Midea is committed to enhancing the safety of its products and fully supports the secure operation of its customer networks and businesses. The company places great importance on vulnerability management in product development and maintenance, and follows ISO/IEC 30111, ISO/IEC 29147 and other standards to establish a complete vulnerability handling process to enhance product safety and ensure timely response when vulnerabilities are discovered.
If you believe that you have discovered a security or privacy vulnerability in a Midea product, you can fill out the template and send the security issue directly to: iotsecurity@midea.com.
We will respond to our customers as soon as possible to acknowledge receipt of vulnerability information. Our enterprise audit specialist will conduct a preliminary review of the vulnerability within 3 working days (the review speed may slow down during statutory holidays or when there is a surge of vulnerabilities, but it will be completed within 5 working days), to confirm the validity and scope of the suspected vulnerability.
The security team of Midea will analyze and verify vulnerabilities together with the product team, evaluate the severity level of the vulnerabilities based on their actual impact on the product, determine the priority of patches, and develop vulnerability remediation plans (including mitigation measures, patches/versions, and other risk reduction plans that customers can execute). We will regularly update the vulnerability reporter on the progress of vulnerability fixes, and based on the principles of minimizing harm and reducing risk, we will release vulnerability information to stakeholders to support customers in assessing the actual risk of vulnerabilities to their networks.
Vulnerability Closure and Announcement
The company confirms the vulnerability fix and closes the vulnerability. After the vulnerability lifecycle ends, the relevant information and repair methods will be announced in the "Security Bulletins", and we will send an email to the user who submitted the vulnerability to inform them that it has been fixed.
Throughout the vulnerability handling process, the emergency response team of Midea will strictly control the scope of vulnerability information and only pass it on among relevant personnel handling the vulnerability. At the same time, we also request that reporters keep the vulnerability information confidential until our customers obtain a complete solution. The company will take necessary and reasonable measures to protect the data obtained in accordance with legal and compliance requirements. Unless specifically requested by affected customers or required by law, the above data will not be shared or disclosed to other parties proactively.
Based on the comprehensive score of the Security Severity Rating (SSR) vulnerability severity level assessment, Midea classifies vulnerabilities into five levels: Critical, High, Medium, Low, and Informational.
Due to the diversity of integration methods and scenarios of third-party software/components in Midea products, the company will adjust the vulnerability rating of third-party software/components according to the specific scenarios of the product to reflect the true impact of the vulnerability. For example, if an affected module of a certain third-party software or component is not in use, the associated vulnerability would be considered "unexploitable and unaffected". If the existing evaluation system cannot cover the dimensions of evaluation, Midea is responsible for explaining the evaluation results.
If the following three criteria are met at the same time, Midea will identify the vulnerability as "High Profile":
For "High Profile" third-party vulnerabilities, Midea will check all product versions, and after confirming the vulnerability as "High Profile", it will release an SN (Security Notice) within 24 hours to notify relevant customers of Midea's handling of the vulnerability. When a vulnerability patch solution is available, Midea will provide risk decision-making and mitigation support for affected customers through an SA (Security Announcement). For third-party vulnerabilities that are not classified as "High Profile", the company will explain them in the version/patch instructions.
There are two ways in which Midea discloses security vulnerabilities in its products:
When one or more of the following conditions are met, Midea will release an SN or SA to provide customers with real-time risk decision support:
Please update your applications and devices in a timely manner, as this is one of the most important measures to maintain the security of Midea products. Obtain the latest software updates from the official website:
For specific product/software version vulnerability fixes, please refer to the announcement: jump to the security notice page.
The following definitions are used in this strategy:
| Name | Definition |
| --- | --- |
| ISO/IEC 29147 | Guidelines on the disclosure of potential vulnerabilities developed by the International Organization for Standardization (ISO) |
| ISO/IEC 30111 | Vulnerability management process developed by the International Organization for Standardization (ISO) |
| CVSS | Common Vulnerability Scoring System |
| SSR | Security Severity Rating |
| Online risk | There are various security threats and risks on the Internet, including but not limited to cyber attacks, data breaches, phishing, malware, identity theft, etc. These risks may result in adverse consequences such as economic losses, reputational damage, and information leakage for individuals, businesses, organizations, etc. In order to reduce the risks on the Internet, people need to take a series of measures, such as using strong passwords, regularly updating software, installing anti-virus software, and not easily disclosing personal information. |