Product security

 

Eve products are built on top of the Matter and HomeKit standards, which were created with security and privacy as key design tenets.

 

More info about Matter
https://csa-iot.org/all-solutions/matter/

 

More information about security for the Matter standard
https://csa-iot.org/resources/security/

 

Technical Matter Security Whitepaper
https://csa-iot.org/wp-content/uploads/2022/03/Matter_Security_and_Privacy_WP_March-2022.pdf

 

Reporting a vulnerability to CSA (Matter standard)
https://csa-iot.org/vulnerability-reporting/

 

Reporting a vulnerability to Eve
[email protected]


Declaration of conformity and MSDS
 

Readiness for Market Surveillance by EU Authorities: 

  • Technical documentation (e.g., test reports, compliance certificates) readily available on www.evehome.com/doc
  • EU-based responsible person: Eve Systems GmbH, Rotkreuzplatz 1, 80634 München, Deutschland, www.evehome.com 


Documentation and Information: 

  • Product identification on the product and packaging (serial number, product number, model number) 
  • Manufacturer name and contact information on the product, on the packaging, and in the accompanying printed "Important Safety Instructions" document.
  • Safety information in the official language(s) of each EU country where the product is sold can be found in the accompanying printed "Important Safety Instructions" document. This includes information about the Wi-Fi, Thread, or Bluetooth radios’ compliance with the Radio Equipment Directive (RED) and a link to the Declaration of Conformity document.

 

 

Security Content

 

If you believe that you've discovered a security or privacy vulnerability that affects Eve devices, software, or services, please report it directly to us at [email protected]. Reports should include the specific product and software version(s) that you believe are affected; a technical description of the behavior that you observed and the behavior that you expected; the steps required to reproduce the issue; and a proof of concept or exploit.

 

We welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible.

 

The Eve security team will use reasonable efforts to respond in a timely manner, acknowledge receipt of the vulnerability report, provide an estimated time frame for addressing the vulnerability report, and notify the reporter when the vulnerability has been fixed.

 

 

Responses

Time to Resolution: dependent on severity and complexity

We’ll try to keep you informed about our progress throughout the process.

 

 

Eligible Vulnerabilities

We encourage disclosure of any security vulnerabilities that have the potential to impact the security or privacy of our customers. When submitting a vulnerability report, please provide concise, easily understood steps to reproduce the issue.

 

 

Disclosure

For the protection of our customers, Eve Systems doesn't disclose or discuss security issues until our investigation is complete and any necessary updates are generally available.

 

 

Rewards

This program does not provide monetary rewards for bug submissions.

 

 

Protected Disclosure

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you.

 

 

Terms and Conditions

  • Do not attempt to gain access to another user’s account or confidential information.
  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
  • Please do not test for spam, social engineering, or denial of service issues.
  • Please do not engage in any activity that can potentially or actually cause harm to Eve Systems, our customers, or our employees.
  • Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.
  • Do not store, share, compromise, or destroy Eve Systems or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Eve Systems.