Vulnerability Disclosure Policy
Brand Commitment
At Cybex GmbH, we not only provide outstanding safety and security in our products, but we are also devoted to protecting our customers and partners from cyber risks and to building relationships based on trust and confidence.
Data privacy and digital product security are therefore of utmost importance to the company. We encourage customers, partners, and security researchers who share these values to report, in good faith, any vulnerability they discover in our digital assets.
Cybex GmbH values and appreciates the efforts of security researchers and their reporting, as it helps improve service security and reliability. This policy outlines the systems and research covered, the process for reporting vulnerabilities, and submission turnaround timeframes.
Please note that this policy is subject to change, so it should be reviewed regularly.
Scope
This policy applies only to publicly accessible digital assets, applications, and platforms owned and operated by Cybex GmbH, and is limited to the domains and subdomains listed below:
- *.cybex-online.com
- *.goodbabyprod.com
- *.gb-online.com
- *.columbustp.com
- *.goodbaby.eu
- *.rollplay.com
- gbinternational.com.hk
- mycbx.com
- cybex.link
- cybex-online.com
If third-party services are affected as part of the research, we cannot authorize you to test those systems. If in doubt, ask us before testing a digital asset, application or platform.
Safe Harbor
Cybex GmbH requests responsible vulnerability disclosure from everyone who participates in this program, including those who do so voluntarily and in good faith. The company will not take or support any legal action against a researcher who follows this policy while conducting vulnerability research. This does not apply where criminal or intelligence-gathering intent is evident.
If a third party takes legal action against a researcher who was acting in accordance with this policy, Cybex GmbH will make it known that the researcher complied with the policy. Researchers who have any concerns about compliance should submit a report through the official channel before proceeding further with their research.
In addition, this policy does not exempt researchers from applicable federal, state, and local hacking and privacy laws.
Guidelines
By participating in the program with good intentions and agreeing to the rules, researchers pledge to:
- Research only systems within the policy's scope.
- Avoid system or application interruption.
- Respect others' privacy by not destroying, exfiltrating, disclosing or otherwise abusing any data that may become accessible during the research.
- Not exploit any vulnerability discovered; follow-on steps such as persistence, lateral movement, data exfiltration, modification or deletion, code upload, etc. are not allowed.
- Not disclose a vulnerability to third parties, persons or institutions, unless fully coordinated with and approved in writing by Cybex GmbH.
- Not perform any phishing, spamming, social engineering, or denial-of-service attacks.
- Report vulnerabilities promptly through the official channels defined in this policy, and include contact details for follow-up questions.
Our Promise
Cybex GmbH promises to acknowledge receipt of a report within 10 business days, confirm whether the vulnerability exists, provide transparency about the steps and timelines for closing it, and coordinate public disclosure of confirmed vulnerabilities where applicable.
We will keep your report and personal data confidential and share it only to the extent necessary to fix the vulnerability.
Reporting Details
Researchers should report vulnerabilities to it-security@cybex-online.com.
Adhering to the following principles increases the likelihood that your report will be acknowledged and accepted:
- Provide complete details about the affected asset(s).
- Submit a proof of concept with explicit, step-by-step reproduction instructions, along with timestamps and screenshots of the problem.
- Explain why the potential vulnerability could affect the service concerned, and to what degree.
- Do not submit raw automated tool output alone; such reports are unlikely to be processed.