Responsible Disclosure Policy
At ANYbotics, we consider the security of our systems, products, and services a top priority. Our software and hardware power autonomous robots in complex industrial environments, and ensuring their security is fundamental to our mission of improving safety, efficiency, and sustainability.
Despite our best efforts, vulnerabilities may still be present. If you discover a vulnerability in one of our online offerings, or on a robot owned and operated by ANYbotics, we want to know about it so we can take steps to address it as quickly as possible. We encourage you to help us better protect our clients, our products, and our systems by reporting your findings.
This policy outlines our process for receiving, evaluating, and responding to vulnerability reports.
How to Report a Vulnerability
Please do the following:
- E-mail your findings to security@anybotics.com.
- Encrypt your findings using our PGP key to prevent this critical information from falling into the wrong hands. You can find our key here: https://anybotics.com/gpg-key.txt
- Provide sufficient information to reproduce the problem so we can resolve it as quickly as possible. Usually, the IP address or the URL of the affected system, a detailed description of the vulnerability, and steps for reproduction will be sufficient. For complex vulnerabilities, further explanation may be required.
Rules of Engagement
- Do not conduct any testing or research on robots and other assets owned and operated by our customers.
- Do not simply throw an AI bot at our infrastructure and send us their report. We can do that ourselves, and regularly do. Of course you may use the best automation tools at your disposal, but we reserve the right to simply ignore reports that are not verified and contextualized by a human.
- Do not take advantage of the vulnerability you have discovered. For example, do not download more data than necessary to demonstrate the vulnerability, and do not delete or modify anyone else’s data.
- Do not reveal the problem to others until we have had a reasonable amount of time to resolve it.
- Do not perform any actions that could disrupt our services or harm our systems. This includes attacks on physical security, social engineering, distributed denial of service (DDoS), spam, or attacks on third-party applications. All testing should be performed on non-production systems where possible.
- Under no circumstances should you perform any actions that could jeopardize the physical safety of any living being. The safety of our employees, customers, and the public is paramount. Any activity that risks physical harm is strictly prohibited and will not be protected by our safe harbor commitment.
Our Commitment (Safe Harbor)
To show our appreciation for security researchers who help us protect our systems, we promise the following:
- Response: We will respond to your report within 3 business days with our evaluation of the report and an expected resolution date. The resolution timeline will be based on the severity of the finding, in line with our internal Vulnerability Management Standard.
- No Legal Action: If you act in good faith and follow the guidelines in this policy, we will not take any legal action against you regarding your report. We consider such activities to be authorized under applicable computer crime laws, including the Swiss Criminal Code.
- Confidentiality: We will handle your report with strict confidentiality and will not share your personal details with third parties without your permission.
- Communication: We will keep you informed of our progress as we work to resolve the problem.
- Recognition: In our public disclosures about the resolved vulnerability, we will credit you as the discoverer unless you request to remain anonymous.
- Rewards: As a token of our gratitude for your assistance, we offer a reward for every report of a security problem that was not yet known to us. The amount and nature of the reward will be determined based on the severity of the vulnerability, the quality of the report, and the impact on our systems. The minimum reward will be a CHF 50 gift certificate.
We strive to resolve all problems as quickly as possible and believe in a collaborative approach to vulnerability disclosure. We look forward to working with the security community to keep ANYbotics and our customers secure.
Revision History
| Version | Date | Editor | Approver | Description of Changes | Status |
|---|---|---|---|---|---|
| 1.0 | 22.07.2025 | Hannes Wyss | Hannes Wyss | Initial Version | Active |