Vulnerability Disclosure Policy
Effective Date: May 9, 2026
Yarbo (“we”, “us”, or “our”) welcomes responsible security research from the global security community. We encourage security researchers to identify and responsibly disclose security vulnerabilities affecting our official products, applications, and cloud infrastructure. This Vulnerability Disclosure Policy (“Policy”) defines valid research scope, safe harbor protections, reporting requirements, response procedures, and public disclosure rules for all researchers who submit security issues to Yarbo.
1. Our Commitment
We are committed to maintaining the security, stability, and privacy protection of all Yarbo products and services. We sincerely appreciate the efforts of independent security researchers and the security community to help us continuously improve our security posture.
We commit to the following practices for all valid vulnerability reports:
- Acknowledging your report in a timely manner
- Conducting complete and thorough technical investigation
- Developing, testing, and releasing security fixes
- Maintaining transparent communication throughout the remediation process
- Respecting coordinated disclosure rules and researcher contributions
2. Authorized Research Scope (In Scope)
You may perform limited, non-destructive, good-faith security research on the following Yarbo-owned assets:
- Domains and Cloud Services: All official global and regional websites, cloud platforms, service interfaces and other business endpoints officially operated under the Yarbo domain ecosystem, including all subdomains and service endpoints under *.yarbo.com.
- Official Applications: Yarbo mobile applications for iOS and Android, official web portals, and self-developed backend management systems within active maintenance.
- Hardware Products: All officially released Yarbo smart hardware devices within the security maintenance lifecycle, including smart mowing robots, snow blowing robots, leaf blowers, and related outdoor intelligent devices, covering device firmware, embedded systems, and device-to-cloud communication protocols.
- Public APIs: Publicly accessible application programming interfaces serving Yarbo official products and platforms.
3. Prohibited Scope (Out of Scope)
The following assets and activities are not authorized under this Policy. Reports originating from the following scenarios will not be accepted and are not eligible for safe harbor protection:
- Third-party platforms, third-party SDKs, open-source components, and non-Yarbo systems
- Products and services that have been discontinued, end-of-sale, or end-of-life with no official maintenance
- Social engineering, phishing, pretexting, or physical intrusion tests
- Physical disassembly, hardware tampering, chip probing, or destructive physical testing
- Distributed denial-of-service, traffic flooding, brute-force attacks, or any testing that causes service instability, performance degradation, or service interruption
- Duplicate reports, publicly known vulnerabilities, and issues caused by improper user operation
- Vulnerabilities with no reproducible steps, no valid impact, or no security risk
4. Safe Harbor
Yarbo will not initiate legal action against security researchers who conduct security research in strict compliance with this Policy. You are protected under safe harbor if you:
- Act in good faith and only for the purpose of reporting security risks to Yarbo
- Do not access, modify, store, or exfiltrate personal user data, sensitive information, or Yarbo confidential data beyond what is minimally necessary for vulnerability verification
- Do not disrupt system availability, damage devices, impair public safety, or harm user interests
- Do not disclose any unpatched vulnerability details without official written approval
- Cooperate with Yarbo’s security team during investigation and remediation
Any conduct exceeding the scope of good-faith security research will void safe harbor protection.
5. How to Submit a Vulnerability
Please submit all security vulnerability reports to our official security email address: security@yarbo.com
To help our team validate and resolve your report efficiently, your submission should include:
- A clear and detailed description of the vulnerability and potential security impact
- Complete step-by-step reproduction instructions
- Non-destructive proof-of-concept (PoC) that does not cause data loss, service failure, or device damage
- Detailed affected asset information, including URL, API endpoint, app version, device model, and firmware version
- Supporting evidence such as screenshots, logs, or screen recordings
- Your preferred name for public acknowledgment (optional)
6. Third-Party Safe Harbor
- If you submit a valid vulnerability report affecting any third-party service integrated with Yarbo’s products and infrastructure, we will strictly control the disclosure and sharing of your report content with the affected third party. We may share non-identifying information extracted from your vulnerability report with the relevant third party to facilitate vulnerability remediation, but only after formally notifying you of our intended action and obtaining a written commitment from the third party that it will not initiate legal proceedings or law enforcement contact against you based on your submitted report. We will never share your personal identifying information with any affected third party without your explicit written approval.
- Please note that this Policy does not authorize any security testing on out-of-scope third-party systems and services. Any testing targeting independent third-party platforms is not covered by this Policy’s protections. Before conducting any security research on third-party services, you must refer to the third party’s official vulnerability disclosure policy (if available) or contact the third party directly or via legal representation to obtain legitimate authorization. Nothing in this Policy shall be construed as an agreement by Yarbo to defend, indemnify, or protect you from any claims, disputes, or legal actions raised by third parties resulting from your security research behaviors.
- If a third party or law enforcement initiates legal action against you solely due to your compliant security research and vulnerability disclosure under this Policy, and you have fully acted in good faith and complied with all terms herein (without intentional or malicious violations), we will take reasonable steps to verify and confirm that your actions were conducted in accordance with our official vulnerability disclosure rules. All valid vulnerability reports you submit are treated as confidential and potentially privileged documents by Yarbo, and we will resist compelled disclosure of such information to the fullest extent permitted by applicable law. Nevertheless, you acknowledge that a competent court may issue a mandatory disclosure order notwithstanding our objections.
7. Policy Updates
Yarbo reserves the right to update this Vulnerability Disclosure Policy at any time. All updates will be posted on our official website security page. Continued security research and vulnerability submission after policy updates constitutes acceptance of the latest terms.
8. Contact
For vulnerability reports, security inquiries, and policy appeals, please contact us at: