Disclosure Policy

Sengled Publication of Vulnerability Disclosure Policy

SECTION 1: DEFINITIONS

1.1  SECURITY FLAW: A security flaw is defined as an unintended design flaw in the product firmware, app, cloud, hardware, or process, whereby a third-party is able to gain illegal access to confidential information belonging to another user or users, either through exploiting a hitherto undiscovered security hole, reverse engineering, illegal access to the server systems, malicious hacking, phishing, or other activities not associated with the normal operation of the product.

1.2  SECURITY INCIDENT: A security incident is defined as a situation whereby Sengled is made aware of a security flaw or security flaws by a member of its own organization, its customers, a concerned and well-meaning third-party, a malicious third-party with intentions to cause harm to Sengled and its users, or public disclosure.  Sengled reserves the right to investigate and confirm the nature of the situation, before a security incident is confirmed and reported.

1.3  CRITICAL SECURITY FLAW: A security flaw exhibiting all three of these characteristics: publicly known, affecting significant number of users, and significant consequences to the user’s information security.

1.4  SEVERE SECURITY FLAW: A security flaw exhibiting two of these three characteristics: publicly known, affecting significant number of users, and significant consequences to the user’s information security.

1.5  MEDIUM LEVEL SECURITY FLAW: A security flaw exhibiting one of these three characteristics: publicly known, affecting significant number of users, and significant consequences to the user’s information security.

1.6  LOW LEVEL SECURITY FLAW: A security flaw exhibiting none of these three characteristics but nonetheless exhibits potential for these characteristics: publicly known, affecting significant number of users, and significant consequences to the user’s information security.

1.7  SECURITY RESPONSE TEAM: The Sengled Security Incident Rapid Response Team (SSIRRT) is composed of the top leaders in Quality Engineering, Global Product Management, Software Development, Hardware & Firmware Development, and the Market Leader(s) of the affected market(s).  The purpose of the SSIRRT is to protect the information of our users and address the underlying security flaw with immediate urgency and the necessary resources.

 

SECTION 2: INTERNAL INCIDENT RESPONSE PLAN

2.1  Once a security incident is reported to Sengled either through the security incident report form on the official website, security@sengled.com, or other reputable channels, the SSIRRT will immediately determine the severity of the security incident, using criteria identified in in sections 1.3, 1.4, 1.5, and 1.6.

2.2  Quality Engineering will work with appropriate internal stakeholders to reproduce the security flaw.  Based on the severity, Sengled will attempt to reproduce the behavior in a lab environment, identify the root cause, and implement the fix with all necessary resources allocated.

2.3  Sengled will validate the security fix and execute full regression testing to ensure issues are fixed and all functions work as expected.

2.4  Sengled will implement and release the software or firmware update based on Sengled’s Software Maintenance update strategy.

2.5  Based on the security flaw’s severity and at the SSIRRT’s discretion, Sengled will publish the security fix on Sengled’s official website.

 

SECTION 3: REPORTING TO CUSTOMERS

3.1  Sengled will update the status and ETA of the resolution in official channel until the resolution of the reported security flaw.

3.2  Sengled shall inform its customers of a publicly-known CRITICAL security flaw within 3 days of being made aware of the incident, provided that a mitigation plan is in place.

3.3  Sengled shall inform its customers of a publicly-known SEVERE security flaw within 4 days of being made aware of the incident, provided that a mitigation plan is in place.

3.4  Sengled shall inform its customers at its own discretion of a publicly-known MEDIUM LEVEL security flaw within 5 days of being made aware of the incident, provided that a fix is in place.