Blueair Vulnerability Disclosure Policy


1. Introduction



Blueair is committed to protecting the safety and security of our customers, our users, and our company. If you believe you have identified a security issue or vulnerability in one of our websites, connected devices, or software (“Blueair products”), we thank you for reporting it as quickly as possible. 


When properly notified of legitimate issues, we will do our best to acknowledge your vulnerability report, assign resources to investigate the issue, and fix potential problems as quickly as possible. Whether you are a user of Blueair products, a software developer, or simply a security enthusiast, you are an important part of this process.


2. Reporting a Security Issue or Vulnerability


If you believe you have found a security issue or vulnerability, please submit your findings by sending an email to infosec@blueair.com with the subject line "Security Issue."


Please provide specific product and software version(s) that you believe are affected; a technical description of the behavior that you observed and the behavior that you expected; the steps required to reproduce the issue; and, if applicable, a proof of concept or exploit.


In all cases, you must:


- Respect our privacy. Contact us immediately if you access anyone else’s data, personal or otherwise. This includes usernames, passwords and other credentials. You must not save, store or transmit this information.

- Act in good faith. You should report the vulnerability to us with no conditions attached.

-Work with us. Promptly report any findings to us, stopping after you find the first vulnerability and requesting permission to continue testing. Allow us a reasonable amount of time to resolve the vulnerability before publicly disclosing it.


And you must not:


- Exfiltrate data. Instead use a proof of concept to demonstrate a vulnerability.

- Exploit a vulnerability to disable further security controls.

- Perform social engineering.

- Use automated scanners.


We do not offer financial compensation or any other form of reward for submissions. Also, we will not refund any expenses you may have incurred.


3. Response and Resolution


We are committed to acknowledging the receipt of your report within 3 business days. Our security team will investigate the reported issue promptly and keep you informed of the progress.


Once the issue is verified, we will work on resolving it. We appreciate your patience and cooperation during this process.


4. Legal Protections


This policy is designed to be compatible with good practices among security researchers. It does not give you permission to act in any manner that is inconsistent with the law, or which might cause Blueair to be in breach of any of its legal obligations, including but not limited to:


- The Computer Misuse Act 1990

- The General Data Protection Regulation 2016/679 (GDPR) and the Data Protection Act 2018


To the extent compatible with its legal obligations, Blueair will not take civil action against or seek prosecution of security researchers who report any security vulnerability on a Blueair Product where the researcher has acted in good faith and in accordance with this disclosure policy.


5. Policy Violations


Any attempt to exploit a security vulnerability without following this disclosure process is strictly prohibited, and legal action may be taken.


6. Policy Updates

This policy may be updated from time to time. Check this page regularly for the latest information.


Thank you for helping us maintain the security of our IoT devices/products.