XGIMI Vulnerability Disclosure Policy
XGIMI collects information on security vulnerabilities in products and services (the "Products"), investigates their impact, and discloses information as necessary to ensure that customers can use Products with confidence.
1. Application
This policy applies to all vulnerabilities reported to XGIMI. Reporters are requested to read this policy carefully and comply with it before reporting a vulnerability.
2. How to report vulnerabilities
If you discover a new (previously undisclosed) vulnerability in an XGIMI product, please email service-uk@xgimi.com.
3. The process after a vulnerability report
After sending the email report, the reporter will receive an acknowledgement of receipt from us within 7 days, counted from the day after the report is sent. If we have further questions, we may contact the reporter for more information.
When we receive a vulnerability report, we take a series of steps to address the issue internally, following the guidance of ETSI EN 303 645:
Step 1: XGIMI requests detailed, confidential information regarding the vulnerability from the reporter.
Step 2: XGIMI investigates and validates the vulnerability.
Step 3: XGIMI rectifies the vulnerability and ensures the fix is applied across all affected XGIMI product lines.
Step 4: XGIMI issues an OTA (over-the-air) update to the affected XGIMI product.
Step 5: XGIMI monitors the stability of the product after the update.
Received reports are checked by the XGIMI technical team. Depending on the complexity of the reported vulnerability, XGIMI will fix it as soon as possible, and in no case later than 180 days (6 months) after the report.
If it is deemed necessary to inform customers other than the reporter, a security advisory will be posted on the XGIMI website as soon as the information can be disclosed, so that users can take appropriate measures.
4. Prohibitions against the reporter
With regard to disclosure, the reporter must not disclose vulnerability-related information to third parties without a valid reason.
If the reporter needs to disclose vulnerability-related information for a legitimate reason, please consult XGIMI in advance.
When searching for and verifying vulnerabilities, please avoid the following:
a. Violating applicable laws and regulations
b. Accessing unnecessary, excessive, or voluminous data
c. Altering data on XGIMI systems or services
d. Using high-intensity invasive or destructive scanning tools to discover vulnerabilities
e. Attempting or reporting any form of denial of service, such as overwhelming our services with a high volume of requests
f. Interfering with our services or systems
XGIMI deeply appreciates everyone who contributes to enhancing our products and services, thereby bolstering user protection.