How To Contribute/Report Vulnerabilities
Vulnerability Disclosure Policy
Reporting a Vulnerability in Internet of Dongs or InternetOfDon.gs
We take the security of our systems seriously, and we value the security community. The disclosure of security vulnerabilities helps us ensure the security and privacy of our users.
We require that all researchers:
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing;
- Perform research only within the scope set out below;
- Use the identified communication channels to report vulnerability information to us; and
- Keep information about any vulnerabilities you’ve discovered confidential between yourself and Internet of Dongs until we’ve had 30 days to respond to the issue.
If you follow these guidelines when reporting an issue to us, we commit to:
- Not pursue or support any legal action related to your research;
- Work with you to understand and resolve the issue quickly (including an initial confirmation of your report within 72 hours of submission);
- Recognize your contribution on our Security Researcher Hall of Fame, if you are the first to report the issue and we make a code or configuration change based on the issue.
Out of scope
Any services hosted by 3rd party providers and services are excluded from scope. These services include:
In the interest of the safety of our users, staff, the Internet at large and you as a security researcher, the following test types are excluded from scope:
- Findings from physical testing such as office access (e.g. open doors, tailgating)
- Findings derived primarily from social engineering (e.g. phishing, vishing)
- Findings from applications or systems not listed in the ‘Scope’ section
- UI and UX bugs and spelling mistakes
- Network level Denial of Service (DoS/DDoS) vulnerabilities
Things we do not want to receive:
- Personally identifiable information (PII) inclusing SINs and SSNs
- Credit card holder data
How to report a security vulnerability?
If you believe you’ve found a security vulnerability in one of our products or platforms please send it to us by emailing firstname.lastname@example.org. Please include the following details with your report:
- Description of the location and potential impact of the vulnerability;
- A detailed description of the steps required to reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful to us); and
- Optional Your name/handle if you want recognition in our Hall of Fame.
If you’d like to encrypt the information, please use our GPG Key.
_Thank you bugcrowd for this model VDP
Reporting a Vulnerability in an internet connected adult intimate product
So you want to contribute and report a vulnerability to a vendor? Great!
The site is designed to provide a place for independent researchers to contribute their findings and provide a unified front to the industry.
While we cannot force you to do anything or follow this process, we highly encourage you to submit your findings through the IoD project. By doing this, you make it easier for vendors as then they only deal with one group rather than many different ones.
You will be given credit for your findings if you desire. We are not out to hog any glory here. As well, you will be fully involved in communications with the vendor throughout the process. IoD will just be there to lend a hand to either side. We also will hopefully be able to verify any of your findings independently from our "Dong Library" of devices on hand should the need arise.
Even if you don't have any devices, that doesn't mean you can't help. Since the associated software is usually freely available, there is a fair amount of investigation possible just from static and some dynamic analysis. Just check out our Dong List to see all the devices we've identified the software for. (If we've missed one, please let us know)
DVE Request Process
Vendors and members of the public can submit an email to email@example.com.
Please include the following details with your report:
Description of the location and potential impact of the vulnerability;
A detailed description of the steps required to reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful to us); and
Optional Your name/handle if you want recognition in our Hall of Fame.
If you’d like to encrypt the information, please use our GPG Key
We will acknowledge receipt of DVE requests within 14 business day and strive to send regular updates about our progress. Our goal is to determine if the vulnerability is valid and communicate back to the submitter within 30 business days.
If the status of the DVE request is unclear, please feel free to email us for an update.
- If the 3rd party acknowledges the vulnerability and is working on a patch, we will keep vulnerability details confidential until the issue is fixed.
- If possible, we will verify the fix before it is being published.
- In special cases we might release details without a fix to make the public aware. This might, for instance, be the case when a vulnerability is being actively exploited.
- We will treat all deadlines as soft deadlines , however we will strive to be communicative to all parties.
- We will try to coordinate with the affected 3rd party to have a patch released before we release an advisory.
- Resulting advisories will be published in the DVE Reports.