Welcome to the Vulnerability Disclosure and Response Program (“Program”) initiated and maintained by Autel Robotics Co., Ltd. (“Autel Robotics”). Autel Robotics places the highest priority on the cybersecurity of its products and business systems and fully acknowledges the critical contributions of researchers to maintaining a secure ecosystem. We encourage researchers to responsibly report any security vulnerabilities related to Autel Robotics' products and services. Before participating in the Program and submitting a vulnerability report, please carefully read and fully understand this Autel Robotics Vulnerability Disclosure and Response Agreement (“Agreement”). By submitting a vulnerability report, you are deemed to have read, understood, and agreed to be bound by this Agreement and the Autel Robotics Privacy Policy (https://www.autelrobotics.com/privacy/). We look forward to working together with the global security community to continuously improve the security of our products and services.
1.1 This Agreement is entered into between you (“Reporter”) and Autel Robotics concerning your participation in the Program, and is legally binding on both parties.
1.2 The term "Reporter" refers to any natural person, legal entity, or other organization that submits security vulnerability reports through the designated platform provided by Autel Robotics.
1.3 This Agreement also includes Program rules, supplementary agreements, and other explanatory documents published by Autel Robotics from time to time. Upon publication, these documents form an integral part of this Agreement, have the same legal force and effect as this Agreement, and shall be complied with by the Reporter.
2.1 The Reporter shall submit security vulnerability reports related to Autel Robotics’ products or services through the designated platform [https://www.autelrobotics.com/protocol/] and follow the instructions specified on that page.
2.2 Reports submitted by the Reporter shall include the following information:
2.2.1 A detailed description of the vulnerability and the potential risks associated with it;
2.2.2 Steps required to reproduce the vulnerability, detailed operational procedures, or a proof of concept (PoC);
2.2.3 Information regarding the testing environment, including but not limited to URLs or applications related to the vulnerability, relevant code snippets, device models, operating system versions, testing IP addresses, and account credentials used during testing;
2.2.4 Relevant supporting materials generated during the testing process, including but not limited to data, screenshots, and log files.
2.3 Scope of Acceptable Vulnerabilities:
2.3.1 Official websites of Autel Robotics: https://www.autelrobotics.com/, https://www.autelrobotics.cn/;
2.3.2 Official applications of Autel Robotics, including but not limited to Autel Mapper, Autel Integrated Command System (AICS), etc.;
2.3.3 Hardware products and their corresponding management systems of Autel Robotics that are within the official warranty and support period.
2.4 Exclusions from Vulnerability Reports:
2.4.1 Products that have been discontinued from sale and are no longer supported or maintained;
2.4.2 Issues present on third-party websites, platforms, or services;
2.4.3 Vulnerabilities that have been publicly disclosed or are already known, including those widely reported or previously submitted by other Reporters.
2.5 Criteria for Vulnerability Severity Rating:
2.5.1 The sensitivity of the information exposed and its potential impact;
2.5.2 The difficulty level of exploiting the vulnerability;
2.5.3 The potential scope and severity of impact on users, systems, or the reputation of Autel Robotics;
2.5.4 The ease of propagation and the potential for widespread exploitation of the vulnerability.
2.6 Vulnerability Disclosure Policy:
2.6.1 The Reporter shall not publicly disclose or disseminate any vulnerability details without prior written authorization from Autel Robotics.
2.6.2 If disclosure is explicitly permitted, the Reporter must ensure that sensitive information such as user data, privacy information, or Autel Robotics' server details is excluded from the disclosed content.
2.6.3 Reports must objectively and accurately describe the impact of vulnerabilities and must not exaggerate, mislead, or cause unnecessary alarm.
2.7 The Reporter must guarantee that all information submitted is truthful, complete, and legally compliant. The Reporter shall bear full responsibility for any platform suspension or legal risks arising from false, inaccurate, or incomplete information.
2.8 Vulnerability Remediation Timelines of Autel Robotics:
2.8.1 Critical-level vulnerabilities and above: Remediation shall generally be completed within 90 business days.
2.8.2 Medium- and low-level vulnerabilities: Remediation shall generally be completed within 180 business days.
2.8.3 In cases involving special circumstances, such as hardware compatibility constraints, the actual remediation timeline will be determined based on official announcements or specific communications from Autel Robotics.
3.1 The Reporter shall comply with all applicable laws and regulations as well as the terms and conditions of this Agreement during the collection, verification, and submission of vulnerability reports. The Reporter shall not, under any circumstances, disrupt the operation of Autel Robotics’ systems or infringe upon the legitimate rights and interests of Autel Robotics or its users.
3.2 The Reporter must ensure that the vulnerability information submitted is obtained legally and ethically. The Reporter is strictly prohibited from obtaining vulnerabilities through unauthorized or illegal methods, including but not limited to scanning, network sniffing, brute-force attacks, deception, phishing, or any similar unauthorized means.
