• Tel: +86 12345678912
  • Email: rumculife@163.com

Security Reporting

Govee attaches great importance to the security of its products and services, and is committed to developing safe and reliable products that protect user privacy. Security researchers play an important role in protecting Govee products and consumers. We have therefore developed a vulnerability disclosure policy and established a complete vulnerability management process in accordance with standards such as ISO/IEC 30111 and ISO/IEC 29147, to improve product security and ensure a timely response when vulnerabilities are discovered.

I. Vulnerability Qualitative Severity Ratings

Govee uses the common industry standard for assessing the severity of suspected security vulnerabilities in its products: the CVSS (Common Vulnerability Scoring System). CVSS is composed of three metric groups: Base, Temporal, and Environmental. We also encourage users to assess the Environmental score for their own network conditions, since the same vulnerability can carry a different risk depending on how a device is deployed. That Environmental score is the final vulnerability score for the specific environment and should drive decisions on deploying mitigations.

Different industries adopt different standards. Govee uses the Security Severity Rating (SSR) as a simpler way to classify vulnerabilities. With SSR, vulnerabilities are classified as critical, high, medium, low, or informational based on the overall severity score.

II. Vulnerability Reporting Guidelines

If you have discovered an issue that you believe is an in-scope vulnerability, please submit a vulnerability report.

In your report, please include the following details:

  • The product model and firmware/software version, or the website, IP address or page where the vulnerability was observed.
  • A brief description of the vulnerability type, such as "XSS vulnerability."
  • Steps to reproduce. These steps should be benign, non-destructive, proof-of-concept only. This helps ensure that the report can be handled quickly and accurately. It also reduces the likelihood of duplicate reports, or of malicious exploitation of some vulnerabilities, such as sub-domain takeovers.

III. Response Time

  1. Govee Security Emergency Response Center staff will acknowledge the received vulnerability report and begin assessing the problem within 1 working day.
  2. Critical vulnerabilities will be followed up within 24 hours, and a preliminary conclusion and score will be given.
  3. High-risk vulnerabilities will be followed up within 3 working days, and a preliminary conclusion and score will be given.
  4. All remaining vulnerabilities will be followed up and scored within 7 working days. If the reporter believes a report is urgent, they can send an email to security@govee.com. Expedited processing will be carried out after confirmation by the reviewer.

IV. Vulnerability Disclosure Instructions

Vulnerabilities are managed according to the life cycle of the product/software version. Govee will manage vulnerabilities in all products until their end of service and support (EOS).

To protect our users, Govee will not disclose, discuss, or confirm any security issues until a full investigation has been completed and an update is available. We kindly ask reporting parties to keep vulnerabilities confidential and not share unresolved vulnerabilities with third parties or make them public until Govee provides the related patch solution.

In order to better support customers in patch deployment and risk assessment, Govee will publish the patching status of vulnerabilities at the same time in Software updates. We recommend that you follow the update prompts to upgrade to the new product/software version or install the latest patches to reduce the risk from known vulnerabilities.

Vulnerability Handling Process

1. Vulnerability Submission

– White-hat hackers can submit vulnerabilities through the official channels provided by Govee.

– A vulnerability report cannot be edited or modified once submitted, so please check the accuracy and completeness of the information before submitting.

2. Vulnerability Review

– Govee Security Team will review the submitted vulnerabilities as soon as possible, typically within 1 working day.

– During holidays or periods of high vulnerability submission, the review process may take longer but is generally completed within 5 working days.

3. Vulnerability Rewards

– White-hat hackers who submit vulnerabilities approved by Govee will receive rewards such as Govee products, Points, or G coins.

– For identical vulnerabilities submitted by different white-hat hackers, Govee will not provide duplicate rewards:

a. If the same vulnerability is submitted at the same time, the reward will be given to the white-hat hacker with the most comprehensive report.

b. If the same vulnerability is submitted at different times, the reward will be given to the white-hat hacker who submitted it first.

4. Vulnerability Closure

– Govee will confirm, fix the vulnerability, and close its lifecycle.

Disclaimer:

White-hat hackers must submit vulnerabilities in compliance with applicable laws and regulations. Without prior permission from Govee, white-hat hackers must not disclose discovered vulnerabilities to any third party outside Govee, nor attack or abuse them. Violators will be held legally responsible.