Vulnerability Disclosure Statement

Vulnerability Disclosure Statement

We are committed to improving our product security, keeping them up and beyond current standard and best practice. In case a security vulnerability is detected, please share with us through the following process.

Reporting Procedure

  1. Please submit the report by visiting the Service Desk link.
  2. Please create a user account with your contact information using this link so we can respond to you accordingly.
  3. Please provide details on your finding regarding the vulnerability, including the following:
      1. Please provide product information, such as product name, software version and hardware revision;
      2. Please provide necessary network configuration used for the setup;
      3. Please provide detailed step to reproduce the issue;
      4. Please share reference code, if any;
      5. Please share your assessment, if available;
      6. If you have already shared this report with other organization, such as CERT/CC, NCSC, ICS-CERT, etc., please share the tracking number.
  4. Please use English to help expedite the process.
  5. Please avoid using any private information as much as possible in your report.

Product Security Vulnerability Report Assessment and Action

  1. We will acknowledge receiving your report within three business days with a tracking number.
  2. We will assign a contact person  for your case.
  3. We have our internal process in place to notify applicable  product team(s).
  4. We will keep you informed on the status of your report.
  5. If the vulnerability involves a component or service provided by a third party, we will refer the report to the appropriate  third party and notify you of such notification, with an option to include your contact information if you agree.
  6. Upon receiving a vulnerability report, we will
      1. Verify the reported vulnerability.
      2. Work on a resolution.
      3. Perform QA/validation testing on the resolution.
      4. Release the resolution.
      5. Share lessons learned with development teams.
  7. We will use existing customer notification and OTA processes to manage the release of patches or security fixes.

We appreciate your help and will acknowledge your contribution. We look for cooperation to address the issue together. The following notice shall be used as the guidelines for this engagement.

  1. Do not take advantage of the vulnerability or problem you have discovered; for example, by downloading more data than necessary to demonstrate the vulnerability or deleting or modifying any data.
  2. As part of responsible co-ordination of vulnerability disclosure, we encourage you to work with us on selecting public release dates for information on discovered vulnerabilities. To minimize the possibility of public safety, privacy and security risks, we request your cooperation in synchronizing the release of information. Please inform us of your disclosure plans, if any, prior to public disclosure.
  3. The discloser’s actions must not be disproportionate, such as:
      1. Using social engineering to gain access to the system.
      2. Building his or her own backdoor in an information system with the intention of then using it to demonstrate the vulnerability, as doing so can cause additional damage and create unnecessary security risks.
      3. Utilizing a vulnerability further than necessary to establish its existence.
      4. Copying, modifying or deleting data on the system. An alternative for doing so is making a directory listing of the system.
      5. Making changes to the system.
      6. Repeatedly gaining access to the system or sharing access with others.
      7. Using brute force attacks to gain access to the system. This is not a vulnerability in the strict sense, but rather repeatedly trying out passwords.
  4. We will provide full credit to researchers who make a vulnerability report or perform testing, in publicly released patch or security fix release information, if requested.

Notice:

In case you decide to share any information with UEI, you agree that the information you submit will be considered as non-proprietary and non-confidential and that UEI is allowed to use such information in any manner, in whole or in part, without any restriction. Furthermore, you agree that submitting information does not create any rights for you or any obligation for UEI.