Vulnerability Disclosure Policy

We place the highest importance on security matters and greatly appreciate input from security professionals to strengthen the security of our products. Our strategy for addressing security vulnerabilities is based on an organized process. We are thankful for any identified vulnerabilities, regardless of service agreements or the development stage of our products and applications.

Vulnerability Response and Disclosure Process

  1. Receipt and Assignment: Promptly monitor incoming vulnerability reports and assign them for handling.

  2. Verification Process: Validate the vulnerability, confirming its potential for exploitation and impact.

  3. Solution Development: Offer effective solutions for fixes or measures to mitigate risks.

  4. Scope Determination: Examine and verify the full range of products impacted.

  5. Security Advisory Issuance: Assess and disseminate the security vulnerability advisory.

In accordance with the Vulnerability Disclosure Policy, we commit to acknowledging your reported vulnerability within 24 hours (Monday to Friday, 9am to 5pm EST) of receipt of the initial submission. Once the reported security issue is verified based on its impact, severity, and the complexity of the potential concern, we will assign a Vulnerability Classification level, and actions will be determined at that time. We may seek your ongoing assistance in addressing the vulnerability during the review and resolution period, up to 90 days, unless otherwise prohibited. Throughout this process, we will provide progress updates every two weeks until a resolution is in place. We kindly request that you treat the vulnerability as confidential and refrain from activities such as unauthorized denial of service attacks, load testing, social engineering, or other undesirable actions until a solution has been implemented.

Report Vulnerabilities

To privately report a suspected security issue to us for one of our networked products, mobile apps, or cloud services, please send your report to marketing@equitybrands.com.

Please include the following information in your report:

  • Name/type of affected product/app/service, plus specific model number, serial number, etc.

  • Any Proof of Concept (POC) setup details

  • Description of the steps to reproduce the issue

  • Public references if there are any

Response Time

We’ll respond within 24 hours (Monday to Friday, 9am to 5pm EST) to the vulnerabilities you submit.

*Note: Actual vulnerability response time may vary depending on the risk level and complexity of the vulnerability. Please check your spam folder if you haven’t heard from us.

Security Support Timeline

Software and security updates are provided for the product for 5 years after product release.

Vulnerability Classification

[Critical]

1. Vulnerabilities granting remote direct access to system privileges (server privileges, client privileges, intelligent devices), including but not limited to arbitrary code execution, arbitrary command execution, and the uploading and execution of Trojan horses.

2. Mobile terminal: remote code execution vulnerabilities.

3. Device terminal: vulnerabilities causing a permanent denial of service on the device (the device can no longer be used: it is completely and permanently damaged, or the entire system must be rewritten), where the attack is initiated remotely against the device, requires no physical contact with the device, and can be replicated quickly in batches.

[High Risk]

1. Vulnerabilities directly leading to the disclosure of sensitive information from the online server, including but not limited to disclosure of the core system's source code, disclosure of information related to user accounts or payments, or the downloading of sensitive server log files.

2. Vulnerabilities that affect the normal operation of online services, such as denial of service of the application layer.

3. Logical design defects in the system, which can lead to unauthorized operation, such as unauthorized access to sensitive information.

[Medium Risk]

1. General information disclosure, including but not limited to plaintext storage of passwords in the mobile client, download of a compressed source code package containing sensitive server or database information, etc.

2. Logic design defects in the system, such as bypassing postage charges for goods, payment vulnerabilities, etc.

[Low Risk]

1. Vulnerabilities that can be exploited for phishing attacks, including but not limited to URL redirection vulnerabilities.

2. Logic design defects in the system.

3. Minor information disclosure vulnerabilities, including but not limited to path disclosure, .git file disclosure, and server-side business log content.

[Ignored Problems]

1. Bugs unrelated to security, including but not limited to slow page loading and broken styles.

2. Reports too brief to be reproduced from their content, including but not limited to vulnerabilities that cannot be reproduced even after repeated communication with the vulnerability reviewer.

3. Products, apps, or modules no longer under maintenance.

4. Vulnerabilities in general protocols such as Wi-Fi, MQTT, BLE, and Zigbee.