Product
Vulnerability Disclosure Policy
We see security as the lifeline of our products and take user privacy and data protection seriously. Whether you are a TerraMow security product user, a third-party developer, or an independent security researcher, your findings are vital to improving our products and protecting users. We welcome and appreciate your collaboration in disclosing security issues.
1. Who can report
Anyone who discovers a potential security issue in TerraMow products or services.
2. How to report
If you discover a security vulnerability in a TerraMow product or experience a security incident, please send the relevant information to support@terramow.com.
3. What to include in your report (recommended)
Affected product/firmware/software version and device model
Detailed steps, reproduction method, and environment information
Impact and risk assessment (if available)
Optional: PoC (proof of concept), logs, screenshots, or screen recordings
Whether you prefer to remain anonymous or be credited upon public disclosure.
4. How we handle reports (aligned with ISO/IEC 30111 and CVSS 3.1)
4.1 Acknowledgment: We will confirm receipt within 1 business day and conduct an initial assessment.
4.2 Request for details: If needed, we will contact you for additional confidential information to help reproduce and verify the issue.
4.3 Verification and evaluation: We will reproduce, verify, and score the vulnerability using CVSS 3.1.
4.4 Fix and validation: For confirmed issues, we will develop and implement patches or mitigations and verify fixes across relevant product lines.
4.5 Release updates: We will deliver updates or patches to affected devices via official channels such as OTA(over-the-air).
4.6 Monitor and follow up: After release, we will monitor stability and security effectiveness and continue optimizing if necessary.
5. Target timelines
-Report acknowledgment: within 1 business day.
-Initial assessment: within 3 business days, with a preliminary response plan
Target fix timelines:
-Critical: fix within 3 business days
-High/Medium: fix within 30 business days or implement actionable mitigations
-Low: fix within 180 business days or take appropriate measures.
Note: Some issues may be constrained by hardware, deployment environment, or third-party dependencies. Final timelines will be determined by actual conditions. We will keep you informed throughout the process.
6. Confidentiality and coordinated disclosure
We will protect reporter information and vulnerability details from public disclosure until fixes are in place and coordination is complete.
We welcome coordination on public disclosure timing. If you wish, we can credit you in the disclosure (or keep you anonymous upon request).
7. Additional notes
We encourage responsible disclosure: please avoid publishing details before coordinating with us to prevent risk to users.
We appreciate the professional contributions of individuals and teams who help us improve security. Rewards or collaboration options can be discussed in follow-up communication.
Thank you for helping TerraMow protect user security. We take every report seriously—your findings and support drive our continuous improvement.