Vulnerability Disclosure Policy - tonies Group

We consider the safety and security of our customers as one of the top priorities. Therefore, we design and make products and services with the best quality and reliability possible. This vulnerability disclosure policy (“VDP”) describes tonies®’ policy for receiving reports related to potential security vulnerabilities in its products and services and the company’s standard practice with regards to informing customers of verified vulnerabilities.

Everyone is encouraged to report identified vulnerabilities, regardless of the type of service or product. Researchers, partners, CERTS, customers or any other source are welcome to report the vulnerabilities.

About the company

We created tonies® with one thing in mind: our kids. Childhood should be a magical time full of big adventures and loveable memories. We wanted to create a way for kids to experience storytelling in a digital age, that stimulates their imagination in ways that a screen can’t. We made the Toniebox for kids (and parents) who want to feel good about their entertainment at home and to bring back imagination in its purest form. We built tonies® to be an immersive, wondrous experience you can feel good about, but more importantly a community you can be part of now and for many years to come.

Reporting & Disclosure Policy

tonies® believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you’ve found a security issue in our products or services, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

Requirements

To ensure a submission is acceptable you must follow some rules:

  • Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every reasonable effort to quickly resolve the issue.

  • Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. And be aware that disclosure is not allowed without the written permission of tonies®.

  • Please avoid DDOSing us or causing a service disruption while testing our platform. And take care of not endangering the privacy of our members.

  • Do not try to over exploit the bug and access internal data for further vulnerabilities. We will determine the severity and reward accordingly.

  • If you find the same vulnerability several times, please create only one report and eventually use comments. You’ll be rewarded accordingly to your findings.

  • Do not cause harm to tonies, tonies customers or partners

  • Do not keep any copies of any non-public tonies information or share such information with any third party

  • Do not conduct social engineering, spam, or phishing attacks

  • Do not use or alter any data you might access during discovery

Please act in good faith by conducting your activities under this policy and reporting the vulnerability with us promptly, in sufficient detail for us to determine the validity of the vulnerability, and without coercion, dishonesty, or fraudulent intent.

Violation of any of these rules can result in ineligibility of the report, and may also result in tonies® taking further action, including but not limited to, bringing legal claims against you.

tonies® shall in its sole discretion decide what, if any, bounties will be provided for any findings reported. You will not be reimbursed for expenses related to vulnerability research (e.g., holding domains, S3 buckets).

Contacting tonies®' security team & sending reports

The preferred method for contacting tonies® security team is by sending an email to sec@boxine.de if you have identified a potential security vulnerability with one of our products or our services.

To facilitate our management of the vulnerability, we expect some well-written reports in English or German containing the following information:

  • Time and date

    of discovery

  • URL, browser information

    including type and version and input required to reproduce the vulnerability

  • Technical Description

    — provide what actions were being performed and the result in as much detail as possible

  • Proof

    of exploitability - e.g. screenshot, video

  • Sample Code

    — if possible, provide code that was used in testing to create the vulnerability

  • Reporting’s party Contact Information

    — best method to reach you

  • Threat/Risk Assessment

    — contains details of the identified threats and/or risks including a risk level (high, medium, low) for assessment result

  • Software Configuration

    — details to computer/device configuration at time of vulnerability

  • Relevant information about connected devices

    if vulnerability arises during interaction. When a secondary device triggers the vulnerability, these details should be provided.

Triage & follow-up

After your incident report is received, the appropriate personnel will contact you to follow-up. To ensure confidentiality, we encourage you to encrypt any sensitive information you send to us via e-mail. We are equipped to receive messages encrypted using PGP. Our PGP public key can be used to send encrypted email.

tonies® attempts to acknowledge receipt to all submitted reports within seven days.

Then tonies® will engage in an open dialog to discuss issues and notify you at each stage of the investigation.

tonies® retains discretion to determine whether to accept a report. For example, tonies® will not accept vulnerabilities with minimal security impact or low exploitability, vulnerabilities beyond tonies®’control, vulnerabilities discoverable through automated scans which have not been verified manually, or vulnerabilities related to a violation of the policy requirements.

Rewards

The following reward tables are based on tonies® severity assessment.

  • critical: 3000€*

  • high: 1500€*

  • mid: 500€*

  • low: 0€

* Maximum reward for the severity

You can hand in your own assessment of severity of course, which we will review.

For the assessment we are using the CVSS 3.1 Scoring System (e.g https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator)

Scopes

In general, tonies® websites and apps are part of this policy. Please refer to the detailed list of scope if you have a doubt.

However, though listed in the out-of-scope list, if you really feel that a bug will leave an impact on our platform, please come up with a convincing and working POC. If that convinces us to change our code, we will reward you with a bounty.

In Scope

Out of Scope

  • All known CVEs in 3rd party applications (e.g. Keycloak)

  • Self XSS

  • Any vulnerability that requires the attacker to have full access over the victim's browser

  • Brute force passwords across multiple accounts. (Password Spraying Attack)

  • Lack of expiration on auth tokens

  • Vulnerabilities affecting outdated browsers - we only consider reports in the latest stable browser versions for Safari, Firefox, Chrome, Edge, IE

  • No rate-limiting enforced

  • Recently disclosed 0-day vulnerabilities

  • Logout and other instances of low-severity CSRF

  • Enumeration/account oracles: possibility to enumerate phone numbers, emails, GUID etc and receive indication that it exists

  • Reports from automated web vulnerability scanners (Acunetix, Vega etc) that has not been validated

  • Invalid or missing Sender Policy Framework (SPF) records (incomplete or missing SPF/DKIM/DMARC)

  • However, though listed in the out-of-scope list, if you really feel that a bug will leave an impact on our platform, please come up with a convincing and working POC. If that convinces us to change our code, we will reward you with a bounty.

  • web_application https://tonies.us / https://us.tonies.com is hosted by a third party

  • web_application Any website that is not listed explicitly in the scope.