Security

Cozyla coordinated vulnerability disclosure statement

Last updated: 28 Aug 2024

Cozyla is committed to ensuring the security of customers who use our products and services.


Security Strategy

Because vulnerability details are sensitive, we strongly recommend that you encrypt any report you send to Cozyla with our public PGP key and place the technical details inside the encrypted body rather than in the clear.


Cozyla PGP Public Key File

  1. Use our PGP public key to encrypt any email submission to security@cozyla.com.
  2. Provide sufficient contact information, such as your organization and a contact name, so that we can get in touch with you.
  3. Provide a technical description of the concern or vulnerability.
  4. State which specific product you tested, including the product name and version number.
  5. To help us verify the issue, provide any additional information, including the tools used to conduct the testing and any relevant test configuration.
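The encryption step above, as an added example that is not Cozyla's own tooling: a GnuPG (gpg 2.1 or later) routine that imports a vendor's public key, reports its fingerprint for an out-of-band check, and encrypts a report file to that fingerprint. The key file name, the `security@example.invalid` address, the throwaway keypair and the report text are stand-ins constructed for the demo; a real report uses the key file published on this page and the security@cozyla.com address.

```shell
# Added example, not Cozyla's tooling. Requires gpg 2.1+ and awk.

# Import the vendor's public key and encrypt a report file to it.
# Prints the fingerprint of the imported key so the caller can compare it
# with the fingerprint the vendor publishes out of band.
# Usage: cvd_encrypt_report <vendor-pubkey.asc> <report.txt> <out.asc>
cvd_encrypt_report() {
  pubkey="$1"; report="$2"; out="$3"
  gpg --batch --quiet --import "$pubkey"
  # In a colon-separated listing the "fpr" record carries the fingerprint
  # in field 10. Reading it from the file, not the keyring, avoids picking
  # up some other key that happens to match by name or email.
  fpr=$(gpg --batch --with-colons --with-fingerprint --show-keys "$pubkey" \
        | awk -F: '$1 == "fpr" { print $10; exit }')
  # Address the message by full fingerprint, never by name or email, and
  # ASCII-armour it so it survives mail clients. --trust-model always is
  # acceptable here only because the fingerprint check replaces the web of trust.
  gpg --batch --yes --quiet --armor --trust-model always \
      --recipient "$fpr" --output "$out" --encrypt "$report"
  printf '%s\n' "$fpr"
}

# Offline round-trip demo: a throwaway keypair in a temporary keyring stands
# in for the vendor's key (assumption for the demo). Prints the decrypted
# report text on success.
cvd_demo_roundtrip() {
  tmp=$(mktemp -d)
  chmod 700 "$tmp"
  export GNUPGHOME="$tmp"
  cat > "$tmp/params" <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Name-Real: Example Security Team
Name-Email: security@example.invalid
Expire-Date: 0
%commit
EOF
  gpg --batch --quiet --gen-key "$tmp/params"
  gpg --batch --quiet --armor --output "$tmp/vendor.asc" \
      --export security@example.invalid
  # Constructed sample report.
  printf 'Issue: constructed sample report for roundtrip test\n' > "$tmp/report.txt"
  cvd_encrypt_report "$tmp/vendor.asc" "$tmp/report.txt" "$tmp/report.asc" >/dev/null
  # The ciphertext must be armoured and must not contain the plaintext.
  grep -q 'BEGIN PGP MESSAGE' "$tmp/report.asc" || return 1
  if grep -q 'constructed sample' "$tmp/report.asc"; then return 1; fi
  gpg --batch --quiet --decrypt "$tmp/report.asc"
  gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$tmp"
}
```

Before trusting the fingerprint the function prints, compare it with the one the vendor publishes through a second channel (the page itself over HTTPS, or a prior signed message); if the reporter also holds a PGP key, adding `--sign` lets the vendor verify who sent the report.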


Software maintenance update strategy

When a vulnerability is identified, the firmware is updated through the following steps:

  1. A vulnerability is reported, for example by a user or a security researcher.
  2. The reported vulnerability is verified.
  3. The security technology manager and a software engineer develop a resolution.
  4. QA/validation testing is performed on the resolution.
  5. If Google certification is required, the relevant components are submitted to a Google-authorized third-party certification laboratory for testing and approval.
  6. The resolution is delivered as an OTA update.


Response Time

Upon receiving a vulnerability report, we will acknowledge receipt and provide a response notice within approximately 7 business days. This includes confirmation of the issue and any initial feedback. Progress updates regarding the development and deployment of the fix will be communicated via email as promptly as possible.

Once a vulnerability has been verified, we will fix it and disclose detailed information about the issue and its resolution according to the following timeline, based on its severity:

  1. Critical vulnerabilities are fixed within 30 days.
  2. High vulnerabilities are fixed within 60 days.
  3. Medium vulnerabilities are fixed within 90 days.
  4. Low vulnerabilities are fixed on a longer timeline, beyond 90 days.


Notes

Our products receive regular security updates to ensure continuous protection. The predefined support period for security updates ends one year after the product reaches End of Life (EOL). The product's release date can be found on the product packaging.


Security response plan

If a security incident arises, it must be treated as the highest priority. The CEO and CTO must be informed of the incident and participate in handling it. If the incident is a software maintenance issue, it is handled according to the "Software maintenance update strategy" on this page. A meeting is convened immediately to collect information, clarify what happened, and estimate the timeline for remediating the incident.


Notice

If you decide to share any information with Cozyla, you agree that the information you submit will be considered non-proprietary and non-confidential, and that Cozyla may use such information in any manner, in whole or in part, without restriction. Furthermore, you agree that submitting information does not create any rights for you or any obligation for Cozyla.