70mai Vulnerability Disclosure Policy

70mai is committed to developing products and services that adhere to the highest security standards in order to protect our customers and their data. We welcome information about potential security vulnerabilities from security researchers, academics, and others in the wider security community.

70mai's security team is ready to work with those who bring such vulnerabilities to its attention and strives to acknowledge all relevant submissions.

When to contact the Product Security Incident Response Team

Researchers and users can report security vulnerabilities or bugs to 70mai through https://www.70mai.com/contact-us/ or by sending email to security@70mai.com.

Incident Response Plan

The security incident response plan is as follows:

1. A dedicated customer service team monitors the contact-us website daily and reports to 70mai’s security team if a security-related post is found. Meanwhile, the security team monitors security@70mai.com every day.

2. The security team determines the severity of the incident and informs the PM (program manager).

3. In scoring or rating vulnerabilities, 70mai follows standard industry best practices to designate the vulnerability’s potential impact as High, Medium or Low.

4. The following steps are taken according to the severity of the incident:
a) High: The PM immediately holds a meeting with the head of engineering, the security team and the related engineers. A fix plan shall be made in the meeting. The fix to the cloud will be started immediately. The app and firmware will be fixed as soon as possible, and the OTA will be pushed to users by the time shown in the above table.
b) Medium: The PM holds a meeting with the security team and the related engineers. A fix plan shall be made in the meeting, and the fix/OTA will be done by the time shown in the above table.
c) Low: The PM will discuss with the security team and the related engineers and make a fix plan. The corresponding fix/OTA will be done by the time shown in the above table.

The security team will notify avs-security@amazon.com about all of the above incidents within 24 hours; an initial report including the incident description and severity will be attached to the mail. Another report including the problem-solving plan and the corresponding release/OTA schedule will be sent to avs-security@amazon.com as soon as possible.

Receiving security information from 70mai

Security Advisories

In most cases, we will issue a notice once we have identified a practical workaround or fix for the particular security vulnerability. There may, however, be instances when we issue a notice without a workaround, when the vulnerability has become widely known to the security community.

Release Notes (readme or change history)

Information included in Release Notes related to security updates will reference either the CVE or the internal tracking number. Both are included in our published security advisories as applicable. When 70mai believes it is in the customer’s best interest to update as soon as possible, the remediation may be released ahead of the security advisory. Once the advisory has been published, information about the vulnerability can be found by referencing the tracking number from the release notes.

Information included in Release Notes related to open source vulnerability remediation will include published CVEs.

70mai does not publish security advisories for open source vulnerabilities.

References

If additional information on the vulnerability is available, the advisory will provide links as a reference. This includes links to the CVE or blog or article citations.

Acknowledgement

Typically, we look to acknowledge the researcher or finder of the vulnerability and, with their permission, will provide them with a credit.

Revision History

When updates are made to an advisory, the revision history will show what was updated and when.

We make the best effort possible to resolve vulnerabilities in supported products as quickly as possible. However, no guaranteed level of response applies for any specific issue or class of issues due to factors such as fix complexity, quality testing, embargoes, and cross-vendor coordination.
