Vulnerability disclosure policy
Statement about Support Period
We are committed to providing security updates for our software and hardware firmware.
Petcube products placed on the UK and EU markets will receive security updates for a minimum period of 3 years from the date it is last placed in production. This includes updates to address critical, high, and medium severity vulnerabilities.
We encourage users to keep their software up to date to benefit from the latest security enhancements.
Please note: This statement is subject to change and may be updated without prior notice. We recommend checking this page periodically for the latest information.
For further information, please, contact support@petcube.com.
Petcube Vulnerability Disclosure Policy (VDP)
1. Introduction
Petcube, Inc. is committed to maintaining a secure environment for our users, systems, and data. We believe responsible vulnerability disclosure plays a critical role in improving security for everyone. This Vulnerability Disclosure Policy (VDP) outlines the process for researchers to safely report vulnerabilities in our products and services in alignment with the UK PSTI Act and the EU Cyber Resilience Act (CRA).
2. Scope
This VDP applies to all of Petcube's physical hardware products (firmware), mobile applications, web applications, APIs, and cloud platforms.
Please note: Vulnerabilities in third-party software or services used by Petcube are not covered under this policy. We encourage you to report such vulnerabilities directly to the respective vendor.
3. Reporting Process
We encourage users and security researchers to report discovered vulnerabilities using any of the following methods:
Email: support@petcube.com
Please include the following information in your report:
- • Detailed description of the vulnerability: Explain the nature of the vulnerability, its potential impact, and the steps to reproduce it.
- • Technical details: Provide technical details such as code snippets, proof-of-concept (PoC) code, or screenshots (if applicable) to validate the vulnerability.
- • Contact information: Include a valid email address or other contact information so we can reach you.
We appreciate your cooperation with the following guidelines:
- • Refrain from public disclosure of the vulnerability before it is coordinated with and acknowledged by Petcube.
- • Do not engage in any activities that may disrupt Petcube's systems or cause harm to users (e.g., denial-of-service attacks).
- • Maintain the confidentiality of any information not publicly disclosed by Petcube.
4. Response Timeline
- • In accordance with the Vulnerability Disclosure Policy, we commit to acknowledge your reported vulnerability within 24 hours (Monday to Friday, 9am to 5pm EST) upon receipt of the initial submission.
- • Once the reported security issue is verified based on its impact, severity, and the complexity of the potential concern, we will assign a Vulnerability Classification level and actions will be determined at that time. We may seek your ongoing assistance in addressing the vulnerability concern during the review and resolution period, up to 90 days, unless otherwise prohibited.
- • Throughout this process, we will provide updates on progress bi-weekly until a resolution is in place. We kindly request that you treat the vulnerability as confidential and refrain from engaging in activities such as unauthorized denial of service attacks, load testing, social engineering, or other undesirable actions until a solution has been implemented.
5. Resolution Process
- • Petcube will work diligently to develop a patch, workaround, or other solution to address the reported vulnerability.
- • Affected users and stakeholders will be informed about the vulnerability, mitigation steps, and potential risks.
- • After thorough testing and verification, the mitigation will be made available to users with clear instructions on implementation.
- • Public disclosure of the vulnerability details may be considered after proper remediation and user notification.
6. Guidelines for Researchers
We appreciate responsible security researchers who help us improve the security of our products and services. Please act ethically and legally throughout the reporting process.
Thank you for your cooperation!
Please note: This VDP is subject to change and may be updated without prior notice. We recommend checking this page periodically for the latest information.
7. Secure Product Decommissioning
To ensure your data remains resilient against unauthorized access under the CRA, users must securely erase personal configurations before gifting, selling, or recycling a Petcube device. Before proceeding, ensure you delete the device from your Petcube app account settings. Then, execute a full hardware factory reset based on your model:
- • Petcube Cam / Cam 360: Quickly press the start button on the back of the camera 7 times in a row until the device plays a sound.
- • Petcube Play 2 / Bites 2 Lite: Insert a reset pin into the small reset hole (located on the bottom of the Play or next to the USB port on the Bites) and hold it down for 8 seconds until the device plays a sound.
Allow the camera to reboot until the LED indicator flashes green. This action permanently deletes all local Wi-Fi credentials and linked cryptographic authentication tokens from the physical hardware.
End-of-Life (EOL):
A Petcube product reaches its End-of-Life (EOL) when it is no longer actively supported by Petcube. This means that we will discontinue providing security updates, bug fixes, and new feature development for the product.
EOL Information:
We will announce End-of-Life (EOL) dates for products at least 6 months in advance through the following channel: Vulnerability Disclosure Policy [https://petcube.com/docs/vulnerability-disclosure-policy]. This policy will be updated to reflect the EOL date.
Note:
* Security updates for Petcube Cam will be provided up to 31 December 2028 and extended support may be provided after the stated date.
* Security updates for Petcube Cam 360 will be provided up to 31 December 2028 and extended support may be provided after the stated date.
* Security updates for Petcube Play 2 will be provided up to 31 December 2028 and extended support may be provided after the stated date.
* Security updates for Petcube Bites 2 Lite will be provided up to 31 December 2028 and extended support may be provided after the stated date.