Vulnerability Disclosure Policy
Published: 2025-10-10
Last Updated: 2026-01-06
1. Introduction
At YoSmart Inc., the security of our users and the reliability of our YoLink ecosystem are our top priorities. We understand that despite our best efforts, vulnerabilities may exist in our software and hardware.
We highly value the global security research community. If you believe you have found a security vulnerability in a YoSmart product, service, or web application, we encourage you to inform us as quickly as possible. This policy outlines the steps for reporting vulnerabilities to us, what we expect, and what you can expect in return.
2. Scope
This policy applies to the following assets owned or operated by YoSmart Inc.:
In-Scope:
- Web Properties: *.yosmart.com
- Mobile Applications: YoLink App (iOS & Android)
- Hardware Devices: Current generation YoLink Hubs, Sensors, Controllers, and other smart home devices officially released and supported by YoSmart.
- Cloud Services: APIs and backend services used by our mobile apps and IoT devices.
Out-of-Scope:
- Third-party services or integrations not owned or controlled by YoSmart.
- Volume-based denial of service (DoS/DDoS) attacks or traffic flooding.
- Social engineering (phishing) of YoSmart employees or customers.
- Physical attacks against YoSmart offices or data centers.
3. Safe Harbor (Legal Protection)
YoSmart considers good-faith security research to be a valuable contribution. If you conduct your security research in good faith and in accordance with this policy, we commit to the following:
- We will not pursue legal action against you for good-faith security research conducted in accordance with this policy.
- We will consider your research to be authorized for the purposes of this policy, provided it is conducted in good faith and in accordance with the Rules of Engagement.
- If a third party initiates legal action against you for activities conducted under this policy, we will make it known that your actions were authorized by us.
This safe harbor does not apply to actions that are unlawful, malicious, disruptive, or outside the scope of this policy.
4. Rules of Engagement
To protect our users and maintain the integrity of our services, we request that you:
- Do not access, modify, or delete data that does not belong to you.
- Do not execute attacks that could degrade the experience of other users (e.g., DoS).
- Do not exploit vulnerabilities beyond what is necessary to demonstrate their existence.
- Do not publicly disclose vulnerability details until YoSmart has had a reasonable opportunity to investigate and remediate the issue.
- Provide us with sufficient information to reproduce the vulnerability.
YoSmart reserves the right to determine whether a reported issue qualifies as a security vulnerability and whether it falls within the scope of this policy.
5. Responsible Disclosure Timeline
We request that vulnerabilities be reported privately and responsibly.
A reasonable remediation period is typically 30–90 days, depending on the severity and complexity of the issue. We kindly ask that public disclosure not occur prior to coordination with YoSmart.
6. How to Report a Vulnerability
Please submit your report via email to:
📧 security@yosmart.com
This email address is the official and preferred channel for vulnerability disclosure to YoSmart.
To help us triage and fix the issue efficiently, your report should include:
- Description: The nature of the vulnerability and the potential impact.
- Location: The specific URL, IP address, device model, or code path affected.
- Proof of Concept (PoC): Steps to reproduce the issue (screenshots, video, or code scripts are highly appreciated).
- Version Information: Firmware version or app version number, if applicable.
- Secure Communication: If your report contains sensitive information (e.g., PoC code, user data), we encourage you to encrypt your email using our PGP Key (Get Key).
7. Our Commitment to You
When you submit a vulnerability report, YoSmart commits to:
- Acknowledging receipt of the report within three (3) business days
- Assessing and validating the reported issue
- Determining the severity and remediation approach
- Providing reasonable status updates during remediation
- Notifying the reporter once the issue has been resolved
Recognition
With the reporter’s permission, YoSmart may, at its discretion, acknowledge significant contributions through public recognition (such as a Security Hall of Fame or release notes) or other non-monetary tokens of appreciation.
YoSmart does not currently operate a cash-based bug bounty program.
8. Thank You
We appreciate the efforts of security researchers who help keep YoSmart and our users safe. Responsible disclosure enables us to address issues efficiently while minimizing risk to our customers and the broader ecosystem.
Thank you for your contribution to improving security at YoSmart Inc.