Information on How to Report Security Issues

Protecting our customers from threats to their security is always an important task for CHEF iQ. As a key player in global Networking and Smart Home markets, we will do our utmost to provide our users with secure, stable products and services, and to strictly protect the privacy and security of their data.

We welcome and encourage all reports related to product security or user privacy. We will follow established processes to address them and provide timely feedback.

Report Vulnerabilities to CHEF iQ

We strongly encourage organizations and individuals to contact CHEF iQ’s security team to report any potential security issue.

To report a security or privacy vulnerability, please send an email to support@chefiq.com with the product model and software version, and describe the detailed security issue. CHEF iQ will endeavor to respond to the report within 10 working days.

CHEF iQ will need to obtain detailed information about the reported vulnerability to more accurately and quickly begin the verification process.

Responsible Reporting Guidelines

• All parties to a vulnerability disclosure should comply with the laws of their country or region.
• Vulnerability reports should be based on the latest released firmware, and preferably written in English.
• Report vulnerabilities through the dedicated communication channel. CHEF iQ may receive reports from other channels but does not guarantee that the report will be acknowledged.
• Adhere to data protection principles at all times and do not violate the privacy and data security of CHEF iQ users, employees, agents, services, or systems during the vulnerability discovery process.
• Maintain communication and cooperation during the disclosure process and avoid disclosing information about the vulnerability prior to the negotiated disclosure date.
• CHEF iQ is not currently operating a vulnerability bounty program.

How CHEF iQ Deals with Vulnerabilities

Awareness & Receipt

CHEF iQ encourages customers, vendors, independent researchers, and security organizations to proactively report any potential vulnerabilities to the security team. At the same time, CHEF iQ proactively obtains information about vulnerabilities in CHEF iQ products from the community, vulnerability repositories, and various security websites, in order to be aware of vulnerabilities as soon as they are discovered.

CHEF iQ will respond to vulnerability reports as soon as possible, usually within 10 business days.

Verification

CHEF iQ Security will work with the product team to perform a preliminary analysis and validation of the report to determine the validity, severity, and impact of the vulnerability. We may contact you if we need more information about the reported vulnerability.

Remediation

Once the vulnerability has been identified, we will develop and implement a remediation plan to provide a solution for all affected customers.

Remediation typically takes up to 90 days and, in some cases, may take longer.

Notification

You can keep up to date with our progress and the completion of any remediation activities.

CHEF iQ will issue a security advisory when one or more of the following conditions are met:

• The severity of the vulnerability is rated CRITICAL by the CHEF iQ security team and CHEF iQ has completed the vulnerability response process, with sufficient mitigation solutions available to assist customers in eliminating all security risks.
• The vulnerability has been actively exploited and is likely to increase the security risk to CHEF iQ customers, or it is likely to increase public concern about the security of CHEF iQ products. In such cases, CHEF iQ will expedite the release of a security bulletin about the vulnerability, which may or may not include a full firmware patch or emergency fix.

Information on Minimum Security Update Periods

The Support Period for CHEF iQ components is actively maintained considering security updates from January 2022 to January 2027 (current stable version).

*This list is constantly being updated and subject to change without notice.

Models	Versions	Description
CQ60 Series	Version 2.0 & 3.0	Wireless thermometer