70Mai is committed to developing products and services that adhere to the highest security standards in order to protect our customers and their data. We welcome information about potential security vulnerabilities from security researchers, academics, and others in the wider security community.
70Mai's security team is ready to work with those who bring such vulnerabilities to its attention and strives to acknowledge all relevant submissions.
Researchers and users can report security vulnerability or bugs to 70Mai, through https://www.70mai.com/contact-us/ or send email to firstname.lastname@example.org.
Security incident response plan is as follows:
1. Dedicated customer service team will daily monitor the information on contact-us website and report to 70Mai’s security team if security related post is found. Meanwhile, security team will monitor email@example.com every day.
2. Security team determines the severity of the incident and inform the PM (program manager)
3.In scoring or rating vulnerabilities, 70mai follows standard industry best practices to designate the vulnerability’s potential impact as High, Medium or Low.
4. Steps as following will be done according to the severity of incident:
a) High: PM immediately holds meeting with HEAD of engineering, security team and related engineers. Fix plan shall be made in the meeting. Fix to the cloud will be started immediately. App and firmware will be fixed as soon as possible and OTA will be pushed to users by the time shown in the above table.
b) Medium: PM holds meeting with security team and related engineers. Fix plan shall be made in the meeting. And fix/OTA will be done by the time shown in the above table.
c) Low: PM will discuss with security team and related engineers and make fix plan. Corresponding fix/OTA will be done by the time shown in the above table.Security team will notify firstname.lastname@example.org about all above incident within 24 hours, an initial report including incident description and severity will be attached in the mail. Another report including problem solving plan and corresponding release/OTA schedule will be sent to email@example.com as soon as possible.
In most cases, we will issue a notice when we have identified a practical workaround or fix for the particular security vulnerability, though there may be instances when we issue a notice in the absence of a workaround when the vulnerability has become widely known to the security community.
Information included in Release Notes related to security updates will reference either the CVE or the internal tracking number. Both are included in our published security advisories as applicable. When 70mai believes it is in the customer’s best interest to update as soon as possible, the remediation may be released ahead of the security advisory. Once the advisory has been published, information about the vulnerability can be found by referencing the tracking number from the release notes.
Information included in Release Notes related to open source vulnerability remediation will include published CVEs.
70mai does not publish security advisories for open source vulnerabilities.
If additional information on the vulnerability is available, the advisory will provide links as a reference. This includes links to the CVE or blog or article citations.
Typically, we look to acknowledge the researcher or finder of the vulnerability and, with their permission, will provide them with a credit.
When updates are made to an advisory, the revision history will show what was updated and when.
We make the best effort possible to resolve vulnerabilities in supported products as quickly as possible. However, no guaranteed level of response applies for any specific issue or class of issues due to factors such as fix complexity, quality testing, embargoes, and cross-vendor coordination.
Subscribe to our newsletter:
Please enter a valid email address.