Miko Device and Services Vulnerability Reporting and Bug Bounty Program

Safeguarding our customers' security is a top priority. We recognize that performing high-quality security research requires a considerable investment of effort, time, and skill from researchers. We value the contributions of external security researchers who help bring potential issues to our attention, further protect our customers, and improve the security of our devices and services. This page describes our practice for addressing potential vulnerabilities in any aspect of our products and services. The Miko Bug Bounty Program is designed to recognize, through bounty rewards, security research on our devices Miko 3, Miko Mini, and Miko Chess, the associated cloud services, and web/mobile applications.
Please review this page for our process, responsible research and disclosure policy, reward guidelines, and detailed scope of The Miko Devices and Services Bug Bounty Program.

Reporting of security or privacy vulnerability

If you believe that you've discovered a security or privacy vulnerability that affects the Miko family of devices, software or services, please report it directly to us at product-security@miko.ai. Anyone can submit a report, including security researchers, developers, and customers. We evaluate all eligible research for Miko Security Bounty rewards.
A high-quality research report is critical to help us confirm and address an issue more quickly, and could help you receive a MIKO Security Bounty reward.

A complete report includes:

  1. Description of product and software version(s) that you believe are affected;
  2. A detailed technical description of the issue(s) and the behavior you observed, as well as the behavior that you expected
  3. A numbered list of steps required to reproduce the issue
  4. A working proof of concept (PoC) or exploit that consistently triggers the vulnerability.
  5. Details of any related issues or variants
  6. Optionally, you can also provide patch/mitigation suggestions.

MIKO strongly recommends including a working exploit, rather than a basic proof of concept. We accept reports without this information, but reports with more details typically receive higher bounty rewards. If your report doesn't include the necessary information to allow us to reproduce the issue, we may not be able to accept your report or evaluate it for a bounty.
Use the Miko Product Security PGP key to encrypt sensitive information, and encrypt any attachments and files that you share with us at product-security@miko.ai.
  • You can obtain a version of GPG Suite from GPGTools. Additionally, GnuPG is available as freeware.
  • Miko Product Security key

This is our GPG key which is valid until April 29, 2025
Key ID: A26D8581
Key Type: RSA3072
RSA Expires: 2025-04-29
Key Size: 2.48KB
Fingerprint: 4980 4858 9E56 B64A 9B69 6F0D 41C2 922A A26D 8581

UserID : Miko Product Security

When we generate a new key, it will be available from this web page. Our previous PGP keys are available upon request to facilitate the validation of previously signed messages.

  • Documents shared with you by the Miko Product Security team are signed with the Miko PGP key. We encourage you to check the signature to ensure that the document was indeed written by our team and has not been changed.
  • When sending sensitive security information by email, please encrypt it.
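
An added example, not Miko's own tooling: one way to check a downloaded copy of the key against the fingerprint published above before importing it and encrypting a report. The file names and helper function names are assumptions for illustration.

```sh
#!/bin/sh
# Added example. Fingerprint copied from this page; file names are hypothetical.
EXPECTED_FPR="4980 4858 9E56 B64A 9B69 6F0D 41C2 922A A26D 8581"

# Remove whitespace and uppercase, so spaced and unspaced forms compare equal.
normalize_fpr() {
  printf '%s' "$1" | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]'
}

# Read `gpg --with-colons` output on stdin; print the first "fpr" record's
# fingerprint (field 10), which belongs to the primary key.
primary_fpr() {
  awk -F: '$1 == "fpr" { print $10; exit }'
}

# Succeed only if the key listing on stdin carries the published fingerprint.
fpr_matches() {
  got=$(primary_fpr)
  [ -n "$got" ] && [ "$(normalize_fpr "$got")" = "$(normalize_fpr "$EXPECTED_FPR")" ]
}

# Inspect the key file without importing it, import only on a match, then
# encrypt to the full fingerprint rather than the short key ID.
encrypt_report() {
  keyfile=$1
  report=$2
  if ! gpg --show-keys --with-colons "$keyfile" | fpr_matches; then
    echo "fingerprint mismatch, not importing $keyfile" >&2
    return 1
  fi
  gpg --import "$keyfile" || return 1
  gpg --armor --encrypt --recipient "$(normalize_fpr "$EXPECTED_FPR")" \
      --output "$report.asc" "$report"
}

# Usage: sh encrypt-report.sh miko-product-security.asc report.txt
if [ "$#" -eq 2 ]; then
  encrypt_report "$1" "$2"
fi
```

GnuPG refuses to encrypt to a key that is past its expiry date, so the last step fails once the key listed above (expiring 2025-04-29) has lapsed and a newer key has not been fetched.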

Responsible Research and Disclosure Policy

By reporting the issue to security-research@miko.ai and participating in the Miko Vulnerability Reporting and Bug Bounty program, you agree not to share publicly or privately any details or descriptions of your findings with any party.
You are prohibited from:

  • Accessing or collecting any customer data.
  • Exploiting security vulnerabilities for any purpose other than testing.
  • Publicly disclosing any information regarding the reported issue without written consent from Miko.

In case of accidental exposure to or collection of customer data, you must notify us what information was accessed and provide written confirmation that the data has been securely deleted.
While our goal is to resolve the vulnerabilities reported to us as soon as possible, vulnerabilities initially disclosed publicly or to a third party without our consent may not be eligible for recognition or rewards.

Safe Harbor

As long as you comply with this policy:
1. We consider your security research to be "authorized" under the Computer Fraud and Abuse Act.
2. We will not pursue legal action against you for your submission of the security research.

Miko does not authorize any activity on third-party products, content or technology (including any third-party technology that is included in, or that interoperates with, Miko products) nor does Miko guarantee that third parties would not pursue legal action against you. We are not responsible for your liability from actions performed on third parties or on their technology.

You are responsible for complying with local laws, restrictions, regulations, etc. Therefore, you are responsible for ensuring that you do not engage in activities that are illegal or unethical.
To protect your privacy, we will not, unless served with legal process or to address a violation of this policy:

  • Share your PII with third parties.
  • Share your research without your permission.

What happens after I submit a report?

The Miko Security team reviews each report to determine whether the issue reported is a valid security or privacy issue, and if so, whether it qualifies for a reward. All security issues with significant impact to users will be considered for the Miko Security Bounty.
You will receive an update by email when review of the report has started, when we make a determination about its impact, and, for eligible issues, when it is being addressed in a timely manner.
You will be updated by email about significant events, including when review of the report has started, when we make a determination of its impact, when more information is needed from you, or, for eligible issues, when it is being addressed. After a valid report is addressed, it will be reviewed for a Miko Security Bounty reward payment. If your report qualifies for a reward, you will receive communication on your reward, including bounty status, amount, and any next steps.
If you have questions, or want to provide more information to help us reproduce or investigate an issue, you can add comments or attachments to your email report at any time.
We make it a priority to resolve security and privacy issues as quickly as possible. Please note that for the protection of our customers, Miko does not disclose, discuss or confirm security issues until our investigation is complete and any necessary updates are generally available.
Miko uses security advisories to publish information about security fixes in our products and to publicly credit people or organisations that have reported security issues to us. Credit is added after the issue has been identified and addressed.

Miko Devices and Services Bug Bounty Program Process

MIKO Security Bounty eligibility rules are designed to make sure we can verify your research and protect customers until an update is available.
For an issue to be eligible for a MIKO Security Bounty, the issue you report must occur on a Miko device running the latest publicly available version with a standard configuration.
For Services vulnerabilities, the issue must relate to a web server or service owned by Miko or a Miko subsidiary, barring exclusions from the Terms and Conditions.
Many vendors offer products within the Miko platform. If the vulnerability is found to affect a third-party product, Miko will notify the owner of the affected technology. Miko will endeavour to continue to coordinate between you and the third party. Your identity will not be disclosed to the third party.
To be considered for a reward, you must comply with all parts of this policy, including the following requirements:

  • Adherence to our Responsible Research and Disclosure Policy and other legal obligations.
  • Reporting a vulnerability only for products or services that are listed within the scope of the program, and one that is not a duplicate submission of a previously known vulnerability.
  • Vulnerabilities cannot be disclosed to any third party without our consent and must be submitted first to us.
  • Vulnerabilities found in an SoC vendor's specific code may not qualify for rewards unless there is a demonstrated impact on Miko products.
  • You must be available to provide additional information if needed by us to reproduce and investigate your report.

Restrictions

To be eligible for the program, you must not:

  • Be a resident of, or make your submission from, a country against which the United States or India has issued export sanctions or other trade restrictions.
  • Have been, at any time, in the past or present, employed by Miko or any of its subsidiaries. For avoidance of any doubt, this would include all present and past employees of Miko, its affiliates and subsidiaries.
  • Be a direct family member of a person employed by Miko or any subsidiaries of Miko.

In addition, you must meet the following requirements:

  • You must be the first party to report the issue directly to Miko by email at security-research@miko.ai.
  • Your report must be clear and detailed as specified by the reporting guideline listed above.
  • You must not disclose the issue publicly before Miko releases an update for the report.

Terms and Conditions

You must adhere to the following Terms and Conditions:
1. You must not disrupt, compromise, or otherwise damage data or property owned by other parties. This includes attacking any devices or accounts other than your own (or those for which you have explicit, written permission from their owners), and using phishing or social engineering techniques.
2. You must not disrupt Miko services.
3. Immediately stop your research and notify Miko using the reporting process before any of the following occur:

  • You access any accounts or data other than your own (or those for which you have explicit, written permission from their owners).
  • You disrupt any Miko service.
  • You access systems related to payment processes.
  • You access a non-customer-facing Miko system.

4. You must comply with all applicable laws, including local laws of the country or region in which you reside or in which you download or use Miko software or services.
5. Miko Security Bounty payments are granted solely at the exclusive discretion of Miko.
6. Miko Security Bounty payments may not be issued to you if you are (a) in any U.S. embargoed countries or (b) on the U.S. Treasury Department's list of Specially Designated Nationals or the U.S. Department of Commerce Denied Person's List or Entity List or any other restricted party lists.
7. You are responsible for the payment of all applicable taxes.
8. A participant in the Miko Security Bounty program (“MSB Participant”) will not be deemed to be in breach of applicable Miko license provisions which provide that a user of Miko software may not copy, decompile, reverse engineer, disassemble, attempt to derive the source code of, decrypt, modify, or create derivative works of such Miko software, for in-scope actions performed by that MSB Participant where all of the following are met:

  • The actions were performed during good-faith security research, which was or was intended to be responsibly reported to Miko;
  • The actions were performed strictly during participation in the Miko Security Bounty program; and
  • Neither the actions nor the MSB Participants have otherwise violated these policies such as violating legal requirements 1, 2, and 3, above.