Coordinated Vulnerability Disclosure (CVD) Policy
1. Introduction
Onalabs Innohub S.L. (“Onalabs”) is committed to the security of its products and the protection of its users. We recognise that independent security researchers play an important role in identifying vulnerabilities that help us improve the safety and security of our devices and services.
This Coordinated Vulnerability Disclosure (CVD) Policy describes how Onalabs receives, handles, and responds to reports of security vulnerabilities affecting its products, and how we work with reporters to address them responsibly before public disclosure.
2. Scope
This policy applies to security vulnerabilities in:
- Onasport wearable device (all hardware versions and firmware versions)
- The Onasport companion application (iOS and Android)
- Any other Onalabs radio equipment or associated digital services placed on the EU market
This policy does not apply to:
- Vulnerabilities in third-party services or infrastructure not under Onalabs’ direct control (e.g. cloud infrastructure providers, mobile operating systems). We encourage reporters to contact those vendors directly.
- General product feedback, feature requests, or non-security defects — these should be submitted through our standard support channels.
3. How to Report a Vulnerability
Please submit vulnerability reports by email to:
To help us triage and reproduce the issue efficiently, please include as much of the following as possible in your report:
- Description of the vulnerability and its potential impact
- The affected product, hardware version, and firmware/app version
- Step-by-step instructions to reproduce the vulnerability
- Any proof-of-concept code, screenshots, or supporting material
- Your preferred contact method for follow-up
Reports may be submitted in English or Spanish.
4. Our Commitments to Reporters
Once we receive your report, Onalabs commits to the following:
| Milestone | Commitment |
|---|---|
| Acknowledgement | We will acknowledge receipt of your report within 5 business days. |
| Initial assessment | We will provide an initial assessment of the report’s validity and severity within 10 business days. |
| Remediation timeline | We will communicate a target remediation timeline within 30 days of receipt. |
| Resolution notification | We will notify you when the vulnerability has been resolved or mitigated. |
| Coordinated disclosure | We ask that you allow us a 90-day disclosure window from the date of your report before making any public disclosure, to give us adequate time to develop and release a fix. If we require more time due to exceptional complexity, we will discuss an extension with you in good faith. |
We will keep you informed of our progress throughout the process. If we are unable to meet any of the above timelines, we will communicate the reason and an updated timeline promptly.
5. Safe Harbour
Onalabs will not pursue legal action against individuals who discover and report security vulnerabilities in good faith and in accordance with this policy.
We consider security research conducted under this policy to be authorised conduct. We will not initiate or recommend legal action against reporters for activities that are:
- Conducted in compliance with this policy
- Performed to identify and demonstrate a vulnerability without causing harm
- Not exploiting the vulnerability beyond what is necessary to demonstrate its existence
- Not accessing, modifying, or exfiltrating data beyond the minimum required to confirm the vulnerability
- Not disrupting Onalabs products, services, or users
Onalabs reserves the right to pursue legal action against parties who act outside these boundaries, including those who exploit vulnerabilities for financial gain, cause harm to users or Onalabs systems, or publicly disclose vulnerabilities before the agreed disclosure window has elapsed, absent prior agreement with Onalabs.
Note to legal reviewer: Please confirm this safe harbour language is consistent with applicable Spanish and EU law, and that it provides adequate and enforceable protection for good-faith researchers. (QMS-3)
6. Disclosure Coordination
We follow a coordinated disclosure model:
- Reporter submits vulnerability to Onalabs via support@onalabs.com.
- Onalabs acknowledges and assesses the report.
- Onalabs develops and releases a fix within the agreed timeline.
- Onalabs and the reporter coordinate the timing and content of any public disclosure.
- Where appropriate, Onalabs will publicly acknowledge the reporter’s contribution (unless the reporter prefers to remain anonymous).
If a vulnerability is already actively exploited in the wild or poses an immediate risk to user safety, Onalabs may accelerate the timeline and coordinate emergency disclosure with the reporter and relevant authorities.
7. Out-of-Scope Activities
The following activities are not covered by this policy and may result in legal action:
- Denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks against Onalabs products or infrastructure
- Physical attacks against Onalabs hardware or facilities
- Social engineering or phishing attacks targeting Onalabs employees or users
- Accessing, exfiltrating, or modifying data belonging to other users without their explicit consent
- Automated scanning of Onalabs infrastructure without prior written permission
- Disclosure of vulnerabilities to third parties before the 90-day coordinated disclosure window has elapsed
8. Bug Bounty
Onalabs does not currently operate a paid bug bounty programme. We do not offer financial compensation for vulnerability reports at this time.
We do, however, value and publicly acknowledge the contributions of researchers who help us improve our product security, subject to their consent.
9. Contact
10. Policy Review
This policy will be reviewed annually or following any significant change to Onalabs’ product portfolio or regulatory obligations. The current version is always available at the Policy URL above.