Responsible Disclosure Policy



At Yoto, we are committed to providing a safe and secure experience for our users. We understand the importance of collaboration with security researchers and ethical hackers to identify and address potential vulnerabilities in our systems. This responsible disclosure policy outlines the guidelines for reporting security vulnerabilities in Yoto's products and services.

Scope

This responsible disclosure policy applies to all products, services, and platforms offered by Yoto, including the Yoto Player, Yoto Mini, Yoto App, and associated web services.

Reporting Vulnerabilities

If you discover a security vulnerability in any of Yoto's products or services, we encourage you to report it to us promptly. You can report vulnerabilities by filling out the form at the bottom of this page.

When reporting a vulnerability, please provide us with:

  • A detailed description of the vulnerability, including steps to reproduce it.
  • Your contact information (name and email address) for further communication.
  • Any supporting documentation or proof of concept, if applicable.

Response and Resolution

Upon receiving your vulnerability report, our security team will acknowledge receipt within 3 business days. We will promptly investigate the reported issue and take appropriate action to address it.

We aim to provide regular updates on the progress of resolving the vulnerability. Once the issue is resolved, we will notify you and, if appropriate, publicly acknowledge your contribution to improving the security of our products and services.

Guidelines for Responsible Disclosure

  • Do not exploit the vulnerability for any malicious purpose or disclose it publicly before it has been resolved by Yoto.
  • Do not access, modify, or delete any user data without explicit permission. Respect the privacy and rights of our users and comply with all applicable laws and regulations.
  • Securely delete all data retrieved during your research as soon as it’s no longer required or within 1 month of the vulnerability being resolved, whichever occurs first (or otherwise required by data protection law)

Rewards

As a token of appreciation for your responsible disclosure, we may offer rewards or acknowledgments, subject to the severity and impact of the reported vulnerability.

Legal Protection

This policy is designed to be compatible with common vulnerability disclosure good practice. It does not give you permission to act in any manner that is inconsistent with the law, or which might cause Yoto or partner organisations to be in breach of any legal obligations.

However, if legal action is initiated by a third party against you and you have complied with this policy, we can take steps to make it known that your actions were conducted in compliance with this policy.

Feedback

We welcome feedback on our responsible disclosure policy and its implementation. If you have any suggestions or concerns, please feel free to contact us using the form below.

Thank you for helping us maintain the security and integrity of Yoto's products and services.

Last Updated: 29 April 2024