subvert the state power or overthrow the socialist system, incites to split the country or undermine national unity, advocates terrorism or extremism, propagates ethnic hatred or discrimination, spreads violent or pornographic information, fabricates or disseminates false information to disrupt the economic and social order, or infringes upon the reputation, privacy, intellectual property rights or other lawful rights and interests of any other person.
• Perform research only within the scope set out below.
• Use only identified communication channels for vulnerability information reporting purposes.
• Keep information about any vulnerabilities you've discovered confidential between yourself and Tineco until disclosure is approved by both the finder and Tineco. Until then, you shall not release or disclose any vulnerability related information to avoid endangering personal data and network security.
• Remain communicative and cooperative as we work together through this process.

If you follow these guidelines when reporting an issue to us, we commit to:

• Not pursue or support any legal action related to your research related to a vulnerability (except for acts of malice)
• Work with you, when necessary, to understand and resolve the issues associated with the vulnerability quickly (including an initial confirmation of your report within 2 business days of submission)
• Tineco may recognize your contribution if you are the first person to report the issue and we make a product modification or configuration change based on the issue as appropriate.

Scope

• Tineco Products and Software
• Product Documentation

Note: Specific information requested for each type of product is available below.

Out of Scope:

In the interest of the safety of our users, staff, the Internet at-large, and you as a security researcher, the following test types are excluded from scope:

• Findings derived primarily from social engineering (e.g. phishing, vishing)
• Discoveries deriving from applications or systems not included in the "Scope"
• UI and UX bugs with no security implication
• Spelling mistakes
• Network level Denial of Service (DoS/DDoS) vulnerabilities

Tineco expressly prohibits inclusion of the following information in a vulnerability report:

• Personally Identifiable Information (PII)
• Credit card holder data
• Classified data
• Binaries – Please provide source code when possible

Reporting

If you believe you’ve found a security vulnerability in one of our products or platforms, please send the Finding report to us by emailing support@tineco.com. Please include the following details with your report:

• Your name/handle and appliance type or corresponding software identification involved (if you choose)

Disclosure

Prior to disclosure, we will do the following (when applicable):

• Triage and Validate the finding report
• Communicate with you the timeline for mitigation (when applicable) and disclosure (when applicable) (we may request to extend the Embargo Period)
• Communicate with other parties in a Multi-party Coordinated Disclosure
• Communicate the remediation strategy with you
• As appropriate, publication of the disclosure on www.tineco.com/secuiry. In order to comply with the legal obligations associated with network security protection, Tineco will not disclose or discuss any security issues prior to the completion of investigation and any necessary actions.
  
  

Rights and Obligations

Tineco's customers' rights with respect to warranties and support and maintenance of the applicable Tineco product or service are governed solely by, and subject in all respects to, our Standard Terms and Conditions of Sale, and any other applicable agreement between Tineco and each such customer.

The statements in this document shall not be deemed to modify or enlarge any rights of Tineco customers or finders, or create any additional warranties, whether express or implied. Reporting by You of any vulnerability information pursuant to this Policy shall not be construed at any time as creating any form of employment, agency or cooperation relationship between You and Tineco.

Any information provided to Tineco regarding vulnerabilities in Tineco products, including all information in a product vulnerability report, shall become the sole property of Tineco and may be used by Tineco without any duty to account or pay consideration to the provider of such information. The ownership and intellectual property rights associated with such vulnerability report submitted by You shall belong to Tineco. Without the prior written consent of Tineco, You shall not use by Yourself, disclose to any third party or permit any third party to use such vulnerability report and such intellectual property rights.

You are fully aware and agree that, you shall be responsible for and Tineco shall not be liable howsoever for the legality of the manner, methodology, tools and means of research or evaluation of any vulnerability discovered, collected, submitted or released by You. In addition, Tineco does not guarantee the security, accuracy, validity and other uncertain risks of any third party software service and contents thereof. In the case any vulnerability discovered in any third party is beyond the scope of this Policy, please report the same pursuant to such third party's disclosure policies.

Tineco reserves the right to amend this Policy at any time through releasing updated version of this document.