Vulnerability Disclosure Policy – Spiio Inc.

1. Commitment to Security

Spiio Inc. is committed to the security of our wireless IoT devices, online services, websites, applications, and all associated systems, and to protecting the data and privacy of our users across our product ecosystem. The security research community plays a vital role in this by identifying vulnerabilities in our devices and infrastructure. We value the time and effort of individuals who responsibly investigate and report security issues to us, and we will work with them to address findings promptly and effectively. This Vulnerability Disclosure Policy sets out that commitment and explains how security vulnerabilities can be reported to us. Through it we aim to build a relationship of trust and transparency with the security research community, whose contributions support our ongoing efforts to improve the security of our products and services.

2. Scope of this Policy

This Vulnerability Disclosure Policy applies to the following systems, devices, websites, applications, and services owned or controlled by Spiio Inc.:

  • Spiio wireless IoT devices, including their firmware and embedded software.

  • Our main website and all its subdomains.

  • All publicly accessible web applications, APIs, and cloud services hosted under our primary domain that directly support our IoT devices.

  • Any publicly available mobile applications developed and released by us for managing or interacting with our IoT devices.

The types of vulnerabilities considered within the scope of this policy include, but are not limited to:

  • Cross-Site Scripting (XSS) in web or mobile applications.

  • SQL Injection in cloud or API systems.

  • Authentication or authorization flaws across devices, apps, or services.

  • Server-Side Request Forgery (SSRF) in cloud infrastructure.

  • Remote Code Execution (RCE) on devices or servers.

  • Insecure Direct Object References (IDOR) in apps or APIs.

  • Significant security misconfigurations in devices, firmware, or services.

  • Vulnerabilities in wireless communication protocols (e.g., Cellular, Wi-Fi, Bluetooth) implemented by Spiio Inc.

The following reports and activities are considered outside the scope of this policy:

  • Reports on non-exploitable vulnerabilities or issues indicating that devices or services do not fully align with “best practice” (e.g., missing security headers, SPF/DKIM records, cookie flags).

  • Reports detailing TLS/SSL configuration weaknesses (e.g., weak cipher suites, presence of older TLS versions) unless they directly enable device compromise.

  • Reports of denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks, including network jamming or flooding.

  • Any action compromising or degrading the performance and quality of our production systems, including penetration testing or simulating DoS attacks.

  • Social engineering, phishing, or physical security testing not involving device firmware or software.

  • Physical hardware vulnerabilities requiring destructive or invasive testing (e.g., chip decapsulation, side-channel attacks), unless explicitly authorized by Spiio Inc.

  • Vulnerabilities in third-party hardware components (e.g., chipsets) or protocols not controlled by Spiio Inc., unless they are uniquely exploitable due to our implementation.

  • Informational reports or speculation without clear proof of concept.

  • Vulnerabilities that have already been publicly disclosed or are known to us.

  • Clickjacking and issues related to Content Security Policy (CSP) without a demonstrable security impact.

It is important to note that while we appreciate all efforts to improve our security, focusing on vulnerabilities with a direct and demonstrable security impact on our IoT devices and supporting systems allows us to allocate our resources most effectively. Researchers testing physical devices must own or have legal access to the device and must not cause permanent damage.

3. How to Report a Vulnerability

If you believe you have discovered a security vulnerability within the scope of this policy, we encourage you to report it to us promptly. We prefer that vulnerability reports are submitted to our dedicated security team via email at contact@spiio.com.

Please ensure that your report includes the following information to help us effectively triage and investigate the issue:

  • Affected System or Device: Clearly indicate the specific device (including model), website, IP address, or application where the vulnerability can be observed.

  • Firmware Version: If applicable, provide the firmware version running on the IoT device at the time of discovery.

  • Vulnerability Description: Provide a concise description of the type of vulnerability (e.g., buffer overflow in firmware, XSS in app).

  • Steps to Reproduce: Offer detailed, step-by-step instructions that will allow our security team to reproduce the vulnerability. Please ensure these steps are benign and non-destructive, serving as a clear proof of concept.

  • Technical Details: Include any relevant technical details such as the browser, operating system, network conditions, or tools used during testing, as well as any error messages or relevant code snippets.

  • Potential Impact: If you understand the potential impact of the vulnerability (e.g., device takeover, data leakage), please include a brief explanation.

We also encourage you to include any supporting evidence, such as screenshots, screen recordings, packet captures, or proof-of-concept code, that can help us understand and verify the vulnerability more quickly. The more detailed and well-documented your report, the more efficiently we can address the issue, especially for IoT-specific vulnerabilities requiring firmware or hardware context.

4. Our Expectations from Security Researchers (Guidance)

Spiio Inc. values the contributions of security researchers who help us improve the security of our wireless IoT devices and ecosystem. To ensure responsible and ethical research practices, we ask that you adhere to the following guidelines:

Permitted Actions:

  • Conduct research in good faith with the intention of improving security, using a Spiio device you own or have legal access to.

  • Notify us as soon as possible after discovering a real or potential security issue in our devices, firmware, or supporting systems.

  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems or networks, and destruction or manipulation of data.

  • Use exploits only to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command-line access, or pivot to other systems or devices.

  • Provide us with a reasonable amount of time to resolve the issue—typically 90 days for firmware updates—before you disclose it publicly.

  • Securely delete all data retrieved during your research as soon as it is no longer required or within one month of the vulnerability being resolved, whichever occurs first (or as otherwise required by data protection law).

  • Provide sufficient details to reproduce the vulnerability, as described in Section 3.

Prohibited Actions:

  • Break any applicable law or regulations, including those related to wireless communications (e.g., FCC rules).

  • Access unnecessary, excessive, or significant amounts of data from devices or systems.

  • Modify data in our devices, systems, or services, including firmware tampering beyond proof-of-concept testing.

  • Use high-intensity invasive or destructive scanning tools to find vulnerabilities, including tools that could damage device hardware.

  • Attempt, or submit reports about, any action that compromises or degrades the performance and availability of our production systems, including denial-of-service (DoS) attacks, penetration testing that degrades production systems, or network jamming or flooding that disrupts device connectivity.

  • Disrupt our devices, services, or supporting networks.

  • Submit reports detailing non-exploitable vulnerabilities or reports indicating that devices or services do not fully align with “best practice”.

  • Submit reports detailing TLS configuration weaknesses unless they directly enable device compromise.

  • Communicate any vulnerabilities or associated details other than by means described in this policy or with anyone other than our designated security contact.

  • Social engineer, ‘phish’, or physically attack our staff or infrastructure.

  • Demand financial compensation in order to disclose any vulnerabilities.

  • Violate the privacy of our users, staff, contractors, devices, services, or systems.

5. What Happens After You Report a Vulnerability (Our Process)

Once you submit a vulnerability report to contact@spiio.com, you can expect the following process:

  • Acknowledgement: We will acknowledge receipt of your vulnerability report, typically within 5 working days.

  • Triage: Our security team will triage the reported vulnerability to assess its validity, severity, and potential impact on our devices or systems. We aim to complete the initial triage within 10 working days of receiving your report.

  • Communication: We will aim to keep you informed of our progress during the investigation and remediation process. This may involve asking for further clarification (e.g., firmware version, device model) or providing updates on our findings.

  • Prioritization: The priority for remediating reported vulnerabilities will be assessed based on factors such as the potential impact, severity, and exploitability, with critical device vulnerabilities taking precedence.

  • Remediation: We will work to address and resolve the confirmed vulnerability in a timely manner. For firmware-related issues, this may involve developing and deploying an over-the-air (OTA) update, with timeframes varying based on complexity and severity.

  • Notification: Once the reported vulnerability has been remediated, we will notify you. In some cases, we may invite you to re-test the fix (e.g., on an updated device) to confirm its effectiveness.

We appreciate your patience and cooperation throughout this process, especially for IoT vulnerabilities that may require firmware updates. Clear communication and timely updates are important to us, and we strive to keep reporters informed of our progress.

6. Legalities and Our Commitment to Researchers

Spiio Inc. recognizes the importance of legal clarity in the context of vulnerability disclosure for our wireless IoT devices and systems. This policy is designed to be compatible with common vulnerability disclosure good practice and operates within the framework of applicable laws and regulations, including those governing wireless communications.

We commit not to initiate legal action against security researchers who report vulnerabilities in good faith and in compliance with this policy. We consider security research conducted in accordance with this policy, including non-destructive testing of our IoT devices, to be authorized under relevant laws. Our intention is to foster a collaborative environment in which security researchers feel comfortable reporting potential vulnerabilities without fear of legal repercussions for accidental, good-faith violations. Furthermore, if a third party initiates legal action against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy and with our approval.

However, it is important to reiterate that while this policy outlines our commitment, researchers are still expected to comply with all applicable laws and regulations, including those related to wireless devices and networks. This policy does not provide permission to act in any manner that is inconsistent with the law.

7. Public Disclosure of Vulnerabilities

Spiio Inc. believes in the importance of responsible disclosure and coordinated release of information about security vulnerabilities affecting our IoT devices and systems. We prefer to coordinate any public disclosure of a reported vulnerability with the security researcher who identified it.

We request that you refrain from publicly disclosing any discovered vulnerabilities until we have had a reasonable amount of time to investigate, develop, and deploy a fix—typically 90 days for firmware updates, though this may vary depending on the complexity and severity of the issue. Once a vulnerability has been addressed, we may publish a security advisory or release notes detailing the issue and the corresponding fix, such as an OTA update for affected devices. We may also consider publicly acknowledging researchers who have responsibly disclosed vulnerabilities, provided they consent to such acknowledgement. We will coordinate with the reporter regarding the timing and content of any public disclosure to ensure accuracy and consistency.

8. Contact Information

Security researchers can submit vulnerability reports via email at:

contact@spiio.com

We encourage you to use this dedicated channel for all vulnerability-related communications. We also intend to publish a security.txt file at /.well-known/security.txt on our domain, in the format defined by RFC 9116, containing a link to this Vulnerability Disclosure Policy and the contact address above. This standardized location lets security researchers find the information they need to report vulnerabilities responsibly.
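As an added illustration (not a file published by Spiio Inc. or quoted from its site), the following shows the RFC 9116 security.txt layout that the paragraph above refers to, carrying the contact address from this page. RFC 9116 requires both the Contact and Expires fields; the Policy and Canonical URLs below are placeholders, since this page does not state where the policy is hosted, and the Expires date is an assumed value that an operator must refresh before it lapses.

```text
# Served at https://<domain>/.well-known/security.txt (RFC 9116 layout; added example)
# Contact is required; mailto: and https: URIs are both permitted
Contact: mailto:contact@spiio.com
# Expires is required; researchers should treat a file past this date as stale
Expires: 2026-12-31T23:59:59.000Z
# Placeholder URL: the location of this Vulnerability Disclosure Policy
Policy: https://<domain>/vulnerability-disclosure-policy
# Placeholder URL: the canonical location of this file itself
Canonical: https://<domain>/.well-known/security.txt
Preferred-Languages: en
```

Each field is one line in the form `Field: value`; comments occupy their own lines beginning with `#`. Serving the file over HTTPS at the /.well-known/ path is what lets researchers and automated tooling locate it without guessing.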