Miko Device and Services Vulnerability Reporting and Bug Bounty Program

Safeguarding our customers' security is a top priority. We recognize that performing high-quality security research requires a considerable investment of effort, time, and skill from researchers. We value the contributions of external security researchers who help bring potential issues to our attention and further protect our customers and improve the security of our devices and services. This page describes our practice for addressing potential vulnerabilities in any aspect of our products and services. The Miko Bug Bounty Program is designed to recognize security research on our devices Miko 3, Miko Mini, and Miko Chess, associated cloud services, and web/mobile applications through bounty rewards.
Please review this page for our process, responsible research and disclosure policy, reward guidelines, and detailed scope of The Miko Devices and Services Bug Bounty Program.

Reporting of security or privacy vulnerability

Initial Acknowledgment: Miko strives to acknowledge receipt of all submitted vulnerability reports within 1 month of submission.

Resolution Timeline: We aim to evaluate and prioritize all reported issues promptly, and will provide status updates throughout the resolution process. Resolution timelines may vary depending on the complexity and severity of the issue.

If you believe that you've discovered a security or privacy vulnerability that affects the Miko family of devices, software or services, please report it directly to us at product-security@miko.ai. Anyone can submit a report, including security researchers, developers, and customers. We evaluate all eligible research for Miko Security Bounty rewards.
A high-quality research report is critical to help us confirm and address an issue more quickly, and could help you receive a MIKO Security Bounty reward.

A complete report includes:

  1. Description of product and software version(s) that you believe are affected.
  2. A detailed technical description of the issue(s) and the behavior you observed, as well as the behavior that you expected.
  3. A numbered list of steps required to reproduce the issue.
  4. A working proof of concept (PoC) or exploit that consistently triggers the vulnerability.
  5. Details of any related issues or variants.
  6. Optionally, you can also provide patch/mitigation suggestions.

    MIKO strongly recommends including a working exploit, rather than a basic proof of concept. We accept reports without this information, but reports with more details typically receive higher bounty rewards. If your report doesn't include the necessary information to allow us to reproduce the issue, we may not be able to accept your report or evaluate it for a bounty.
    Use the Miko Product Security PGP key to encrypt sensitive information and encrypt any attachments and files that you share with us to product-security@miko.ai.
  • You can obtain a version of GPG Suite from GPGTools. Additionally, GnuPG is available as freeware.
  • Miko Product Security key

This is our GPG key which is valid until April 29, 2025
Key ID: A26D8581
Key Type: RSA3072
RSA Expires: 2026-04-29
Key Size: 2.48KB
Fingerprint: 4980 4858 9E56 B64A 9B69 6F0D 41C2 922A A26D 8581

UserID : Miko Product Security


When we generate a new key, it will be available from this web page. Our previous PGP keys are available upon request to facilitate the validation of previously signed messages.

  • Documents shared with you by the Miko Product Security team are signed with the Miko PGP key. We encourage you to check the signature to ensure
    that the document was indeed written by our team and has not been changed.
  • When sending sensitive security information by email, please encrypt it.

Responsible Research and Disclosure Policy

By reporting the issue to security-research@miko.ai and participating in the Miko Vulnerability Reporting and Bug Bounty program, you agree not to share publicly or privately any details or descriptions of your findings with any party.
You are prohibited from:

  • Accessing or collecting any customer data.
  • Exploiting security vulnerabilities for any purpose other than testing.
  • Publicly disclosing any information regarding the reported issue without written consent from Miko.

In case of accidental exposure to or collection of customer data, you must notify us what information was accessed and provide written confirmation that the data has been securely deleted.

While our goal is to resolve the vulnerabilities reported to us as soon as possible, vulnerabilities initially disclosed publicly or to a third party without our consent may not be eligible for recognition or rewards.

Safe Harbor

As long as you comply with this policy:
1. We consider your security research to be "authorized" under the Computer Fraud and Abuse Act.
2. We will not pursue legal action against you for your submission of the security research.

Miko does not authorize any activity on third-party products, content or technology (including any third-party technology that is included in, or that interoperates with, Miko products) nor does Miko guarantee that third parties would not pursue legal action against you. We are not responsible for your liability from actions performed on third parties or on their technology.

You are responsible for complying with local laws, restrictions, regulations, etc. Therefore, you are responsible for ensuring that you do not engage in activities that are illegal or unethical.
To protect your privacy, we will not, unless served with legal process or to address a violation of this policy:

  • Share your PII with third parties.
  • Share your research without your permission.

What happens after I submit a report?

