Vulnerability Disclosure Policy

As a provider of security products we take security issues very seriously and recognize the importance of privacy and data security. We are committed to addressing and reporting security issues to protect users. Whether you’re a user of eufy security products, a software developer, or simply a security researcher, you’re an important part of this process.

How To Report Security Issues: 

If you believe you have discovered a vulnerability in a eufy Security product or have a security incident to report, please fill out the vulnerability report form.

When we receive a vulnerability report, eufy takes a series of steps to address the issue internally, referring to ISO/IEC 30111. All reported vulnerabilities are scored according to the Common Vulnerability Scoring System 3.1 (CVSS) standard.

Step 1: eufy requests the reporter provide confidential detailed information of the vulnerability.

Step 2: eufy investigates and verifies the vulnerability.

Step 3: eufy fixes the vulnerability and verifies the fix across eufy Security product lines.

Step 4: eufy releases an OTA (over the air) update to the eufy Security product.

Step 5: eufy monitors the stability of the eufy security product after the update.

Report receipt will be confirmed within 1 business day and a preliminary assessment will take place. Within 3 business days assessments will be complete and the vulnerability will be fixed or will have a remediation plan in place.

Critical risk vulnerabilities will be fixed within 3 business days.

High and medium risk vulnerabilities will be fixed within 30 business days.

Low risk vulnerabilities will be fixed within 180 business days.

Note, some vulnerabilities are subject to environment or hardware restrictions. Final remediation time will be determined according to the real-world situation.

We greatly appreciate anyone who can give us a chance to improve our products and services, and better protect our users. 

Thank you for working with us through the above process.