Update
Thank you for your interest in our vulnerability disclosure program. We have temporarily paused the program to review and enhance our processes. We appreciate your patience and understanding, and we will provide an update as soon as possible. Please be assured that we remain committed to the security of our systems and will continue to work diligently to safeguard our users.
Our Commitment
At CreativeRobotics, we prioritize the security, privacy, and integrity of our users, systems, networks, and products. We value the efforts of security researchers in helping us improve our security posture. Our goal is to foster a transparent and secure environment for reporting vulnerabilities.
Scope
This policy applies to all CreativeRobotics’ products and platforms, including:
- Web Applications: CreativeRobotics platform, client websites, and web-based tools.
- Mobile Applications: iOS and Android apps developed or maintained by CreativeRobotics.
- APIs: All APIs provided by CreativeRobotics.
Domains
creativerobotics.online
Out of Scope
The following issues are not within the scope of our vulnerability disclosure program:
- Third-party services or domains used by CreativeRobotics.
- Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks.
- Automation scripts and tools.
- UI/UX issues and spelling mistakes.
- Issues affecting outdated versions of browsers or operating systems.
- Client-side issues that do not impact our mobile applications.
- General best practice concerns and non-security-related bugs.
Rules
- Avoid non-technical attacks such as social engineering, phishing, or physical attacks.
- Do not disclose vulnerabilities publicly.
- Do not tamper with sensitive data or disrupt the functionality of our systems.
- Employees and their associates are not eligible for rewards.
- Multiple vulnerabilities with the same root cause will be rewarded with one bounty only; this will be decided solely by CreativeRobotics management.
Legal Assurance
We will not pursue legal action for accidental, good-faith violations of this policy, provided no harm is done. Activities consistent with this policy are considered authorized under relevant laws.
Reporting Process
To report a vulnerability, please use the following process:
Send your report to [email protected].
Template
Include the following information in your report:
Subject
<Severity> | <Name of the Vulnerability>
Body
Individual Details
- Full Name:
- Mobile Number:
- Public Profile:
Bug Details
- Name of the Vulnerability:
- Affected Areas:
- Impact:
- Severity:
- Steps to Reproduce:
- Suggested Remediation:
Attachments
- Include proof-of-concept code or screenshots.
Preferences & Prioritization
We Value
- First-time responsible disclosure of unknown issues.
- Separate reports for multiple issues.
- Well-documented reports in English.
- Proof-of-concept code for faster triage.
Expectations
- Timely response (within 7 business days).
- Transparency about remediation timelines and challenges.
- Open communication during the review process.
- Credit upon validation and resolution of the vulnerability.
Public Disclosure Policy
By default, our program is in “PUBLIC NON-DISCLOSURE” mode, meaning:
“THIS PROGRAM DOES NOT ALLOW PUBLIC DISCLOSURE. VULNERABILITIES FOUND MUST NOT BE RELEASED TO THE PUBLIC. FAILURE TO COMPLY MAY RESULT IN LEGAL PENALTIES.”
Contact
For any queries or further information, please contact:
Thank you for helping us enhance our security and for your commitment to responsible disclosure.