Govee Vulnerability Management Solution

Govee attaches great importance to the security of its products and services and is committed to developing safe, reliable products that protect user privacy. Security researchers play an important role in protecting Govee products and consumers. We have therefore developed a vulnerability disclosure policy and established a complete vulnerability management process, following standards such as ISO/IEC 30111 (vulnerability handling) and ISO/IEC 29147 (vulnerability disclosure), to improve product security and ensure a timely response when vulnerabilities are discovered.

I. Vulnerability Qualitative Severity Ratings

Govee uses the common industry standard for assessing the severity of suspected security vulnerabilities in its products: the Common Vulnerability Scoring System (CVSS). CVSS is composed of three metric groups: Base (intrinsic characteristics of the vulnerability), Temporal (factors that change over time, such as exploit availability and patch status), and Environmental (the impact in a specific deployment). Govee's published rating reflects the Base score. We also encourage users to assess the Environmental score for their own network conditions and to treat that score as the final vulnerability score for their environment when deciding how to prioritize mitigation and patch deployment.

Different industries adopt different standards. Govee uses the Security Severity Rating (SSR) as a simpler way to classify vulnerabilities. With SSR, vulnerabilities are classified as critical, high, medium, low, or informational based on the overall severity score.

II. Vulnerability Reporting Guidelines

If you have discovered an issue that you believe is an in-scope vulnerability, please submit a vulnerability report to Govee.

In your report, please include the following details:
* The product model and firmware/software version, or the website, IP address or page, on which the vulnerability was observed.
* A brief description of the vulnerability type, for example "XSS vulnerability".
* Steps to reproduce. These steps should be benign, non-destructive and limited to a proof of concept. This allows the report to be triaged quickly and accurately, and reduces the likelihood of duplicate reports or of malicious exploitation of certain vulnerability classes, such as sub-domain takeovers, while the issue is being fixed.

III. Response Time

1) Govee Security Emergency Response Center staff will acknowledge a received vulnerability report and begin assessing the problem within 1 working day.
2) Critical vulnerabilities will be followed up within 24 hours, and a preliminary conclusion and score will be given.
3) High-risk vulnerabilities will be followed up within 3 working days, and a preliminary conclusion and score will be given.
4) All remaining vulnerabilities will be followed up and scored within 7 working days. If the reporter believes an issue is an emergency, they can send an email to security@govee.com; expedited processing will be carried out once a reviewer confirms the urgency.

IV. Vulnerability Disclosure Instructions

Vulnerabilities are managed according to the life cycle of the affected product/software version. Govee manages vulnerabilities in all products up to their end of service and support (EOS).

To protect our users, Govee will not disclose, discuss or confirm any security issue until a full investigation has been completed and an update is available. We kindly ask reporting parties to keep vulnerabilities confidential, and not to share unresolved vulnerabilities with third parties or make them public, until Govee provides the related patch or remediation.

To better support customers in patch deployment and risk assessment, Govee will publish the patching status of vulnerabilities in Software updates at the same time. We recommend that you follow the update prompts to upgrade to the new product/software version or install the latest patches to reduce the risk posed by known vulnerabilities.