Welcome to the eufy Vulnerability Management Program!

Vulnerability Management Program

As a security product provider, we take users' privacy and data security very seriously. We will regularly check and track the vulnerabilities on eufy products and the status of public open-source components or components from component vendors and third-party vendors.
In addition to our efforts, we also hope that more people will participate. Whether you are a user of eufy products, a software developer, or a security researcher, you are an essential part of this program.
If you have discovered a vulnerability in a eufy product or have a security incident to report, please share your discovery with us.
Your discovery will be acknowledged and assessed promptly. Once vulnerabilities are confirmed, a remediation plan will be formulated.

Writing Guidelines

A high-quality vulnerability report helps us confirm and address an issue more quickly, and could help you receive a eufy Security Bounty reward.
A complete report includes:

  • A detailed description of the issue(s) and the behavior you observed, as well as the behavior that you expected
  • A numbered list of steps required to reproduce the issue
  • A reliable exploit for the issue you are reporting
  • Details of any related issues or variants

Eufy strongly recommends including a working exploit, rather than a basic proof of concept. We accept reports without this information, but reports with more details typically receive higher bounty rewards. If your report doesn't include the necessary information to allow us to reproduce the issue, we may not be able to accept your report or evaluate it for a bounty. In addition, you must meet the following requirements:

  • You must be the first party to report the issue directly to eufy Product Security on the web or by email.
  • Your report must be clear and detailed and must include a reliable way to reproduce the issue, such as a working exploit.
  • You must not disclose the issue publicly before eufy releases an update with a security advisory for the report.

How to submit your research

If you believe you have discovered a security vulnerability that affects eufy devices, software, services, or eufy-owned web servers, please report it to us.
Anyone can submit a report, including security researchers, developers, and customers.
We make it a priority to resolve security and privacy issues as quickly as possible. Please note that for the protection of our customers, eufy doesn't disclose or confirm security issues until our investigation is complete and any necessary updates are generally available.
Alternatively, you can email your report to Data_Security_and_Privacy_Committee@anker-in.com.
Please note that if you submit your report via email, you will not be able to track progress online.

If you want to directly interact with the eufy security team regarding the discovered vulnerability, please submit the following information before proceeding.

  • Title*
  • Type*: Web Vul, Mobile Vul, IOT Vul
  • Subtype*: Information leak vulnerability, Logical vulnerability, Upload vulnerability, Code execution vulnerability, SQL injection vulnerability, CSRF vulnerability, XSS vulnerability, Verification Code vulnerability, Collision vulnerability, Invasion event, Code leakage, Others
  • E-mail*
  • Description*
  • Upload (doc, docs, pdf, 7z, rar, zip, gz, jpg, png; maximum 8MB)

Additionally, if you are a white hat hacker and have registered on the HackerOne platform, you can click here to submit directly.


Rewards and Response targets

Our rewards are based on severity per CVSS (the Common Vulnerability Scoring System). Please note these are general guidelines, and reward decisions are up to the discretion of Anker. Typical bug bounty rewards range from $100 to $8000, depending on their severity and asset tier. Submitted reports must be related to the ‘eufy’ brand. We reserve the right to accept and review any security report, including out-of-scope issues. This will be true regardless of the severity of the vulnerability.

Low         $100-$150
Medium      $300-$500
High        $800-$1200
Critical    $2000-$8000

eufy will make its best efforts to meet the following response targets for hackers participating in our program and to keep you informed throughout the process.

Type of Response      SLA in Business days
First Response        2 days
Time to Triage        7 days
Time to Bounty        10 days
Time to Resolution    depends on severity and complexity

Contacting the eufy Security Team

If you require any clarifications regarding the scope of the program (e.g., potential leakage of eufy user data at one of our third-party vendors) or face specific challenges when testing, you may email the eufy team at Data_Security_and_Privacy_Committee@anker-in.com. However, please do not escalate questions about the validity or bounties of your existing reports. Such emails will not be responded to, and discussions should take place within the report itself. If you are unsure about a potential vulnerability, please submit the report to us and we will assess it accordingly.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
