Security Response Policy

niolabs is committed to providing timely security updates for our products which customers trust for critical IoT operations. This document outlines the steps that will be taken upon the discovery of a security vulnerability within the nio Platform.

Critical Vulnerability

A critical vulnerability is defined as one that can be exploited by an unauthenticated attacker outside of the nio Platform. Such an exploit can break a device or compromise the confidentiality, integrity, and availability of instance data without user interaction. This class of exploit could be used to affect an entire system.

Reporting

Security vulnerabilities can be reported either internally or by our customers. Through internal security audits, niolabs always prioritizes the discovery and resolution of security vulnerabilities within our product. Customers can report security vulnerabilities by sending an email to engineering@niolabs.com. niolabs will provide continued updates to the reporter of an issue as it is being resolved. When possible, niolabs will also provide reporting customers with steps that can be taken to prevent exploitation after an initial analysis of the issue.

Notification

In the event that a reported security vulnerability is classified as critical, niolabs will notify affected users through email. The owner of each niolabs organization will be notified with appropriate recommended steps to prevent exploitation of the security vulnerability. Additionally, in the case of a reported critical vulnerability, a post will be made on the niolabs forum (https://forum.n.io) with information about the security vulnerability and steps that can be taken to prevent exploitation.

Resolution

niolabs will always prioritize the resolution of a discovered security vulnerability within our internal product development. In our commitment to security updates, an update on a resolution will be provided no less often than every 30 days following discovery. Per the niolabs notification policy, those affected by a vulnerability being resolved will be notified through email, and a public forum post will be made at the time of a product release or during a 30-day notification period.