Security, product support and coordinated vulnerability disclosure policy

Last update on: May 28, 2026

This page explains Chipolo’s approach to product security support and where to find product-specific regulatory and compliance information, including applicable support periods and formal compliance documents. It also serves as Chipolo’s coordinated vulnerability disclosure policy.

    Security and product support

    Support-period information for current products and End-of-Life information for legacy products is available at chipolo.net/regulatory.

    For each applicable product, the regulatory page identifies how long users can expect to receive relevant security updates.

    Secure setup and operation

    To help keep your Chipolo products secure:

    • Keep your Android or iOS device updated with the latest available operating system updates.
    • Ensure Bluetooth and any required Chipolo app permissions on your device are enabled so your product can communicate with the app and receive available updates.
    • Install the Chipolo app from the Apple App Store or Google Play and keep it updated to the latest version.
    • Make sure your Chipolo is added to the Chipolo app, as firmware updates are delivered through the app and may require user action, depending on the product.
    • Regularly check the Chipolo app for any available firmware updates and apply them.

    Information on resetting, removing a product from an account, and deleting associated user data is available in Chipolo’s product support and privacy information. 

    Compliance documents

    Product-specific regulatory, safety, and economic-operator information, including applicable warnings and consumer-use information, is available at chipolo.net/regulatory.

    Default passwords

    For products within scope of the UK PSTI regime, Chipolo does not use universal default passwords. Where authentication is required, credentials are unique per product or set by the user.

    Coordinated vulnerability disclosure

    We operate a coordinated vulnerability disclosure process. If you believe you have identified a security vulnerability in a Chipolo product, the Chipolo app, or web services and infrastructure operated by Chipolo, please contact us at security@chipolo.net.

    We review all vulnerability reports in good faith. Our security team will initiate triage and validation of critical reports promptly and without undue delay. For non-critical reports, we aim to provide an initial response within 7 business days. Where required by applicable law, Chipolo will comply with its cybersecurity incident and vulnerability reporting obligations.

    Out of scope

    To ensure we can focus on actionable threats, the following issues are considered out of scope. While we welcome the information, you should not expect a timely response for reports consisting solely of:

    • Missing HTTP security headers or flags (e.g., Strict-Transport-Security, X-Frame-Options) without a demonstrable exploit.
    • Email configuration issues (e.g., missing or weakly configured SPF, DKIM, DMARC).
    • SSL/TLS configuration issues (e.g., weak ciphers) without a demonstrable exploit.
    • Output from automated vulnerability scanners without a demonstrable exploit or a proper example of how the output can be weaponized.
    • Clickjacking on pages with no sensitive actions.
    • Physical attacks, destructive hardware tampering, or techniques requiring specialized laboratory equipment, unless the report demonstrates a practical cybersecurity impact under reasonably foreseeable use or misuse.
    • Vulnerabilities residing in third-party platforms, underlying operating systems (iOS/Android), or partner finder networks, including Apple Find My and Google Find Hub.

    Additionally, reports concerning the misuse of an otherwise functioning device, without an identified cybersecurity vulnerability (for example, unwanted tracking), are outside the scope of this vulnerability disclosure process. If you believe you are at immediate risk or may be the victim of unlawful conduct, contact local law enforcement or appropriate safety-support services.

    What to include in a report

    To help us validate and address a reported vulnerability efficiently, please include as much relevant detail as possible, such as the affected Chipolo product, app, service, firmware or software version, the steps required to reproduce the issue, the potential security impact, and any proof-of-concept, logs, screenshots, or videos that can be shared safely. Please also tell us whether the vulnerability appears to be publicly known or actively exploited, and include a reliable way for us to contact you for follow-up questions.

    Security advisories and user notification

    When Chipolo resolves a vulnerability that may affect users, we will provide appropriate information and remediation guidance through suitable communication channels, which may include product support pages, security advisories, app notifications, firmware or software update notes, or direct communication where appropriate. Public information may include the affected product or service, a description of the impact, severity where applicable, available mitigations or updates, and recommended user actions, unless delayed disclosure is necessary to reduce security risk.

    Privacy and data processing

    When you submit a vulnerability report to security@chipolo.net, Chipolo d.o.o. collects limited personal data (such as your name or alias, email address, and communication history) strictly for the purposes of triaging the report, communicating with you regarding the vulnerability, and fulfilling our regulatory obligations.

    We process this data under the lawful basis of legitimate interest and legal obligation. Your personal data will be stored securely, accessed only by authorized internal personnel, and retained only for as long as necessary to mitigate the vulnerability and meet regulatory reporting timelines.

    We may disclose information contained in a report where required by law, including to competent authorities, while limiting any personal data shared to what is necessary.

    For more information on how we handle personal data, or to exercise your rights to access, rectify, or erase your data, please refer to our full Privacy policy at chipolo.net/privacy.

    Safe harbor

    We consider security research and vulnerability disclosures to be authorized as long as they are conducted in good faith and in accordance with these disclosure guidelines.

    To remain protected under this Safe Harbor, you must:

    • Keep all vulnerability details strictly confidential and not expose any user, financial, or proprietary data to the public. Any public disclosures after a mitigation or a fix has been made should be coordinated with us.
    • Avoid privacy violations, destruction of data, and interruption or degradation of our services (e.g., no Denial of Service attacks).
    • Avoid social engineering, phishing, or physical attacks against Chipolo employees, offices, or our supply chain.

    If you follow these guidelines and act in good faith, Chipolo does not intend to pursue legal action against you for your research. Please note that this legal protection applies only to systems under Chipolo's direct control and cannot extend to third-party networks or platforms, such as Apple Find My or Google Find Hub.