Privacy Policy

2025-08-13

1. General Provisions


1.1 Purpose


This policy aims to regulate the behavior of security researchers, users, and other third parties (hereinafter referred to as "disclosers") in discovering and reporting security vulnerabilities in our products, services, or systems, to balance security and transparency in vulnerability disclosure, and to jointly enhance our network security protection capabilities so as to protect user data and system security.


1.2 Scope of Application


This policy applies to all of our products, services, websites, systems, and related infrastructure (collectively referred to as "assets"), including but not limited to web applications, mobile applications, servers, network devices, etc.


1.3 Definition


Security vulnerability: refers to design flaws, code errors, or configuration issues that may lead to unauthorized access, data leakage, service interruption, privilege escalation, and other security risks.


2. Vulnerability Reporting Standards


2.1 Report Content


The discloser shall provide the following information for our processing:

The assets where the vulnerability is located (such as website address, application name, and version);

The type and a detailed description of the vulnerability;

Reproduction steps (including necessary tools, accounts, environment, etc.);

The scope of vulnerability impact and the potential harm it may cause;

Discloser's contact information (such as name, email).


2.2 Legal testing requirements


The discloser shall comply with the following regulations during the testing process:

Unauthorized access, collection, and disclosure of user data (including personal information, account passwords, etc.) are prohibited;

Do not damage system functions, tamper with data, or cause service interruptions;

Do not exploit vulnerabilities for attacks, spread malicious software, or seek personal gain;

The testing scope is limited to our publicly available assets and must not involve third-party systems.


3. Vulnerability Handling Process


3.1 Reception and Confirmation


After receiving the vulnerability report, we will conduct a preliminary review within 3 working days to confirm whether it is a valid vulnerability and provide feedback to the discloser.


3.2 Analysis and Repair


For valid vulnerabilities, we will assess their severity (such as low, medium, high, urgent) and develop a repair plan within the corresponding time frame (within 24 hours for urgent vulnerabilities, 7 days for high-risk vulnerabilities, and 30 days for medium- and low-risk vulnerabilities);

After the repair is completed, we will verify the vulnerability and confirm that the issue has been resolved.


3.3 Feedback and Disclosure


After the vulnerability is fixed, we will provide feedback on the handling results to the discloser within 5 working days;

After mutual agreement, we may disclose the vulnerability information (excluding the privacy of the discloser and sensitive technical details) after the repair is completed.


4. Discloser's Rights and Responsibilities


4.1 Rights


We would like to express our gratitude to those who report vulnerabilities in compliance with this policy, and may provide rewards for significant vulnerabilities (specific standards will be explained separately);

The legitimate testing behavior of the discloser is protected by this policy, and we will not take legal action for reporting vulnerabilities in good faith.


4.2 Responsibility


After reporting the vulnerability, the discloser shall comply with the principle of "responsible disclosure" and shall not disclose the details of the vulnerability to any third party until we have completed the repair;

If losses are caused by the discloser's violation of the testing requirements or leakage of vulnerability details, we reserve the right to pursue their legal responsibility.


5. Other Instructions


Any matters not covered by this policy shall be resolved through consultation between us and the disclosing party;

We have the right to revise this policy according to the actual situation, and the revised version will be announced on the official website through official channels;

Vulnerability report receiving email: psirt@loostone.com. If you have any questions, please send an email for consultation.


Shanghai Hearthstone Information Technology Co., Ltd

Release date: July 29, 2025

