Vulnerability Disclosure Policy
Happy Solutions SG Pte Ltd is committed to ensuring the security and safety of our products, and we are glad to receive feedback from the security community and security researchers in order to improve the security and safety of our products. This policy is intended to give the security community and researchers a clear guideline for conducting vulnerability discovery activities and to explain how to submit discovered vulnerabilities to us. Fostering a partnership with the community to receive feedback is our long-term goal, in order to ensure safety and security for our important customers.
We require that all researchers:
- Make every effort to avoid privacy violations and disruption to the products or devices, and protect data during security testing.
- Communicate and work hand in hand with us; these are the key elements throughout the process.
- Use only the communication channels for vulnerability reporting identified in this policy.
- Conduct research only within the scope set out below.
- Keep all information confidential between yourself and Happy Solutions SG Pte Ltd; any disclosure of the vulnerabilities needs approval by Happy Solutions SG Pte Ltd before disclosing.
If you follow these guidelines when reporting an issue to us, we commit to:
- Working together to understand and resolve any issues related to the vulnerability.
- Not supporting or pursuing legal action in relation to your research of a vulnerability.
- Making a product modification or configuration change based on the issue reported by you.
The law should be respected in all research. No system or target should be attacked using vulnerability scanning as a pretext, and reporting a vulnerability does not imply being exempt from compliance.
Several actions must be avoided. For example:
- Usage of social engineering
- Usage of malware
- Performing DoS or DDoS attacks
- Compromising the system and maintaining access to it persistently
- Changing the data accessed by exploiting the vulnerability.
- Using the vulnerability in any way beyond proving its existence. To demonstrate that the vulnerability exists, the reporter could use non-intrusive methods, for example, listing a system directory.
- Usage of brute force to gain access to systems
- Sharing vulnerability or any information related to the vulnerability with third parties
The Happy Solutions SG Pte Ltd Vulnerability Disclosure Program initially covers the following products:
- QuantumX Zigbee Ethernet Wired Hub (R7071) (Pending)
- QuantumX Zigbee Ethernet Wired Hub (Y-WG004) (Pending)
We would like to ask all security researchers to submit vulnerability reports only for the stated product list. There will be more products added to the list and we intend to increase our scope as we build capacity and experience with this process.
Reporting a vulnerability
If you believe you’ve found a security vulnerability in one of our products or platforms, please send the finding report to us by emailing firstname.lastname@example.org. If you do not know what kind of information is required for submission, you can use the template below.
Proof of Concept:
Report of Crash Dump:
How you found the bug:
And an acknowledgement that you agree NOT to publicise or disclose your unofficial report.
QuantumX will acknowledge your report within 3-5 working days and weekly status updates will be provided until the resolution of the reported issues.