Vulnerability Disclosure Policy
Küche will provide security update support to our devices up to 31st March 2026, and extended support may be provided after the stated date. Küche is committed to ensuring the security of our products and we welcome feedback from security researches in order to improve the security of our products. This policy is intended to give security researchers a clear guideline for conducting vulnerability discovery activities and to convey our preferences in how to submit discovered vulnerabilities to us. Please review this policy before attempting to test or report a vulnerability.
Guidelines
We required that all researchers:
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing.
- Perform research only within the scope set out below.
- Use only identified communication channels for vulnerability reporting as stated in this policy.
- Keep information about any vulnerabilities that you discovered confidential between yourself and Küche until disclosure is approved by Küche.
- Remain communicative and cooperative as we work together through this process.
If you follow these guidelines when reporting an issue to us, we commit to:
- Not pursue or support any legal action related to your research related to a vulnerability.
- Work with you to understand and resolve the issues associated with the vulnerability.
- Küche recognize your contribution if you are the first person to report the vulnerability and we make a product modification or configuration change based on the reported vulnerability.
Test Methods
All researchers are to take into account the respect for the law. Vulnerability scanning could not serve as a pretext for attacking a system or any other target and reporting a vulnerability does not imply being exempt from compliance.
Several actions must be avoided. For example:
- Using social engineering
- Compromising the system and persistently maintaining access to it
- Changing the data accessed by exploiting the vulnerability.
- Using malware
- Using the vulnerability in any way beyond proving its existence. To demonstrate that the vulnerability exists, the reporter could use non-intrusive methods. For example, listing a system directory.
- Using brute force to gain access to systems
- Sharing vulnerability with third parties
- Performing DoS or DDoS attacks
Reporting a vulnerability
If you believe you’ve found a security vulnerability in one of our products or platforms, please send the Finding report to us by emailing to life@cityenergy.com.sg
Please include the following details in your report with regards to the below specific templates.
Hardware:
Product name & hardware model/revision/serial number
Expected correct usage
Actual usage after vulnerability exploit
Steps to reproduce the vulnerability
Risk Assessment (impact level finder sees the vulnerability as – High/Med/Low)
Configurations of hardware (connections, software, debug connections, etc.)
Example exploit source code (if any)
Finder(s) contact information
Firmware:
Product name & firmware version
Expected correct usage
Actual usage after vulnerability exploit
Steps to reproduce the vulnerability
Risk assessment (impact level finder sees the vulnerability as – High/Med/Low)
System & Hardware configurations (MAC address, etc.)
Example exploit source code (if any)
Finder(s) contact information
Cloud:
Country the finder is from
Time and date of discovery (if known)
Username/email involved in producing the vulnerability
User inputs required to reproduce the vulnerability
Expected correct usage
Actual usage after vulnerability exploit
Steps to reproduce the vulnerability
Risk Assessment (impact level finder sees the vulnerability as – High/Med/Low)
System configurations (if relevant to vulnerability)
Example exploit source code (if any)
Finder(s) contact information
Application (Android/iOS/Web):
APP name & version
Host Operating System (OS) & OS version
Expected correct usage
Actual usage after vulnerability exploit
Steps to reproduce the vulnerability
Risk Assessment (impact level finder sees the vulnerability as – High/Med/Low)
System configurations (if relevant to vulnerability)
Example exploit source code (if any)
Finder(s) contact information
Our Actions
Upon receiving your report, we will:
- Acknowledge your report within seven working days
- Request for additional information that may be required for us to investigate
- Seek your cooperation to confirm the existence of the vulnerability
- Inform you the estimated time we need to resolve the vulnerability and provide a patch to the product(s) involved. Our goal is to fix it within ninety days upon confirmation
- Provide regular status updates based on our severity classification after doing impact analysis, until the resolution of the reported issues
- For urgent and critical cases, daily updates will be provided
- For other cases, weekly updates will be provided
- Notify you when the fix is complete
- In appropriate cases, release information of the issue to our consumers or public for awareness and what they can do
- Conduct an internal review on the shortcomings and improve our processes and products