Vulnerability Disclosure Policy
Commitment
At VicOne LAB R7, we recognize the critical intersection of Cybersecurity and Physical Safety in the era of Physical AI. This policy outlines our commitment to working with the global research community to identify, verify, and resolve vulnerabilities within our specific CNA scope.
To report a vulnerability, please contact our security team at:
vulnerability-report@vicone.com
Please provide a detailed technical description and a Proof of Concept (PoC).
Included Domains
Physical AI Systems
- AI systems that directly influence or control physical behavior.
- Perception, decision-making, and actuation logic.
- Safety-critical and cyber-physical environments.
Robotics Platforms
- Robotics software, firmware, and hardware components.
- Control stacks, middleware, and AI-enabled control logic.
- Robot operating environments where cyber compromise may cause physical impact.
Simulation & Digital Twin
- Simulation platforms used for robotics/AI development and validation.
- Digital twin environments representing real-world robotic systems.
- Simulation pipelines whose integrity affects real-world safety decisions.
Excluded Domains
- General Purpose IT: Standard office software, corporate websites, and non-robotics cloud services.
- Third-party Hardware: Vulnerabilities in generic chips or components not related to robotics control.
- Legacy Systems: Products clearly marked as End-of-Life (EOL).
Vulnerability Handling Flow
Our process follows ISO/IEC 29147:2018 (Vulnerability disclosure) to ensure coordinated disclosure.
| Step | Phase | Description |
|---|---|---|
| 01 | Submission (PGP Encrypted) | Report received via PGP-encrypted email |
| 02 | Triage & Verification | Validate the report and reproduce the issue |
| 03 | CVE ID Assignment | Reserve a CVE identifier for the vulnerability |
| 04 | Remediation & Patching | Coordinate fix development with the vendor |
| 05 | Public Disclosure | Publish advisory after coordinated timeline |