Incident Response
We place great importance on security and encourage security researchers to responsibly disclose any potential vulnerabilities. Your reports help us enhance the security and resilience of our products and services.
Vulnerability Response and Disclosure Process
Recipient
Monitor and assign received vulnerability reports in a timely manner.
Verification
Verify the reported vulnerability and confirm its exploitability and potential impact.
Solution Development
Provide effective fixes or appropriate risk remediation measures.
Affected Scope Confirmation
Investigate and confirm the full scope of affected products.
Release SA
Review and publish the security advisory for the identified vulnerability.
Reporting Vulnerabilities
You can report vulnerabilities via email or via contact form.
The detailed reporting methods are as follows:
Email Reporting
Send vulnerability reports to: vulnerabities@balcobrands.com
The email should include at a minimum:
- Your organization and contact information
- The affected products and their versions
- A detailed description of the potential vulnerability
- Information on any known exploits
- Your planned disclosure timeline
- Any additional relevant information
Contact Form
The form below can be used to submit a potential vulnerability.
Please note all fields are mandatory.
Platform Announcements
In future we will list any announcements regarding potential vulnerabilities or investigations here.
Safe Harbor and Responsible Disclosure
- Unauthorized modification, deletion, or destruction of data
- Disruption or degradation of services, including Denial of Service (DoS) attacks
- Disclosure of personal, proprietary, or financial information
By following responsible disclosure practices, researchers can help us improve security while minimizing risk to our users and systems.
Response Time
Upon receiving a reported vulnerability, we will provide a response within 5 working days, depending on the reporting platform used:
- Vulnerabilities reported via the Balco Security Centre:
We will send a vulnerability response notification, confirm the submitted information, and provide feedback related to the reported vulnerability via email. Progress updates on the vulnerability remediation will also be provided continuously via email as soon as possible. - Vulnerabilities reported via email:
We will send a vulnerability response notification, confirm the submitted information, and provide feedback related to the reported vulnerability via email. Progress updates on the vulnerability remediation will also be provided continuously via email as soon as possible.
Note: Actual response times may vary depending on the severity, risk level, and complexity of the reported vulnerability.
Vulnerability Disclosure Instructions
Balco discloses security vulnerabilities in its products in two ways:
- Security Advisory (SA): When the vulnerability has been confirmed, we will disclose detailed information about the vulnerability and the corresponding fix within 180 days of completing the vulnerability analysis and developing a fix plan through a SA.
- Security Notice (SN): When a potential vulnerability is discovered or reported externally, but has not yet been confirmed, we disclose the basic information of the vulnerability and our investigation progress through an SN.
The vulnerability information shall be kept confidential until Balco releases the Security Advisory or Security Notice to the public.
Balco discloses security vulnerability information via Platform Announcements above.
Note: Actual vulnerability disclosure times may be adjusted based on the publisher’s disclosure plan, the vulnerability remediation development plan, potential negative impacts of the solution, and the disclosure plans of other service providers.
Support Duration List
| Model | Product Name | Support Period | End of Support Date |
| CE220799-F | Fitness Tracker | 3 Years | 23 May 2029 |