2021.08.09
The MIoTSRC vulnerability handling process is as follows:
1. Vulnerability Submission
Log in to the Vulnerability Box account and submit a vulnerability report (or send security issues directly to iotsecurity@midea.com). Once a vulnerability is submitted, it cannot be edited or modified; it can only be commented on and supplemented. Please make sure that the vulnerability information is correct before submitting it. After successful submission, the vulnerability status is displayed as [Pending Review].
2. Vulnerability Review
The corporate auditor will pre-audit the vulnerability as soon as possible, within 1 working day (review is slower during statutory holidays or vulnerability outbreaks, but will be finished within 5 working days). Vulnerabilities that fail the preliminary review will be given a reason and either closed directly or returned with a request to add complete information. White hats can add information or comment under the vulnerability. For duplicate vulnerabilities in the same time period, the first most complete report shall prevail, and for duplicate vulnerabilities in different time periods, the first submission shall prevail. There is no reward for duplicate vulnerabilities in MIoTSRC. The status of vulnerabilities that pass this stage is displayed as [Pending Confirmation].
3. Vulnerability Confirmation
The corporate auditor will confirm the vulnerability as soon as possible, within 3 working days (postponed over legal holidays), and the white hat will receive the corresponding bonus and points rewards after the vulnerability is confirmed. If there is an objection to the confirmed level, a vulnerability appeal can be initiated within the 3-day validity period, and the Vulnerability Box platform will intervene in the negotiation process. The vulnerability status at this stage is displayed as [To be fixed].
4. Vulnerability Closed
The company confirms that the vulnerability is fixed and closes the vulnerability. The vulnerability life cycle ends.
Statement:
1. White hats submitting vulnerabilities to MIoTSRC must accept the "VULBOX White Hat Registration Agreement" and comply with the "Vulnerability Box White Hat Code of Conduct". It is strictly forbidden to disclose vulnerabilities that have been submitted to MIoTSRC (including directly closed vulnerabilities) in any form without the permission of Midea IoT. Violators will have rewards that have already been issued deducted, and the right to pursue legal liability, depending on the seriousness of the situation, is reserved.
2. During vulnerability processing, if the vulnerability reporter has new vulnerabilities to report or disagrees with the handling process, vulnerability grading, vulnerability scoring, etc., please contact us by email at iotsecurity@midea.com. Midea's IoT Security Emergency Response Center (MIoTSRC) will deal with it based on the principle of giving priority to the interests of the vulnerability reporter, and when necessary it can bring in external parties to make a joint decision.
3. The vulnerability handling process applies to all hardware and software products and services supplied by Midea IoT, including the cloud platform, mobile phone apps and applets, and the hardware, software and firmware of household appliances.