Security Vulnerability Disclosure Policy
At MicroVision, the security of our systems, products, and data is paramount. As part of our commitment to maintaining the highest security standards, we comply with TISAX and ISO 27001 frameworks. We recognize the invaluable role that the security community plays in identifying potential vulnerabilities, and we encourage responsible vulnerability disclosure to ensure the integrity of our systems and data. This policy outlines the process for reporting vulnerabilities in a responsible manner to reduce risks for all parties.
Scope
All MicroVision products, systems and our website.
Out-of-scope vulnerabilities include:
- Results that mainly come from social engineering (e.g. phishing, vishing).
- User interface and user experience errors, spelling and grammar errors.
- Physical attacks against MicroVision facilities, products, or data centers.
- Vulnerabilities in any MicroVision partner or third-party provider sites.
- Denial-of-Service (DoS) attack related vulnerabilities.
How to Report a Vulnerability
If you discover a potential security vulnerability in any of our products, systems, or websites, please contact us at vulnerability (at) microvision.com. Please include the following information in your vulnerability report:
- Detailed Description: Provide a thorough description of the vulnerability, including which system or product is affected.
- Steps to Reproduce: Include a clear explanation of the steps necessary to replicate the issue.
- Potential Impact: Describe the potential risks or consequences of the vulnerability for our systems or users.
- Evidence: Attach relevant materials, such as logs, screenshots, or videos, to help us better understand the issue.
- Contact Details: Provide your contact information so we can follow up for clarification if needed.
- Language: If possible, please reach out to us in English, as reports in other languages might take significantly more time for us to investigate.
What to Expect
We strive to identify relevant security vulnerabilities and process them accordingly, and we welcome information that helps us do so. Upon receiving your report, our security team will carefully review, investigate, and correct any vulnerability in accordance with our procedures and applicable law. To encourage responsible reporting, we will not take legal action against those who comply with our Responsible Disclosure Guidelines set forth below.
Responsible Disclosure Guidelines
To ensure a secure and ethical reporting process, we request that you adhere to the following guidelines:
- Non-exploitation: Do not exploit the vulnerability in any way, including accessing sensitive data, making changes, or causing damage.
- No Unauthorized Access: Do not attempt to access, modify, or delete data belonging to others, including personal or proprietary information.
- Non-disruption: Avoid actions that could degrade the performance or availability of our systems.
- Legal and Ethical Compliance: Ensure that your actions are compliant with applicable laws and ethical standards.
- Testing Limitations: Limit vulnerability testing to your own accounts and data. Refrain from using automated testing tools that could harm system performance.
- Confidentiality: Please do not disclose an issue to the public or a third party until MicroVision has resolved it.
Failure to comply with these guidelines may result in legal action or other consequences. MicroVision reserves the right to involve authorities to protect the integrity and security of our systems if necessary.
Acknowledgment and Communication
We greatly value and appreciate your efforts to help improve the security of our products and systems. Questions regarding this policy may be sent to vulnerability (at) microvision.com. We also invite you to contact us with suggestions for improving this policy.