Version: 27-Nov-2023

1. Introduction

VTech is committed to ensuring the security of the customers by protecting their personal information from unwarranted disclosure. This policy is intended to give security researchers clear guidelines on conducting vulnerability discovery activities and identification of the vulnerabilities discovered that we would like to receive from security researchers.

2. Out of Scope Vulnerabilities

This Policy does not apply to assets or other equipment owned by third parties. Vulnerabilities discovered or suspected in respect of the out-of-scope assets or equipment should be reported to the appropriate vendor or applicable authority.

3. Guidelines

To participate in the VTech vulnerability disclosure programme, participants must:-

• comply with all applicable laws;
• comply with this policy and any other applicable agreements. This policy shall always prevail in case of any discrepancy or inconsistency with any other applicable agreements;
• share the details of the security issue with VTech;
• send vulnerability reports or security concerns to the email specified in this policy;
• allow a reasonable time for VTech to analyse and/or resolve the issue before disclosing it publicly;
• not access or modify VTech or user data, without explicit permission of the owner and contact VTech immediately if user data is inadvertently encountered;
• only interact with accounts set up or test accounts provided for security research purposes;
• avoid privacy violations, destruction of data, and interruption or degradation of our services (including denial of service);
• not perform exfiltration of data; and
• not engage in extortion.

4. Reporting a Vulnerability or Security Concern

Prepared reports with any discovered vulnerabilities or suspected security concerns, should be sent by email to VulnerabilityReporting@vtech.com. We will investigate and make every effort to correct the vulnerability and/or address concerns. In order to help VTech follow up concerns, we request reports in English (if possible), including the following information:

• the location the product was purchased;
• the location the vulnerability or security concern was discovered;
• the potential impact of the vulnerability or security concern;
• a detailed description of the steps needed to reproduce the vulnerability or security concern, which may include proof of concept scripts and screenshots; and
• steps that can mitigate the vulnerability or security concern.

Reports may be submitted anonymously. You will receive an acknowledgement of the receipt of a security issues report as soon as practicable and status updates until the resolution of the reported security issues.

5. Disclosure to Third Parties

If the issue reported affects a third-party library or other vendor, we reserve the right to forward the relevant details to that party without giving prior notice.

6. Authorization

If a security researcher complies with this policy in conducting vulnerability discovery activities, we will consider those activities to be authorised. We will not initiate nor recommend any law enforcement or civil actions related to such activities.

We do not authorise, permit, or otherwise allow (expressly or implicitly) any person or legal entity to engage in any security research or vulnerability or threat disclosure activity that is inconsistent with this policy or the law. Any activities that are inconsistent with this policy or the law may lead to criminal and/or civil liabilities.

If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this Policy.

If at any time you have concerns or are uncertain whether your security research is consistent with this Policy, you are encouraged to discuss with us before you go any further. You may contact us by sending an email to VulnerabilityReporting@vtech.com.