3.3 The Reporter is strictly prohibited from engaging in any of the following activities:
3.3.1 Illegally accessing or intruding into Autel Robotics’ networks, or interfering with the normal operation of its products or systems;
3.3.2 Disclosing, selling, or otherwise transferring any data or information belonging to Autel Robotics or its users;
3.3.3 Causing interruptions of user services or negatively impacting user experience in any way during vulnerability testing activities;
3.3.4 Engaging in improper activities such as extortion, intimidation, publicity stunts, or any other unethical or inappropriate conduct through the exploitation of vulnerabilities.
3.4 The Reporter undertakes and warrants that they shall bear full legal responsibility for ensuring the authenticity, accuracy, and completeness of all submitted vulnerability reports and any related materials.
3.5 After submitting a vulnerability, the Reporter shall not leverage the threat of public disclosure to impose any conditions or demands. Furthermore, the Reporter shall not transfer, assign, or authorize any third party to disclose or use the submitted vulnerability information without prior written consent from Autel Robotics.
3.6 The ownership and all related intellectual property rights of the submitted vulnerability reports shall vest in Autel Robotics. Without the prior written consent of Autel Robotics, the Reporter shall not use the content of the reports for any commercial or non-commercial purposes.
3.7 The Reporter understands and agrees that they have a strict duty of confidentiality with respect to any information related to Autel Robotics — including but not limited to technologies, products, source code, and operational data — acquired during testing, submission, or communication. Any unauthorized disclosure, dissemination, or use of such information without prior written consent is strictly prohibited.
3.8 If the Reporter is under the age of 18 (a minor), they must read this Agreement and participate in the Program under the supervision and guidance of a legal guardian.
4.1 Autel Robotics is responsible for operating and maintaining the vulnerability submission platform to ensure that researchers can smoothly complete registration, submission, queries, and other related operations.
4.2 Autel Robotics reserves the right to verify, remediate, and implement security enhancements based on the content of the reports, and to independently assess the validity and severity of any reported vulnerabilities.
4.3 Autel Robotics commits to assigning dedicated personnel to follow up on and respond to each valid and compliant vulnerability report and to provide a resolution or feedback within a reasonable timeframe.
4.4 Autel Robotics is obligated to protect the personal identification information submitted by the Reporter in accordance with applicable laws and regulations, and shall not disclose such information to any third party without the Reporter’s prior authorization or unless disclosure is legally required.
4.5 If any report contains illegal content, false information, or involves intentional deception or extortion, Autel Robotics reserves the right to immediately terminate the Reporter’s participation in the Program and to pursue legal remedies as necessary.
4.6 Autel Robotics reserves the right to adjust, interpret, suspend, or terminate the Program’s content, service terms, or related provisions, but will provide prior notice to the Reporter through announcements on the official website or by email.
4.7 Any preliminary review conducted by Autel Robotics on submitted reports shall not relieve the Reporter of their responsibility for ensuring the authenticity and legality of the submitted content.
4.8 If the Reporter becomes involved in any dispute with a third party arising from their participation in the Program, the Reporter shall be solely responsible for resolving the dispute and bearing all associated liabilities. If such a dispute results in any loss or damage to Autel Robotics, the Reporter shall be liable to fully compensate Autel Robotics for such loss or damage.
5.1 When submitting a vulnerability report, the Reporter should endeavor to provide complete, accurate, and reproducible information, including but not limited to:
5.1.1 The background of the vulnerability discovery and the steps involved in the exploitation process;
5.1.2 Relevant URLs, applications, APIs, or system modules involved;
5.1.3 The model of the test device, operating system version, application version, and serial number (if applicable);
5.1.4 The credentials of the testing account(s) and the corresponding IP address(es);
5.1.5 Non-destructive verification examples (e.g., remote command execution);
5.1.6 Supporting materials such as packet capture files, log files, screenshots, or videos, where necessary.
5.2 Autel Robotics will perform preliminary validation, severity assessment, and reproducibility testing of submitted vulnerabilities. The criteria for severity rating include, but are not limited to:
5.2.1 The extent and sensitivity of any data exposure;
5.2.2 The level of difficulty and potential for automation in exploiting the vulnerability;
5.2.3 The potential scope and impact on Autel Robotics’ users, platforms, or products;
5.2.4 Whether the vulnerability exists within systems that are still under maintenance.
5.3 The Reporter shall adhere to the principles of responsible vulnerability disclosure and shall not disclose, publish, or otherwise disseminate any relevant vulnerability information to any third party without the prior explicit written consent of Autel Robotics.
5.4 If Autel Robotics approves the public disclosure of a vulnerability, the Reporter shall ensure that the disclosure meets the following conditions:
5.4.1 No user privacy information, sensitive data, or detailed information about Autel Robotics’ business systems is disclosed;
5.4.2 The disclosed content must be objective and accurate, without exaggerating the impact or misleading the public;
5.4.3 The disclosure must not cause unnecessary security panic or market disruption.
5.5 The ownership and all associated intellectual property rights of the submitted vulnerability reports and related deliverables shall vest exclusively in Autel Robotics. The Reporter shall not use, publish, or transfer such materials without obtaining prior written authorization from Autel Robotics.
