Vulnerability Disclosure

We are committed to building and implementing a comprehensive “End-to-End Global Cybersecurity Assurance System” as a key strategy for our company. Through robust policies, organizational structures, procedures, management practices, technologies, and standards, we have established a sustainable and reliable vulnerability management system. We encourage users, partners, suppliers, and others who discover potential security risks or vulnerabilities related to our products and solutions to proactively report them to us via email (service@senergytec.com). To facilitate the verification and identification of vulnerabilities, please include in the email, at a minimum, the following information:

    • Provide the name of your organization, job title, and contact details.
    • Include a detailed description of the potential security risk or vulnerability you have identified.
    • Provide technical details such as system configuration, identification method, detailed description & screenshots of the exploit, sample capture, proof of concept (PoC), steps to reproduce the problem, etc.
    • Specify the product, model, software/firmware version where the security risk or vulnerability is observed.
    • Outline the plans for disclosing the vulnerability.

For any reported suspected vulnerabilities, we will work with the product team to analyze and verify the issues, determine the feasibility of remediation plans, and provide reliable and timely remediation solutions.

Handling Mechanism

We will implement a strict vulnerability information handling process, limiting access to only those personnel involved in addressing the vulnerability. Additionally, we require individuals who report the vulnerability to keep it confidential until it is publicly disclosed.

We publicly disclose security vulnerabilities through the following two approaches:

    • Security Advisory: A Security Advisory includes information such as the severity level of the vulnerability, business impact, and remediation plan, and is intended to communicate the remediation plans. Security Advisories are used to publish information directly related to product vulnerabilities and their remediations.
    • Security Notice: A Security Notice contains responses to public security topics related to the products, covering both vulnerability-related and non-vulnerability-related issues. Security Notices are used to publish information assessed by the SSR as Informational issues, such as those discussed on public platforms (e.g., blogs or discussion lists). Additionally, in special scenarios where there might be widespread public concern about product vulnerabilities or active exploitation of vulnerabilities is observed, Security Notices are also used to inform relevant clients about our response progress regarding the vulnerabilities.

For detailed CVSSv3 standards, please refer to the link: https://www.first.org/cvss/specification-document

Following the principles outlined above and in compliance with industry standards ISO/IEC 30111, ISO/IEC 29147, and ISO/SAE 21434, we have established a comprehensive vulnerability management process. We are committed to maximizing client protection and mitigating the risk of vulnerability exploitation.

Response Mechanism

Progress Updates

We will send an email confirmation within 24 hours of receiving your report and keep you updated on the progress.