AVS Security Agreement

Alexa Voice Service (AVS) Security Agreement

Universal Electronics Inc. follows advanced best practice security and privacy features for our products and services, as well as for managing security events. UEI operates under a security policy, which guides our incident management and risk assessment activities relating to potential security and potential privacy vulnerabilities identified in our products and services.

  • In order to prevent unauthorized access or disclosure, UEI has put in place suitable physical, electronic and managerial procedures to safeguard and secure the information collected online and transferred to third parties. UEI monitors all systems continuously.
  • UEI will release software updates for vulnerabilities in OS or OSS components within a reasonable time window approved by Amazon. By default, this is 3 months for fixes for critical and high severity vulnerabilities and 6 months for fixes for medium severity vulnerabilities as defined by NIST CVSSv2. Fixes for low severity vulnerabilities will be bundled with existing updates where feasible and appropriate.
  • UEI will release software updates as soon as commercially possible for vulnerabilities under active exploitation or with a high degree of public attention. By default, such a vulnerability will be treated as a critical or high severity issue and will be fixed within 3 months.
  • UEI will push device firmware updates via an Over-The-Air (OTA) mechanism, which means that there’s no need to connect the device to another one to install those updates. These OTA updates will be automatic and will follow standard OTA procedures. For a device to receive an OTA update, the device will have to be plugged in and securely connected to the internet.
        • OTA updates will be delivered to any connected product following an internal review and approval process.
        • A typical new firmware update includes rolling out new features that are part of the previously agreed product roadmap, and/or performance enhancements, and/or any security patches.
        • The OTA release cycle will generally be quarterly. This estimate includes the development effort and the internal review and approval process. There may be flexibility to accommodate special releases that address higher severity vulnerabilities.
  • UEI will monitor third party software (including open source software) used by the device for publicly disclosed vulnerabilities.
  • UEI will release security patches for a minimum time period approved by Amazon. By default, this is 5 years from the date of a public release for a device.
  • If a security incident arises, UEI will notify Amazon (via avs-security@amazon.com) within 24 hours of any security incident that affects the device or a service associated with the device.
        • There will be a dedicated resource within UEI to review and manage incidents as they come in.
        • UEI will submit a documented plan to Amazon within 1 week of the incident.
        • UEI will report progress on the resolution of the incident, including but not limited to root cause analysis and the target date for a potential fix, to Amazon via avs-security@amazon.com.
        • Once a fix or resolution is available and (if applicable) approved by Amazon, the fix will be rolled out via OTA.
  • A security incident could be categorized as:
      1. An external researcher reports a valid vulnerability in the device.
      2. A vulnerability is being actively exploited on customer devices.
      3. A cloud service that the device depends upon discloses customer confidential information, allows for modification of customer’s device configuration, or affects device performance.
      4. We discover a vulnerability that warrants a software or hardware fix.