VULNERABILITY DISCLOSURE POLICY

OUR PROMISE
Here at BroadLink, we take pride in being the pioneer of smart home solutions and are committed to our customers by ensuring the security of our products. BroadLink will continue to leverage its advantages in smart home solutions and bring more innovative and affordable products to our valued users. At the same time, we will be watching closely for security vulnerabilities to safeguard our products against them. BroadLink recognises that fostering a close relationship with the community will help us improve our own security. So, if you have information about a vulnerability in our products, we want to hear from you.
GUIDELINES
• Act responsibly for the sole purpose of reporting suspected vulnerabilities and safeguarding users from damage, harm or loss.
• Avoid causing any kind of damage, harm or loss to individuals or organisations (e.g. you should not attempt to test, reproduce or verify the suspected vulnerability, or take any action which may cause interruption or degradation of any products/services).
• Conduct yourself in accordance with applicable laws and regulations at all times. If you have any doubt about such laws or regulations, please seek and obtain professional legal advice. Under no circumstances should you attempt to exfiltrate any computer data or publish details of any suspected vulnerability.
• Do not publish or publicly disclose any suspected vulnerability to any third party before it is resolved, as malicious actors may exploit the suspected vulnerability to cause damage, harm or loss to individuals and organisations.
• Do not deploy destructive, disruptive or other unlawful means to detect vulnerabilities (e.g. attacks on physical security, social engineering, denial of service, brute force attacks).
• Do not exploit, test or otherwise use any suspected vulnerability (e.g. taking any step(s) to access, copy, create, delete, modify, manipulate or download any data or program, build system backdoor(s), modify system configuration(s), facilitate or share system access).
If you are in any doubt about any proposed course of conduct, please contact us immediately at support@ibroadlink.com.
REPORTING A VULNERABILITY
• Upon detection of a suspected vulnerability, notify us immediately or as soon as practicable by submitting a report to us at support@ibroadlink.com.
• Where applicable, provide your name, email, and mobile number in the suspected vulnerability report so that we may contact you for clarifications. Include the name(s) and email(s) of the other person(s) to whom you may have disclosed the suspected vulnerability. By submitting the vulnerability report, it is deemed that you have given permission for our team to contact you for further information, if necessary.
• Non-marketing Communication
We process your personal data to send you important information regarding the Services, changes to our terms, conditions, and policies and/or other administrative information. Because this information may be important, you may not opt-out of receiving such communications. The legal basis for this processing is to perform our contract with you according to our Terms of Use.
• Provide adequate information in the suspected vulnerability report so that we may work with you on validating the suspected vulnerability, including these details (where available):
  ① Product name & model (including serial number);
  ② Product firmware version;
  ③ App name and version;
  ④ Host Operating System (iOS or Android);
  ⑤ Server of the user (Country where user is from);
  ⑥ Description of the suspected vulnerability;
  ⑦ Description of the circumstances, including date(s) and time(s), leading to your reporting of the suspected vulnerability;
  ⑧ Description of the reason(s) why you believe the suspected vulnerability may impact the subject and the extent of such suspected potential impact (is the vulnerability high/medium/low risk).
AFTER REPORTING A VULNERABILITY
Upon receiving the report, we will:
• Acknowledge receipt of your suspected vulnerability report generally within 7 business days.
• Work with you to resolve any validated vulnerability generally within 90 business days from our receipt of your report.
• Provide regular status updates on the issue until a resolution is completed.
• Update you when the reported vulnerability is resolved.