Security Vulnerability Disclosure Program
Overview
Urban.io is committed to protecting the privacy and security of users of our IoT solutions. Our Vulnerability Disclosure Program is intended to minimize the impact any security flaws have on our products or their users. Our Vulnerability Disclosure Program covers all websites and web applications hosted at the domain https://urban.io and any hardware device products manufactured by Urban.io.
In order to qualify, the vulnerability must exist in the latest public release (including officially released public betas) of device firmware or in our production website or applications.
Only security vulnerabilities will qualify.
Only bugs that lead to security vulnerabilities will be eligible for rewards. Please report any other bugs via our standard support channels available viahttps://support.urban.io or via email [email protected].
Guidelines
Please adhere to the following guidelines in order to be eligible for rewards under this disclosure program:
- You must use your own Urban.io IoT Device Administration account and Urban.io devices.
- Do not permanently modify or delete Urban.io-hosted data.
- Do not intentionally access non-public Urban.io data any more than is necessary to demonstrate the vulnerability.
- Do not DDoS or otherwise disrupt, interrupt or degrade our internal or external services.
- Do not share confidential information obtained from Urban.io, with any third party.
- Social engineering is out of scope. Do not send phishing emails to, or use other social engineering techniques against, anyone, including Urban.io staff, members, vendors, or customers.
Reports
Just as important as discovering security flaws is reporting the findings so that users can protect themselves and vendors can repair their products. Public disclosure of security information enables informed consumer choice and inspires vendors to be truthful about flaws, repair vulnerabilities, and build more secure products. Disclosure and peer review advances the state of the art in security. Researchers can figure out where new technologies need to be developed, and the information can help policymakers understand where problems tend to occur.
On the other hand, vulnerability information can give attackers who were not otherwise sophisticated enough to find the problem on their own the very information they need to exploit a security hole in a computer or system and cause harm. Therefore we ask that you privately report the vulnerability to Urban.io before public disclosure.
Send an email to [email protected] using the GPG key located here, with information about the vulnerability and detailed steps on how to replicate it. Submissions that include detailed information on how to fix the corresponding vulnerability are more likely to receive more valuable rewards.
If you do not want to be publicly thanked by Urban.io by publishing on our Website (or elsewhere), please let us know that you want your submission to be confidential in your report email. We can/will provide rewards for confidential submissions.
We are also happy to accept anonymous vulnerability reports, but of course, we can’t send you our thanks if you report a vulnerability anonymously.
We will make every effort to respond to valid reports within seven business days.
The validity of a vulnerability will be judged at the sole discretion of Urban.io.
Rewards
Rewards are awarded at Urban.io’s sole discretion. Urban.io does not provide cash bounties for reported vulnerabilities but provides non-cash rewards, including:
- Urban.io Merch (T-Shirts & Caps)
- Device Subscriptions for 100 units of any of our IoT devices (your selection) and a Global Gateway for 1, 2 or 3 years (depending on the severity of the vulnerability discovered)
Only the first report we receive about a given vulnerability will be rewarded.
Questions
If you have any questions about our vulnerability disclosure policy, please email to [email protected] using the GPG key located here.
