Our Security Commitment

At TP-Link, security is a core pillar of our product strategy and corporate ethos. Over many years, we have developed and refined a comprehensive security framework designed to anticipate, identify, and address risks swiftly and effectively.

 

Commitment to Secure Products and Secure Data

Security is embedded into TP-Link’s product development lifecycle. From product planning to release and beyond, our product teams are constantly integrating security measures into product functionality and user experiences. Our investment in security includes an internal penetration testing team, composed of experienced professionals skilled in IoT and embedded systems security, which conducts continuous threat modeling and real-world attack simulations. We also work with accredited third-party security labs to scrutinize our products and help identify, prioritize, and promptly address potential vulnerabilities before they affect our customers. We act promptly and appropriately when our security teams or outside researchers identify issues, including by designing and issuing security patches.


Our security commitment equally focuses on protecting user data. We store user data on secure cloud infrastructure protected with industry-recognized security protocols. A U.S.-based information security team oversees core data security functions across TP-Link, and a U.S.-based cloud operations team monitors the security and integrity of U.S. customer data on the cloud.  

 

Data-Driven Evidence of Our Security Posture

A comparison of publicly available data places TP-Link’s security record on par with or ahead of other major industry players in terms of security outcomes.

TP-Link’s average weighted CVSS score—an industry-standard metric for vulnerability severity—is in line with that of other leading manufacturers, per 2024 data from individual vendor pages on CVEdetails.com.[1] The average weighted scores for TP-Link and other leading manufacturers are listed in the chart below:

Cisco: 7.3
Zyxel: 7.6
NETGEAR: 7.7
DrayTek: 8.5
D-Link: 9.5
 

Our product lines have among the lowest total counts of known exploited vulnerabilities (KEVs) among our industry peers, as shown in Figure 1 below:

Figure 1: CISA KEV inclusions by vendor (current as of September 30, 2025)

 

Commitment to Secure by Design and Industry Standards

TP-Link strongly supports government-led cybersecurity initiatives and the development of industry standards. We participate in the “Secure by Design” pledge sponsored by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and support the EU’s proposed Cyber Resilience Act (CRA). Since 2022, more than 200 TP-Link products have received security certifications recognized by nations including Finland, Germany, and South Korea. TP-Link strongly supports the development of similar product security standards in the United States, and believes that such standards will raise the security baseline for everyone.

 

Commitment to Transparency 

We are continually working toward greater supply chain transparency, including generation and distribution of Software Bills of Materials (SBOMs), to provide clearer insight into our product inputs. In the meantime, we offer prompt firmware and software updates that we link to identified vulnerabilities on the cve.org website, and publish detailed security advisories when appropriate. We also publish and maintain clear end-of-life policies, ensuring customers understand how long their old devices will continue to receive critical updates, and how customers can help ensure device security.

 

Engagement with the Security Community

TP-Link actively participates in global security initiatives and in the cybersecurity community. We are a registered CVE Numbering Authority, which means we take direct responsibility for identifying and publicizing cybersecurity vulnerabilities that could potentially affect our products. We engage with third-party partners on activities including security testing of our products, bug bounty programs run on a prominent industry platform, and hacking competitions such as the Zero Day Initiative’s Pwn2Own. Independent researchers and the security community can report potential issues to us at security@tp-link.com.

 

Continuous Improvement and Accountability

We back up our words with actions. Our continuous integration/continuous delivery (CI/CD) pipeline allows us to catch issues earlier, and findings from ongoing penetration testing directly inform our product roadmaps. We measure success by the speed at which we respond to vulnerabilities, how effectively we reduce their overall volume, and the trust feedback we receive from customers.

In short, TP-Link strives to be a leader in IoT and networking security, while acknowledging that security is never final and always evolving. By working with industry experts, embracing government guidance and standards, and maintaining an unwavering focus on improvement, we ensure that our customers can trust our devices, today and in the future.