Meross Security Advisory Policy

Introduction

As a leading provider of smart home products such as HomeKit and Matter integrated devices, Meross takes security issues very seriously and is committed to ensuring the security of our users by protecting their data and personal information. We welcome security researchers to contribute to the security of our products. We will do our utmost to provide our users with secure, stable products and services. This policy is intended to give security researchers clear guidelines for conducting security research and to convey our preferences for how security advisories should be submitted to us.

This policy describes which products, services, and types of research are covered, how to send us security advisories, and how long we ask security researchers to wait before publicly disclosing the vulnerabilities they discover.

Authorization

If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized. We will work with you to understand and resolve the issue quickly, and we will not recommend or pursue legal action related to your research. Should legal action be initiated by a third party against you for activities that were conducted in accordance with this policy, we will make this authorization known.

Guidelines

Under this policy, “research” means activities in which you:

  • Notify us as soon as possible after you discover a real or potential security issue.
  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
  • Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish command line access and/or persistence, or use the exploit to pivot to other systems.
  • Provide us with a reasonable amount of time to resolve the issue before you disclose it publicly.
  • Do not submit a high volume of low-quality reports.
  • Do not intentionally compromise the privacy or safety of Meross personnel (e.g. civilian employees), or any third parties.
  • Do not intentionally compromise the intellectual property or other commercial or financial interests of any Meross personnel or entities, or any third parties.

Once you’ve established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.

Scope

This policy applies to the following products and services:

  • Internet-connectable smart products developed and manufactured by Meross.
  • Network-connectable smart products developed and manufactured by Meross.
  • Meross app for both Android and iOS developed and released by Meross.
  • Cloud services developed and offered by Meross.
  • *.meross.com

Any service not expressly listed above, such as any connected services, third-party services, and unauthorized modified services are excluded from scope and are not authorized for testing. Additionally, vulnerabilities found in services or systems from our vendors or third-party partners fall outside of this policy’s scope and should be reported directly to the vendor or third-party partner according to their Disclosure Policy (if any). If you aren’t sure whether a product or service is in scope or not, contact us at security@meross.com before starting your research.

Though we develop and maintain other internet-accessible products or services, we ask that active research and testing only be conducted on the products and services covered by the scope of this document. If there is a particular product or service not in scope that you think merits testing, please contact us to discuss it first. We will increase the scope of this policy over time.

Rules of Engagement

Security researchers must not:

  • Test any system other than the systems set forth in the 'Scope' section above.
  • Disclose vulnerability information except as set forth in the 'Reporting a Vulnerability' and 'Disclosure' sections below.
  • Engage in physical testing of facilities or resources.
  • Engage in social engineering.
  • Send unsolicited electronic mail to Meross users, including "phishing" messages.
  • Execute or attempt to execute "Denial of Service" or "Resource Exhaustion" attacks.
  • Introduce malicious software.
  • Test in a manner which could degrade the operation of Meross systems or services; or intentionally impair, disrupt, or disable Meross systems or services.
  • Test third-party applications, websites, or services that integrate with or link to or from Meross systems or services.
  • Delete, alter, share, retain, or destroy Meross data, or render Meross data inaccessible.
  • Use an exploit to exfiltrate data, establish command line access, establish a persistent presence on Meross systems or services, or "pivot" to other Meross systems or services.
  • Access unnecessary, excessive or significant amounts of data.
  • Break any applicable law or regulations.
  • Submit reports detailing non-exploitable vulnerabilities, or reports indicating that the services do not fully align with "best practice," for example missing security headers.
  • Demand financial compensation in order to disclose any vulnerabilities.

Security researchers must:

  • Cease testing and notify us immediately upon discovery of a vulnerability.
  • Cease testing and notify us immediately upon discovery of an exposure of nonpublic data.
  • Purge any stored Meross nonpublic data upon reporting a vulnerability.
  • Always comply with data protection rules and must not violate the privacy of any data the Organization holds. For example, do not share, redistribute or fail to properly secure data retrieved from the systems or services.
  • Securely delete all data retrieved during your research as soon as it is no longer required or within 1 month of the vulnerability being resolved, whichever occurs first (or as otherwise required by data protection law).

