Report Vulnerabilities
You can report discovered security vulnerabilities through the following methods.
Mailbox
security@positecgroup.com

As the vulnerability information is extremely sensitive, we strongly recommend you download and use our public PGP key (key ID EA4E2C1E; fingerprint: 261F BDCE 3BFA C4CE 77E4  41E7 D50E C964 EA4E 2C1E) to encrypt the information before sending it to us.

The email should include at least the following information:

- Your organization and contact information

- Products and versions affected

- Description of the potential vulnerability

- Information about known exploits

- Disclosure plans

- Additional information, if any

Vulnerability handling process

Vulnerability Acceptance

Our company receives reports of suspected security vulnerabilities from external sources, including customers, external professional teams, and others. We encourage responsible disclosure by providing us with a reasonable period of time to address and resolve the issue prior to public disclosure. Please do not discuss or disclose product vulnerabilities or intelligence details in any public forum or platform without permission.

Analysis and Verification

For each security vulnerability report received, our team will immediately start the analysis and investigation work, and quickly complete the reproduction and impact assessment of the vulnerability. During the analysis and verification phase, our team will maintain communication with the reporter to improve the accuracy and timeliness of the vulnerability analysis.

Solution Development

Drawing on root cause analysis, the team identifies the affected products, develops remediation plans (including temporary workarounds and mitigation measures), and tests them to ensure that they are effective. For vulnerabilities that have already been disclosed, solution development needs to be completed quickly.

Disclosure: Publishing security notifications of security vulnerabilities

During the incident handling process, our team actively maintains communication with vulnerability reporters, product development, vendors, and customers to transparently disclose issues and provide mitigation measures and solutions to customers.

Closed-loop improvement: collecting and summarizing customer opinions and practices to guide the continuous improvement of the company's products.

When customers implement the solution, its effectiveness and any problems that emerge need to be monitored, and the solution is iterated based on that feedback as part of closed-loop management. Through review, the company continuously improves its product development, quality, and safety.

Response time

After receiving the report, we will acknowledge it within 3 business days and conduct an initial assessment. Evaluation will be completed within 7 business days, and we will either fix the vulnerability or devise a remediation plan.

When to fix:
Critical risk vulnerabilities will be fixed within 7 business days. High and medium risk vulnerabilities will be fixed within 30 business days. Low risk vulnerabilities will be fixed within 180 business days. Please note that some vulnerabilities may be subject to environmental or hardware limitations. Final timelines will be determined based on actual circumstances.