The Miko Security team reviews each report to determine whether the issue reported is a valid security or privacy issue, and if so, whether it qualifies for a reward. All security issues with significant impact to users will be considered for the Miko Security Bounty.
You will receive an update by email when review of your report has started, when we make a determination about its impact, and, for eligible issues, when it is being addressed in a timely manner.
You will be updated by email on significant events, including when review of your report has started, when we make a determination of its impact, when more information is needed from you, or, for eligible issues, when it is being addressed. After a valid report is addressed, it will be reviewed for a Miko Security Bounty reward payment. If your report qualifies for a reward, you will receive communication on your reward, including bounty status, amount, and any next steps.
If you have questions, or want to provide more information to help us reproduce or investigate an issue, you can add comments or attachments to your email report at any time.
We make it a priority to resolve security and privacy issues as quickly as possible. Please note that for the protection of our customers, Miko does not disclose, discuss or confirm security issues until our investigation is complete and any necessary updates are generally available.
Miko uses security advisories to publish information about security fixes in our products and to publicly credit people or organisations that have reported security issues to us. Credit is added after the issue has been identified and addressed.

Miko Devices and Services Bug Bounty Program Process

MIKO Security Bounty eligibility rules are designed to make sure we can verify your research and protect customers until an update is available.
For an issue to be eligible for a MIKO Security Bounty, the issue you report must occur on a Miko device running the latest publicly available version with a standard configuration.
For Services vulnerabilities, the issue must relate to a web server or service owned by Miko or a Miko subsidiary, barring exclusions from the Terms and Conditions.
Many vendors offer products within the Miko platform. If the vulnerability is found to affect a third-party product, Miko will notify the owner of the affected technology. Miko will endeavour to continue to coordinate between you and the third party. Your identity will not be disclosed to the third party.
To be considered for a reward, you must comply with all parts of this policy, including the following requirements:

  • Adherence to our Responsible Research and Disclosure Policy and other legal obligations.
  • Report a vulnerability only for the products or services that are listed within the scope of the program, and only if it is not a duplicate submission of a previously known vulnerability.
  • Vulnerabilities cannot be disclosed to any third party without our consent and must be submitted first to us.
  • Vulnerabilities found in SoC vendor-specific code may not qualify for rewards unless there is a demonstrated impact on Miko products.
  • You must be available to provide additional information if needed by us to reproduce and investigate your report.

Restrictions

To be eligible for the program, you must not:

  • Be a resident of, or make your submission from, a country against which the United States or India has issued export sanctions or other trade restrictions.
  • Have been, at any time, in the past or present, employed by Miko or any of its subsidiaries. For avoidance of any doubt, this would include all present and past employees of Miko, its affiliates and subsidiaries.
  • Be a direct family member of a person employed by Miko or any subsidiaries of Miko.

In addition, you must meet the following requirements:

  • You must be the first party to report the issue directly to Miko by email at security-research@miko.ai
  • Your report must be clear and detailed as specified by the reporting guideline listed above.
  • You must not disclose the issue publicly before Miko releases an update for the report.

Terms and Conditions

You must adhere to the following Terms and Conditions:
1. You must not disrupt, compromise, or otherwise damage data or property owned by other parties. This includes attacking any devices or accounts other than your own (or those for which you have explicit, written permission from their owners), and using phishing or social engineering techniques.
2. You must not disrupt Miko services.
3. Immediately stop your research and notify Miko using the reporting process before any of the following occur:

  • You access any accounts or data other than your own (or those for which you have explicit, written permission from their owners).
  • You disrupt any Miko service.
  • You access systems related to Payment processes
  • You access a non-customer-facing Miko system.

4. You must comply with all applicable laws, including local laws of the country or region in which you reside or in which you download or use Miko software or services.
5. Miko Security Bounty payments are granted solely at the exclusive discretion of Miko.
6. Miko Security Bounty payments may not be issued to you if you are (a) in any U.S. embargoed countries or (b) on the U.S. Treasury Department's list of Specially Designated Nationals or the U.S. Department of Commerce Denied Person's List or Entity List or any other restricted party lists.
7. You are responsible for the payment of all applicable taxes.
8. A participant in the Miko Security Bounty program (“MSB Participant”) will not be deemed to be in breach of applicable Miko license provisions which provide that a user of Miko software may not copy, decompile, reverse engineer, disassemble, attempt to derive the source code of, decrypt, modify, or create derivative works of such Miko software, for in-scope actions performed by that MSB Participant where all of the following are met:

  • The actions were performed during good-faith security research, which was or was intended to be responsibly reported to Miko;
  • The actions were performed strictly during participation in the Miko Security Bounty program; and
  • Neither the actions nor the MSB Participants have otherwise violated these policies such as violating legal requirements 1, 2, and 3, above.