Tedee Sp. z o. o., with the registered office at Karola Bohdanowicza 21/57 Street, 02-127 Warsaw, Poland (“Tedee”) is committed to resolving vulnerabilities to meet the needs of its customers and the broader technology community.
This document describes Tedee’s policy for receiving reports related to potential security vulnerabilities in its products and services and the company’s standard practice with regards to informing customers of verified vulnerabilities.
Tedee encourages you to contact us to report potential security issues in our systems by following this policy and declares that it will not pursue legal action related to your activities of identifying vulnerabilities on our systems as long as you follow the guidelines in this policy.
§ 2 Scope of the Policy
This Policy applies to all websites, applications or services distributed by or hosted by Tedee or served under a domain name owned by Tedee.
If you believe you have discovered a vulnerability, i.e. any type of:
weakness of Tedee software, hardware, or online service that can be exploited;
breach of Tedee software, hardware, or online service that threatens the integrity, confidentiality or availability of the company data or third party data;
existence of ‘copycat’ applications which appear to originate from Tedee;
occurrence of phishing attacks where the sender presents him/herself as Tedee representative;
other activity or data which may constitute threat to Tedee or its customers (“Vulnerability”),
please provide Tedee with the information specified in § 3 below as soon as possible.
Only conduct testing activities to the extent necessary to confirm a Vulnerability’s presence. During the process of discovering, confirming or verifying the Vulnerability it is strictly forbidden to:
exploit any Vulnerabilities or issues you uncover. For instance, avoid downloading excessive data to showcase the vulnerability, or tampering with others’ data;
utilize any non-harmless exploits to confirm the existence of a Vulnerability;
Disclose any downloaded data or the discovered Vulnerability to the public or third parties until it’s resolved;
access any sensitive information such as Personally Identifiable Information (PII), medical, financial, proprietary, or trade secrets. Notify us promptly and refrain from disclosing any acquired data to others.
§ 3 Reporting Vulnerability
In order to inform Tedee about suspected Vulnerability you can contact us either:
by traditional mail, sending the results of your discovery to ‘Tedee Sp. z o.o., Karola Bohdanowicza Street 21/57, 02-127 Warsaw, Poland’;
by filling out the encrypted online vulnerability disclosure form available at https://tedee.com/[WW1]
In order for us to be able to address the suspected Vulnerability your message should contain the following information:
affected area of the suspected vulnerability (tedee app, tedee smart check-in app, tedee.com website, tedee devices);
what type of measures were necessary to access the suspected security vulnerability? Remote/collaborative third-party/physical access to the device?
technical description — provide what actions were being performed and the result in as much detail as possible. Provide step-by-step instructions on how to access the suspected vulnerability;
(*) sample code — if possible, provide the code that was used in testing to access the suspected vulnerability;
end result of accessing vulnerability (what was achieved through accessing the suspected vulnerability) (“Disclosure”).
When submitting Disclosure via email, to ensure confidentiality, we encourage you to encrypt any sensitive information you send to us. We are equipped to receive messages encrypted using S/MIME.
Tedee does not offer any remuneration or prize for discovering confirmed Vulnerability. However, we will endeavor to express gratitude to security researchers who dedicate time and effort to uncover and report Vulnerabilities to us in accordance with this Policy whenever possible.
§ 4 Disclosure Verification
Within 5 business days Tedee will notify you about receiving your Disclosure. Should you not receive feedback from Tedee within the above timeframe, please contact us at [email protected].
Where possible, Tedee shall inform you about the results of Disclosure verification and means implemented to fix the confirmed Vulnerability.
Information about identification and remediation of any confirmed Vulnerability may be disclosed by way of:
distributing information to customers about security vulnerabilities via e-mail.
In most cases, we will issue a notice when we have identified a practical workaround or fix for the particular security vulnerability though there can be instances when we issue a notice in the absence of a workaround when the vulnerability has become widely known to the security community.
As each security vulnerability case is different, we can take alternative actions in connection with issuing security notices. Tedee can determine to accelerate or delay the release of a notice or not issue a notice at all. Tedee does not guarantee that security notices will be issued for any or all security issues customers can consider significant or that notices will be issued on any specific timetable.
distributing information to public newsgroups or electronic mailing lists.
This is done on an ad hoc basis, depending on how Tedee perceives the relevance of each notice to each particular forum.
All aspects of this process are subject to change without notice, as well as to case-by-case exceptions. No particular level of response is guaranteed for any specific issue or class of issues.
Notwithstanding to the above, Tedee reserves the right to not disclose the above information in order to protect the integrity and safety of its internal software, hardware or online services.
§ 5 Other provisions
Tedee does not endorse, condone, or in any way sanction (explicitly or implicitly) any individual, group, partnership, or entity to conduct security research or disclose vulnerabilities or threats on or affecting Tedee’s systems in a manner contrary to this Policy or legal regulations. Engaging in activities that contravene this policy or relevant laws may result in potential criminal and/or civil consequences.
The [email protected] email address is intended ONLY for the purposes of reporting product or service security vulnerabilities. It is not for technical support information on our products or services. All content other than that specific to security vulnerabilities in our products or services will be dropped. For technical and customer support inquiries, please visit https://tedee.com/get-support/.
Tedee may modify the terms of this Policy or terminate the policy at any time.
