Narwal Vulnerability Management Policy

1. Introduction

The Information Security Team of Yunjing Intelligence Innovation (Shenzhen) Co., Ltd. (hereinafter referred to as "Narwal") remains committed to the security of Narwal products. We aspire to create a secure, steady, and reliable experience for customers when using our products and services.

We sincerely welcome you to assess the security of Narwal products and help us make our product more secure. If you discover potential vulnerabilities or other security issues in Narwal products, we would appreciate you reporting them to us promptly. Your participation is essential to user data privacy and security. We will carefully handle your feedback, respond positively to all reports, and communicate with you timely during vulnerability management. We will assess, identify, and fix vulnerabilities as soon as possible to ensure that they are properly addressed to make our products and services more secure.

This policy outlines the steps you can take to report vulnerabilities to us and clarifies Narwal's vulnerability management by the principle of good faith.

2. Definition

The vulnerability definition is in line with ISO/IEC 29147 (Information Technology Security Techniques Vulnerability Disclosure) and ISO/IEC 30111 (Information Technology Security Techniques Vulnerability Handling Processes).

3. Vulnerability reporting channels

You can use the report template to submit suspected vulnerabilities in Narwal products via email to Security@global.narwal.com. The Narwal Information Security Team will timely deal with any suspected vulnerabilities you report. Before reporting vulnerabilities, please use the PGP key (file fingerprint: 96D3 F592 9DF9 039F 1A60 85E4 B9DB 9B70 2011 C655) to encrypt the information. You can download the file here:

4. Vulnerability handling process

The Narwal Information Security Team is committed to improving the security of Narwal products and supporting the safe operation of customer networks and businesses. With a focus on product security development and vulnerability management and maintenance, the Narwal Information Security Team handles reported potential vulnerabilities in a well-established process that is in line with ISO/IEC 29147, ISO/IEC 30111, and other relevant standards. The process aims to enhance product security and ensure timely response to any vulnerabilities found.

5. Scope of products and services

This policy applies to Narwal's smart robot vacuum & mop combo and smart wet dry vacuum.

In addition, we welcome you to report vulnerabilities in Narwal's web pages, applets, App, and cloud services. Products and services beyond the life cycle are not covered.

6. Our Commitment

According to this policy, when working with us, we will:

Initially acknowledge your vulnerability report within 3 business days of receiving it and provide a tracking number.

Send a vulnerability receipt confirmation message within 30 days of the initial confirmation and provide a remediation deadline. If we do not accept the report, we will provide a reason and will continue to receive new information about the report.

After confirming the reported vulnerability, our engineers will fix the vulnerability and implement optimization.

If a vulnerability cannot be resolved within 90 days, we will extend the confidentiality period of working with you or provide other solutions.

7. Our Expectations

We expect that you can:

Observe the rules in this Policy and any other relevant agreements. In case of any inconsistency between this policy and any other applicable clauses and terms, this policy shall prevail.

Immediately report any vulnerabilities you discover.

Make every effort to avoid issues that violate user privacy, impact the user experience, and cause disruptions to production systems and data corruption during security tests.

8. Disclaimer

We may update this Vulnerability Management Policy from time to time, so please review this policy before submitting a vulnerability report. When we publish changes to this policy, we will revise the "Update Date" at the bottom of this policy.

Update Date: August 8, 2023