Vulnerability Declaration Affecting Enki Home

🔐 Reporting a security vulnerability

At Enki Home, the security of our users and their data is a top priority. If you have identified a vulnerability or security flaw in our mobile application or our systems, we invite you to inform us in the following way:


🛡️  Vulnerability Disclosure Policy 

1. Scope of our policy

This policy applies to any vulnerability you may discover on our systems or products.

🔍 In-scope assets:

  • Our range of connected IoT products (plugs, bulbs, cameras, etc.)

  • Our official mobile applications (iOS and Android)

  • Our cloud platform and associated publicly accessible APIs

🚫 Out-of-scope vulnerabilities:
To focus our efforts on the most critical threats, we do not accept reports concerning:

  • Denial of Service (DoS/DDoS) attacks

  • Results of automated scans without concrete proof of exploitability

2. Rules of Engagement and "Safe Harbor"

We commit not to take legal action against anyone reporting a vulnerability in good faith, provided that the following rules are respected:

  • You are acting with the aim of improving security, with no intention of harming our company or our users

  • You do not view, modify, or delete any data that does not belong to you

  • You grant us a reasonable amount of time to fix the flaw before any public disclosure (coordinated disclosure principle)

  • You do not perform any action that could degrade the performance of our services (e.g., DoS attacks)


📧 How to report a vulnerability

Our commitment to handling vulnerabilities

Enki is committed to handling reported vulnerabilities transparently and diligently. We have defined four criticality levels based on the Common Vulnerability Scoring System (CVSS) or an equivalent internal assessment.

Criticality Level Description (Examples) Acknowledgment and first assessment Resolution target
Critical Allows remote takeover of the product, massive leak of personal data. 2 business days 15 days
High Allows bypassing important security mechanisms, accessing sensitive data. 3 business days 30 days
Medium Allows service degradation, limited leak of non-sensitive data. 5 business days 90 days
Low Security flaws with minor impact or difficult to exploit. 10 business days Next major update

Please send an email to the following address:
📬 security@enki-home.com

In your message, please include as much information as possible to help us understand and reproduce the issue. Your contact information will be processed in accordance with GDPR. We thank you for using the template below to structure your report.

Hello,

I would like to report a security vulnerability concerning one of your products. Here are the necessary details to identify and reproduce the issue:

1. Information about the affected component
- Object reference: [Insert product or component reference, e.g., "Model XYZ-2023", "Firmware v1.2.3"]
- Type of box/Object: [Specify the model of the box or the environment concerned, e.g., "Connect Box", "VLINK Bulb"]
- Software/firmware version: [Indicate the exact version, e.g., "Firmware 2.0.1", "Mobile app v2.5.1"]

2. Description of the vulnerability
- Type of flaw: [For example: "SQL Injection", "Buffer Overflow", "Weak Authentication"]
- Detailed description: [Precisely describe the vulnerability, its mechanism, and the conditions required to exploit it]
- Proof of concept (PoC): [If possible, provide steps to reproduce the flaw or an example of code]

3. Potential impact
- Possible consequences: [For example: "Unauthorized access to user data", "Remote code execution", "Denial of service"]

4. Contact information (optional but recommended)
- Name or Pseudonym: [For our thanks]
- Contact: [Your email]

5. Additional information
- Date of discovery: [DD/MM/YYYY]
- Other relevant details: [For example: "The flaw has been tested on several similar devices"]

📬 Response and follow-up

After receiving your report, here is how we proceed:

  1. Acknowledgment of your email based on the criticality (see table).

  2. Assessment of the vulnerability according to the criteria above.

  3. Contacting you for further clarification if necessary.

  4. Correction prioritized according to the criticality level.

  5. Notification as soon as the vulnerability is resolved (whenever possible).


🙏 Thank you for your vigilance

Your contribution to the security of our platform is valuable. We thank everyone who helps us maintain a high level of security for all our users.


Related articles

Submit a request