Security researchers should:

  • Comply with local regulations when conducting security research and reporting vulnerabilities.
  • Ensure that security research is based on the latest firmware and app version, and not based on any third-party or unofficial services.
  • Only report vulnerabilities through the dedicated channel provided below to ensure that any vulnerability will only be processed by the authorized team. Meross may receive reports from other channels but does not guarantee that the report will be acknowledged.
  • Write the report with all related details in English.
  • Use the report template from Meross so that we can obtain detailed information about the reported vulnerability to more accurately and quickly initiate the verification process.
  • Be fully aware that Meross has no vulnerability bounty program, which means that reporters will not receive payment for submitting vulnerabilities and that by submitting, reporters waive any claims to compensation.

Reporting Vulnerabilities

In order to help us triage and prioritize submissions, we recommend reporting vulnerabilities with the information below:

Where reports should be sent

We accept vulnerability reports at security@meross.com. Reports may be submitted anonymously at Security Advisory. We do not support PGP-encrypted emails at this time. For particularly sensitive information, submit through our HTTPS web form.

What information should be sent

In order to better process your reports, we strongly recommend submitting a vulnerability report according to the template we provide (hyperlink to template download address).

Typically, we will need the information listed below:

  • Product name and model number with hardware and software version (if any).
  • Meross app version (if any).
  • Brief description of the vulnerability with potential impact.
  • Reproduction steps (proof of concept scripts or screenshots are helpful).
  • Remediation suggestions (if any).
  • Contact information for further communication (if you choose to share with us).

By clicking "Submit Report," you are indicating that you have read, understand, and agree to the contents described in this policy for the conduct of security research and disclosure of vulnerabilities related to Meross, and consent to having the contents of the communication and follow-up communications stored and processed by Meross.

Acknowledgment and Response Procedures

If you share contact information with us when you submit the report, we will acknowledge receipt of your report within the time committed in the steps below. If you submit the report anonymously, we will not be able to reply to you.

The response procedure will be:

Step 1: Meross receives your report and acknowledges receipt of your report within 7 business days.

Step 2: Meross investigates and verifies the validity of the vulnerability within 15 business days from acknowledgement of receipt of your report. We may contact you if we need more information about the reported vulnerability.

Step 3: Once the vulnerability has been identified, we will develop and implement a remediation plan to provide a solution for all affected products and services.

For critical risk vulnerabilities: Remediation typically takes up to 30 calendar days from verification of the vulnerability and in some cases may take longer.

For high risk vulnerabilities: Remediation typically takes up to 60 calendar days from verification of the vulnerability and in some cases may take longer.

Step 4: Meross releases an OTA (over the air) update to all affected products or services.

Step 5: Meross monitors the stability of the updated products or services.

You can keep up to date with our progress and with the completion of any remediation activities.

Remediation and Update Mechanisms

Meross issues security advisories when vulnerabilities meeting one or more of the following criteria have been identified and mitigated:

1. The Meross security team rates the vulnerability as CRITICAL or HIGH severity and has completed the vulnerability response process, resulting in mitigation solutions to help customers eliminate associated security risks.

2. The vulnerability has evidence of active exploitation or is likely to substantially increase security risks to customers. Alternatively, public disclosure of the vulnerability may raise significant concerns about product security, even if risks are limited. In these cases, Meross aims to accelerate security bulletin releases, which may contain firmware patches, emergency fixes, or other guidance to improve protection.

The goal is to provide timely and transparent communication to customers when vulnerabilities surpass risk thresholds, so they can take appropriate actions to safeguard systems. Meross aims to work diligently to identify issues, develop fixes, and notify users of critical security findings.

Disclosure

Meross is committed to timely correction of vulnerabilities. However, we recognize that public disclosure of a vulnerability in the absence of a readily available corrective action is more likely to increase risk than to decrease it. Accordingly, we require that you refrain from sharing information about discovered vulnerabilities for 180 calendar days after you have received our acknowledgement of receipt of your report. If you believe others should be informed of the vulnerability before we implement corrective actions, we require that you coordinate with us in advance.

Legalities

This policy is designed to be compatible with common vulnerability disclosure good practices. It does not give you permission to act in any manner that is inconsistent with the law, or which might cause Meross to be in breach of any legal obligations.

Questions

Questions regarding this policy may be sent to security@meross.com. We also invite you to contact us with suggestions for improving this policy.