
Vulnerability Disclosure Policy


1. Introduction

The Cleva vulnerability disclosure policy encourages security researchers and the public to provide feedback and participate in responsible vulnerability research and disclosure. If you believe you have discovered vulnerabilities, exposed data, or other security issues, we invite you to contact us. This policy outlines the steps for reporting vulnerabilities to us and elucidates Cleva's policy on identifying and reporting potential vulnerabilities.

2. Definition

Confidentiality window: If we accept your vulnerability report, our goal is to complete the repair work and release the repair program within 90 days after initial confirmation. If additional information is needed to confirm the vulnerability, we will contact you. If we haven't received a response after 3 attempts, we may close the case, but we still welcome continued vulnerability reports in the future. 

We: In this policy, "we" refers to Cleva and encompasses our brand.

Report a vulnerability: please report vulnerabilities to Cleva via email: firmware.security@cleva.com.cn

Official disclosure channel: communication channel for vulnerability disclosure: https://www.cleva-uk.com/  

3. Vulnerability Reporting Method

If you discover any security issues while testing or using Cleva products or services, please send detailed information about your findings via email to our official reporting channel (firmware.security@cleva.com.cn). Reporting through other channels may result in delayed responses or neglect.

If possible, please include the following information in the vulnerability report:

    • Specific products or services affected, including any relevant version numbers.
    • Detailed information on the impact of the issue, and any information that helps to reproduce or diagnose the problem.
    • Whether you believe the vulnerability has already been publicly disclosed or is known to a third party.

4. Our Commitment

When working with us and according to this policy:

1. We currently do not offer or participate in the Permanent Vulnerability Bounty Program. We will not accept bounty payments, promotional materials, or credit requests outside of the security announcement release process.

2. We will preliminarily confirm and provide a tracking number within 5 working days after receiving your vulnerability report.

3. We will send a vulnerability acceptance confirmation within 30 days after the initial confirmation, which will include a suggested deadline for fixing. If we do not accept the report, we will provide our reasons and remain open to new information regarding the report.

Once the reported vulnerabilities are confirmed, our engineers will work to develop appropriate fixes. 

If there are vulnerabilities that cannot be resolved within the 90-day timeline, we will work with you to extend the confidentiality period or provide other suggestions. The solution resolution time may be affected by:

    • The time frame of upstream suppliers differing from ours.
    • If a significant number of architectural changes are required to address this vulnerability.
    • Complex or extended verification requirements caused by low-level firmware changes.

We independently issue security notices to provide important security information to our customers and the public. If any of the following conditions are met, we encourage you to discover and report vulnerabilities related to our security notices or CVEs (Common Vulnerabilities and Exposures):

    • The reported vulnerability affects currently supported Cleva products,
    • We make code or configuration changes as a result of the issue,
    • You are the first to report this vulnerability,
    • Your research complies with our responsible disclosure policy, and
    • You agree to confirm the findings as part of the reporting process.

The following models are supported by software updates until December 31st, 2035:

    • VBRM18AMIDR
    • VBRM18AMID2R
    • VBRM18AMID4R
    • VBRM18AMID8R

5. Our Expectations

When participating in our vulnerability disclosure program, you must read, understand, and agree to our Vulnerability Disclosure Policy, including all terms and conditions. Compliance with this policy is required.

If you do not agree with the policy or its terms, please discontinue participation. We will not provide related services to individuals who do not accept the terms.

By continuing to participate, you acknowledge that you fully understand and accept all applicable policies and terms outlined below. 

1. Compliance

    • You must comply with this policy and any other applicable agreements.
    • In the event of a conflict between this policy and other terms, this policy takes precedence.

2. Timely and Responsible Disclosure

    • Report vulnerabilities as soon as they are discovered.
    • Do not share vulnerability information with anyone outside of Cleva before submitting your report. 

3. Handling of Sensitive Data

If during testing you access Cleva’s proprietary information, customer data, employee data, or other sensitive business-related information, whether intentionally or unintentionally, you must:

    • Not use, store, share, or record this information in any form.
    • Document such access clearly in your vulnerability report.

4. Responsible Testing

During security testing, you must avoid:

    • Violating user privacy.
    • Interrupting production systems.
    • Degrading user experience.
    • Causing any data loss or breach.

Specifically, you must not:

    • Perform destructive testing (such as Denial of Service).
    • Access or alter unauthorised data.
    • Attack Cleva personnel, assets, data centres, partners, or affiliates.
    • Use social engineering or misrepresent your identity or authority.
    • Violate any applicable laws or agreements to discover loopholes.
    • Conduct research on products/services outside of their supported security lifecycle.

5. Reporting and Licensing

    • Submit all security reports exclusively through Cleva's official vulnerability reporting process.
    • By submitting a report, you grant Cleva a worldwide, perpetual, royalty-free, non-exclusive license to use your submission to improve our products and services.

6. Confidentiality

    • Do not publicly disclose any vulnerability until Cleva has resolved the issue and published an official security bulletin.
    • You must obtain written permission from Cleva before sharing any vulnerability details externally.

7. Data Access and User Protection

    • If a vulnerability allows access to data, limit access strictly to what is necessary for verification.
    • If you encounter sensitive data (such as personally identifiable information (PII), personal healthcare information (PHI), payment details, or proprietary information), immediately stop testing and report the incident to Cleva.
    • Only interact with test accounts you own or for which you have explicit authorisation from the account holder.