Vulnerability Disclosure Policy - tonies Group
We consider the safety and security of our customers as one of the top priorities. Therefore, we design and make products and services with the best quality and reliability possible. This vulnerability disclosure policy (“VDP”) describes tonies®’ policy for receiving reports related to potential security vulnerabilities in its products and services and the company’s standard practice with regards to informing customers of verified vulnerabilities.
Everyone is encouraged to report identified vulnerabilities, regardless of the type of service or product. Researchers, partners, CERTS, customers or any other source are welcome to report the vulnerabilities.
About the company
We created tonies® with one thing in mind: our kids. Childhood should be a magical time full of big adventures and loveable memories. We wanted to create a way for kids to experience storytelling in a digital age, that stimulates their imagination in ways that a screen can’t. We made the Toniebox for kids (and parents) who want to feel good about their entertainment at home and to bring back imagination in its purest form. We built tonies® to be an immersive, wondrous experience you can feel good about, but more importantly a community you can be part of now and for many years to come.
Reporting & Disclosure Policy
tonies® believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you’ve found a security issue in our products or services, we encourage you to notify us. We welcome working with you to resolve the issue promptly.
Requirements
To ensure a submission is acceptable you must follow some rules:
Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every reasonable effort to quickly resolve the issue.
Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. And be aware that disclosure is not allowed without the written permission of tonies®.
Please avoid DDOSing us or causing a service disruption while testing our platform. And take care of not endangering the privacy of our members.
Do not try to over exploit the bug and access internal data for further vulnerabilities. We will determine the severity and reward accordingly.
If you find the same vulnerability several times, please create only one report and eventually use comments. You’ll be rewarded accordingly to your findings.
Do not cause harm to tonies, tonies customers or partners
Do not keep any copies of any non-public tonies information or share such information with any third party
Do not conduct social engineering, spam, or phishing attacks
Do not use or alter any data you might access during discovery
Please act in good faith by conducting your activities under this policy and reporting the vulnerability with us promptly, in sufficient detail for us to determine the validity of the vulnerability, and without coercion, dishonesty, or fraudulent intent.
Violation of any of these rules can result in ineligibility of the report, and may also result in tonies® taking further action, including but not limited to, bringing legal claims against you.
tonies® shall in its sole discretion decide what, if any, bounties will be provided for any findings reported. You will not be reimbursed for expenses related to vulnerability research (e.g., holding domains, S3 buckets).
Contacting tonies®' security team & sending reports
The preferred method for contacting tonies® security team is by sending an email to sec@boxine.de if you have identified a potential security vulnerability with one of our products or our services.
To facilitate our management of the vulnerability, we expect some well-written reports in English or German containing the following information:
Time and date
of discovery
URL, browser information
including type and version and input required to reproduce the vulnerability
Technical Description
— provide what actions were being performed and the result in as much detail as possible
Proof
of exploitability - e.g. screenshot, video
Sample Code
— if possible, provide code that was used in testing to create the vulnerability
Reporting’s party Contact Information
— best method to reach you
Threat/Risk Assessment
— contains details of the identified threats and/or risks including a risk level (high, medium, low) for assessment result
Software Configuration
— details to computer/device configuration at time of vulnerability
Relevant information about connected devices
if vulnerability arises during interaction. When a secondary device triggers the vulnerability, these details should be provided.
Triage & follow-up
After your incident report is received, the appropriate personnel will contact you to follow-up. To ensure confidentiality, we encourage you to encrypt any sensitive information you send to us via e-mail. We are equipped to receive messages encrypted using PGP. Our PGP public key can be used to send encrypted email.
tonies® attempts to acknowledge receipt to all submitted reports within seven days.
Then tonies® will engage in an open dialog to discuss issues and notify you at each stage of the investigation.
tonies® retains discretion to determine whether to accept a report. For example, tonies® will not accept vulnerabilities with minimal security impact or low exploitability, vulnerabilities beyond tonies®’control, vulnerabilities discoverable through automated scans which have not been verified manually, or vulnerabilities related to a violation of the policy requirements.
Rewards
The following reward tables are based on tonies® severity assessment.
critical: 3000€*
high: 1500€*
mid: 500€*
low: 0€
* Maximum reward for the severity
You can hand in your own assessment of severity of course, which we will review.
For the assessment we are using the CVSS 3.1 Scoring System (e.g https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator)
Scopes
In general, tonies® websites and apps are part of this policy. Please refer to the detailed list of scope if you have a doubt.
However, though listed in the out-of-scope list, if you really feel that a bug will leave an impact on our platform, please come up with a convincing and working POC. If that convinces us to change our code, we will reward you with a bounty.
In Scope
android_application https://play.google.com/store/apps/details?id=com.tonies.app
ios_application https://apps.apple.com/de/app/mytonies/id1504496868
web_application https://keycloak.prod.tonie.cloud, https://login.tonies.com
web_application https://octonie.prod.boxine.net
web_application https://sso.prod.tonie.cloud
web_application https://admin.stage.tonie.cloud
web_application https://ir.tonies.com
web_application https://www.toniebox-setup.com
web_application https://tonies.com
web_application https://my.tonies.com
web_application https://b2b.tonies.com
web_application https://refund.tonies.com
web_application https://fc07.boxine.net
web_application https://mts-01.boxine.net
ip_range 159.69.129.82/32, 159.69.129.78/32, 116.202.165.210/32, 159.69.129.76/32
ip_range 18.196.68.77/32
ip_range 49.12.81.51/32, 49.12.81.48/32
ip_range 159.69.129.64/27
ip_range 116.202.69.96/27
ip_range 162.55.2.136/32, 162.55.2.216/32, 162.55.2.135/32, 162.55.2.134/32, 162.55.2.137/32
ip_range 162.55.83.17/32, 116.202.69.113/32, 116.202.69.115/32
Out of Scope
All known CVEs in 3rd party applications (e.g. Keycloak)
Self XSS
Any vulnerability that requires the attacker to have full access over the victim's browser
Brute force passwords across multiple accounts. (Password Spraying Attack)
Lack of expiration on auth tokens
Vulnerabilities affecting outdated browsers - we only consider reports in the latest stable browser versions for Safari, Firefox, Chrome, Edge, IE
No rate-limiting enforced
Recently disclosed 0-day vulnerabilities
Logout and other instances of low-severity CSRF
Enumeration/account oracles: possibility to enumerate phone numbers, emails, GUID etc and receive indication that it exists
Reports from automated web vulnerability scanners (Acunetix, Vega etc) that has not been validated
Invalid or missing Sender Policy Framework (SPF) records (incomplete or missing SPF/DKIM/DMARC)
However, though listed in the out-of-scope list, if you really feel that a bug will leave an impact on our platform, please come up with a convincing and working POC. If that convinces us to change our code, we will reward you with a bounty.
web_application https://tonies.us / https://us.tonies.com is hosted by a third party
web_application Any website that is not listed explicitly in the scope.