Vulnerability Disclosure Policy

MAXI-COSI is committed to ensuring the safety and security of customers who use our products and services. MAXI-COSI maintains a global network of product security officers for developing and deploying advanced best practice security and privacy features for our product and services, as well as for managing security events.

Guidelines for Disclosure

To promote the discovery and reporting of security vulnerabilities and increase user safety, we ask that you follow these guidelines:
•    Only perform the security evaluation on the following domains: https://www.maxi-cosi.co.uk/c/vulnerability-disclosure-policy-form
•    Do not publicly disclose any details of the vulnerability, indicator of vulnerability, or the content of information rendered available by a vulnerability, except upon receiving express written consent from MAXI-COSI;
•    Do not perform social engineering (including phishing) of MAXI-COSI customer, staff, or contractors.
•    Do not cause a denial of service.
•    Do not send spam to MAXI-COSI customer, staff or contractors.
•    Do not make any physical access attempts against MAXI-COSI property or data centers.

Reporting a Vulnerability

Please disclose your findings using the Contact Security Web Form on our Safety page using the subject “Security Vulnerability Disclosure” from the following manner: Please provide us with valid reference/advisory number and sufficient contact information’s, such as your contact name and/or organization name so that we can get in touch with you.
a)    Issuing MAXI-COSI App, please provide information on which specific product you tested/used, including product name and version number; the technical infrastructure tested/used, including operating system and version (IOS, Windows); and any relevant additional information, such as network configuration details. Screenshots or videos are welcome. 
b)    Issuing MAXI-COSI for the web-based services, please provide the date and time of testing/using, URLs, the browser type and version, as well as the input provided to the application.
Submit one vulnerability per report, and its potential impact. To help us to verify the issue, please provide any additional information, including details on the way used to conduct the testing/using and any relevant test/use configuration.

If you have identified specific threats related to vulnerability, assessed the risk, or have seen vulnerability being exploited, please provide that information via our secured dedicated form on our web site.

When possible, provide the report in English to expedite the process.

DOREL will acknowledge receiving your report within 48H business days.

Your Conduct

Please respond quickly to any communications from us regarding your activities so that we can resolve the issue as soon as possible. Refrain from including sensitive information in any screen shots or other attachments you provide us. Do not perform any vulnerability or similar testing on products that are actively in use. Vulnerability testing should only be performed on devices or systems not currently in use or not intended for use. After vulnerability testing, each device should be retested to ensure no damage has been caused.

The discloser's actions must not be disproportionate, such as:
1) Using social engineering to gain access to the system.
2) Building his or her own backdoor in an information system with the intention of then using it to demonstrate the vulnerability, as doing so can cause additional damages and create unnecessary security risks.
3)  Utilizing a vulnerability further than necessary to establish its existence.
4) Copying, modifying, or deleting data on the system. An alternative for doing so is making directory listing of the system. 
5) Making changes on the system.
6) Repeatedly gaining access to the system or sharing access with others.
7) Using brute force attacks to gain access to the system. This is not a vulnerability in the strict sense, but rather repeatedly trying out passwords.

MAXI-COSI will provide full credit to researchers who make a vulnerability report or perform testing, in publicly released patch or security fix release information, if requested.

In case you decide to share any information with MAXI-COSI, you agree that the information you submit will be considered as non-proprietary, non-confidential and that MAXI-COSI is allowed to use such information in a manner, in whole or in part, without any restriction. 

Furthermore, you agree that the submit information does not create any rights for you or any obligation for MAXI-COSI.

Thank you for helping keep MAXI-COSI, and our customers safe!

Please report your Vulnerability issue here: 
https://www.maxi-cosi.co.uk/c/vulnerability-disclosure-policy-form

View the Support Period timings here: 
https://www.maxi-cosi.co.uk/c/vulnerability-disclosure-policy-support-period