6.1 Upon submission, the vulnerability reports, verification steps, test data, analysis documents, and any other related materials provided by the Reporter shall be deemed the sole property of Autel Robotics Co., Ltd. Autel Robotics shall exclusively own all corresponding ownership rights, copyrights, and related intellectual property rights therein.
6.2 Without the prior written consent of Autel Robotics, the Reporter shall not use, reproduce, disclose, distribute, license, authorize, or otherwise make available to any third party the submitted vulnerability reports or any related testing materials in any form.
6.3 If the Reporter violates any provision of this section, Autel Robotics reserves the right to immediately disqualify the Reporter from participating in the Program and to pursue legal remedies, including but not limited to:
6.3.1 Reporting the violation to relevant regulatory bodies or judicial authorities;
6.3.2 Seeking compensation for any direct or indirect economic losses and any reputational damage suffered by Autel Robotics.
6.4 Personal information submitted by the Reporter during participation in the Program (including but not limited to name, contact information, identification documents, etc.) shall be used solely for purposes related to identity verification, vulnerability verification, statistical analysis, and other activities directly associated with the Program.
6.5 Autel Robotics will implement reasonable technical and organizational measures to safeguard the confidentiality and security of the Reporter’s personal information. Unless otherwise required by applicable laws, regulations, regulatory authorities, or expressly authorized by the Reporter, Autel Robotics shall not disclose the Reporter’s personal information to any non-affiliated third party.
6.6 The Reporter shall ensure that all submitted information is truthful, complete, lawful, and valid. If any inaccuracies, falsehoods, or failures to update the information result in the inability to establish necessary communication, the Reporter shall bear full responsibility for any consequences arising therefrom.
7.1 The Reporter understands and agrees that Autel Robotics reserves the right to suspend, modify, interrupt, or terminate the Program at any time, without prior notice, due to business development needs, strategic adjustments, technological upgrades, security operations, or other reasonable causes. The Reporter voluntarily waives any right to claim compensation from or assert any rights against Autel Robotics for any losses or inconveniences arising therefrom.
7.2 If the Reporter engages in any of the following activities, Autel Robotics reserves the right to immediately disqualify the Reporter from participating in the Program without prior notice and, if necessary, pursue legal action. Such activities include, but are not limited to:
7.2.1 Submitting false, malicious, or duplicate vulnerability reports;
7.2.2 Exploiting vulnerabilities to attack, manipulate, interfere with, or cause actual harm to Autel Robotics’ products, systems, users, or third parties;
7.2.3 Disclosing, disseminating, or using vulnerability information for non-testing purposes without prior authorization;
7.2.4 Violating applicable national laws, regulations, public order, good customs, or any provision of this Agreement;
7.2.5 Refusing to cooperate in the vulnerability verification process or submitting false or misleading identity information.
7.3 Autel Robotics shall not be held liable for service interruptions, platform access failures, or any other issues arising from:
7.3.1 Force majeure events, including but not limited to natural disasters, pandemics, wars, or governmental actions;
7.3.2 Communication network failures, virus infections, or hacker attacks;
7.3.3 Abnormalities or disruptions in third-party platforms, channels, or services;
7.3.4 Equipment malfunctions or network issues originating from the Reporter’s side.
7.4 Autel Robotics will endeavor to maintain the stability of the Program platform and associated systems in accordance with prevailing industry security standards; however, it does not guarantee uninterrupted operation or a vulnerability-free environment. The Reporter is expected to acknowledge and accept that vulnerability submissions may be interrupted due to system maintenance, upgrades, or unforeseen anomalies.
7.5 If the Reporter chooses to withdraw from the Program, Autel Robotics reserves the right to permanently delete all historical data, incomplete reports, and any related content associated with the Reporter’s account, without any obligation to return such information or provide data export services.
8.1 The formation, effectiveness, performance, interpretation, and dispute resolution of this Agreement shall be governed by the currently effective laws and regulations of the People’s Republic of China (excluding its conflict of laws principles).
8.2 Any dispute arising from participation in the Program or the performance of this Agreement shall first be resolved through amicable consultation between the parties. If the consultation fails, either party may submit the dispute to the competent People’s Court in the jurisdiction where this Agreement is executed, namely, the People’s Court of Nanshan District, Shenzhen, Guangdong Province, China.
8.3 If any provision of this Agreement is held to be invalid or unenforceable for any reason, the remaining provisions shall remain in full force and effect and shall continue to be binding on both parties.
8.4 The headings in this Agreement are for convenience only and shall not affect the meaning or interpretation of any provisions herein.
8.5 Autel Robotics reserves the right to update or amend the terms of the Program based on actual operational needs. Continued participation by the Reporter shall be deemed as acceptance of the updated terms.
If you have any questions, complaints, or suggestions regarding the Program or this Agreement, you may contact us using any of the following methods:
9.1 Contact us by phone at 400-800-1866;
9.2 Send an email to after-sale@autelrobotics.com;
9.3 Send correspondence to the following address: Room 801, Building B1, Nanshan Intelligence Park, No. 1001 Xueyuan Avenue, Taoyuan Subdistrict, Nanshan District, Shenzhen, Guangdong Province, China.