Kobo’s Policy relative to the Security of our Connected Products
This policy sets out some of the requirements maintained by Rakuten Kobo Inc. (“Kobo”) to protect the security of its connected products and their users relative to cyber security risks.
A. Default Passwords
Kobo does not use universal default or easily guessable default passwords on its connected products.
B. Reporting of Security Vulnerabilities – The Vulnerability Disclosure Protocol
1. Introduction
This protocol sets out a consistent method for individuals (e.g., security researchers) to report suspected security vulnerabilities in Kobo products. Kobo is committed to continually making commercially reasonable efforts to manage and minimize cyber security and associated material risks.
1.1 Scope: This vulnerability disclosure policy applies to any vulnerabilities security researchers consider reporting to Kobo.
1.2 Compliance: Kobo requires compliance with this policy; in consideration of that compliance, Kobo will not characterize the security researcher’s actions as inappropriate or as warranting responsive action for damages.
1.3 Kobo’s position: Kobo values and thanks those who take the time and effort to report security vulnerabilities according to this policy. However, Kobo does not offer monetary rewards for vulnerability disclosures.
2. Reporting
If you suspect that you have found a security vulnerability, please submit your report to Kobo at the following email: privacy@kobo.com, and include the following information in your provided report:
2.1 The model specifications of the connected product where the vulnerability can be observed.
2.2 A brief description of the type of vulnerability, for example, “XSS vulnerability”.
2.3 Steps to reproduce the vulnerability, using a benign and non-destructive means to demonstrate it. The intent is to give Kobo the means to assess and triage the matter quickly and accurately.
2.4 Provide your report in English, if possible.
3. Kobo’s Responsiveness
Kobo shall respond to vulnerability reports as follows:
3.1 After the security researcher has submitted a report, Kobo will respond, acknowledging receipt.
3.2 Priority for remediation is assessed by looking at, amongst other things, the impact, severity, and exploit complexity. Vulnerability reports might take some time to triage or address.
3.3 Kobo will notify you when the reported vulnerability is remediated.
3.4 Once your reported vulnerability has been resolved, we welcome requests to disclose your report; however, Kobo alone, at its discretion, is responsible for providing guidance to affected users, whether by public release or otherwise.
4. Kobo’s statement of Expectations relative to Vulnerability Reporters
Our expectations for security researchers are as follows:
4.1 The Security Researcher must NOT:
4.1.1 Break any applicable law or regulations.
4.1.2 Access unnecessary, excessive, or significant amounts of data.
4.1.3 Modify data in Kobo’s systems or services, or disrupt, damage, or impair access to data, those same services, or systems in any way.
4.1.4 Use high-intensity invasive or destructive scanning tools to find vulnerabilities.
4.1.5 Submit “nuisance” reports detailing non-exploitable vulnerabilities, reports indicating that the services do not fully align with “best practices”, or a high volume of low-quality reports.
4.1.6 Communicate any vulnerabilities or associated details other than by the means described herein.
4.1.7 Demand financial compensation to disclose any vulnerabilities.
4.1.8 Conduct physical testing (e.g., office access, open doors, tailgating), social engineering (e.g., phishing, vishing), or any other non-technical vulnerability testing.
4.2 You must:
4.2.1 Always comply with governing data protection and privacy legislation, and must not violate the privacy of Kobo’s users, staff, contractors, services, or systems.
4.2.2 Securely delete all data retrieved during your research as soon as it is no longer required or within one month of the vulnerability being resolved, whichever occurs first (or as otherwise required by data protection law).
4.2.3 Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or pivot to other systems.
4.2.4 Once you have established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.
5. Legal Standing of the Disclosure Protocol and Reporters
5.1 This Vulnerability Disclosure Protocol is designed to be compatible with common vulnerability disclosure good practice and the governing legislation and regulations of various jurisdictions.
5.2 If you make a good faith effort to comply with this protocol during your security research, Kobo will consider your research to be authorized, we will work with you to understand and resolve the issue quickly, and Kobo will not recommend or pursue legal action related to your research. Should legal action be initiated by a third party against you for activities that were conducted in accordance with this protocol, Kobo will make this authorization known.
C. Security Updates and Smart Products
The embedded software in Kobo eReaders receives security updates to protect the data and privacy of our users.
1. Security Updates – Timeliness
1.1 Based on Kobo’s assessment of severity and risk and the associated prioritization, security updates are issued in a timely manner to address and manage not only the vulnerabilities disclosed to Kobo through third-party reporting, but also any vulnerabilities that may arise from Kobo’s internal security assessments of its smart products.
1.2 Recognizing Kobo’s obligation to meet industry standards and statutory requirements when issuing security updates that remediate vulnerabilities in our smart products, Kobo determines the timing of each security update release, which will always meet at least a standard of commercial reasonableness.
2. Security Support Periods
2.1 Security support updates are provided for Kobo eReaders, from time to time, to address any known and material vulnerabilities. These security updates are provided for the period during which the various eReader models are available for sale, directly from Kobo, as brand new (non-refurbished) units.
2.2 Beyond a model’s initial sales period, and as a general practice, Kobo hereby commits to provide eReaders with software security updates for at least four years from the date that the device was last available for purchase directly from Kobo (at its website) as a new (non-refurbished) product. Neither the sale date of refurbished units nor the dates of third-party sales by other retailers are relevant reference points for Kobo’s commitment to provide security updates.
2.3 The table below shows software security update periods for Kobo eReaders currently available for purchase on our websites. Kobo will update this table from time to time.
2.4 The table is not a statement of the expected lifespan of the noted products, and the applicable warranties continue to govern. The table is a statement of best practices relative to the support period for the provision of security updates for Kobo’s connected products sold globally. For Kobo connected products sold in the United Kingdom after April 15, 2024 only, in compliance with the Product Security and Telecommunications Infrastructure Act 2022, Kobo hereby commits to the support period noted as follows:
Kobo eReader | Security updates are to be provided until December 31st of the noted year
Kobo Clara BW – Released April 2024 | 2028
Kobo Clara Colour – Released April 2024 | 2028
Kobo Libra Colour – Released April 2024 | 2028
Kobo Elipsa 2E – Released October 2023 | 2028
Kobo Elipsa – Released June 2021 | 2028
Kobo Clara 2E – Released September 2022 | 2028
Kobo Sage – Released October 2021 | 2028
Kobo Libra 2 – Released October 2021 | 2028
Kobo Nia – Released July 2020 | 2028
D. Compliance
Statement of Compliance certificates are issued relative to each product and model offering, noting the defined support period. The various Statements of Compliance, updated from time to time, are found at the Kobo website, under www.kobo.com/userguides.