Vulnerability Disclosure Policy


Ugreen Group Limited (hereinafter referred to as "We" or "Ugreen"), as the manufacturer of the products, attaches great importance to the security of its own products and business, and recognizes the importance of privacy and data security. Handling each security vulnerability and improving business security depends on the cooperation of all parties. If you discover, or believe you have discovered, a potential security vulnerability while using our products, we encourage you to disclose your discovery to us as soon as possible in accordance with this Vulnerability Disclosure Policy. We promise that dedicated personnel will follow up on, analyze and handle the problems reported by each reporter, and will reply in a timely manner.


1. Vulnerability feedback and handling process


[Vulnerability Feedback]


If you believe that the products have vulnerabilities or security incidents that need to be reported, please fill out the vulnerability report form below. After you submit the form, it is automatically sent to nas-security@ugreen.com.


[Vulnerability Handling Process]


Step 1: The reporter provides detailed information about the vulnerability.

Step 2: Ugreen checks, verifies and evaluates the received vulnerability information.

Step 3: Ugreen fixes the vulnerability and verifies the fix in its products.

Step 4: Ugreen releases a new version of the product for update.

Step 5: Ugreen replies to the reporter with the processing results.

Step 6: Ugreen monitors the stability of the product after the update.


[Vulnerability Review Phase]


1. The report will be acknowledged within 3 working days of receipt and an initial assessment will be conducted.

2. Within 7 working days the assessment will be completed and the vulnerability will be fixed or a remediation plan developed.


[Vulnerability Fix & Completion Phase]


1. Critical vulnerabilities will be fixed within 3 working days after completion of the assessment.

2. High-risk vulnerabilities will be fixed within 7 working days after completion of the assessment.

3. Medium-risk vulnerabilities will be fixed within 30 working days after completion of the assessment.

4. Low-risk vulnerabilities will be fixed within 60 working days after completion of the assessment.

Certain vulnerabilities are subject to environmental or hardware limitations, and the final fix time will depend on the actual situation.

A separate emergency security bulletin is issued for vulnerabilities with severe or significant impact.


2. Vulnerability rating standards


According to the degree of harm, vulnerabilities are divided into four levels: extreme risk, high risk, medium risk and low risk. When we receive a vulnerability report, we take a series of steps to resolve it internally with reference to ISO/IEC 30111. All reported vulnerabilities are scored according to the Common Vulnerability Scoring System (CVSS) 3.1 criteria.


[Extreme Risk Vulnerabilities]


1. Vulnerabilities that give direct remote access to system privileges (server privileges, client privileges, smart devices), including but not limited to arbitrary code execution, arbitrary command execution, and uploading and using a WebShell.

2. Logical design defects in the core business system, including but not limited to changing any account's password without any protective restriction, logging in to any account, etc.

3. Vulnerabilities that directly lead to serious information leakage in the online business system, including but not limited to SQL injection in the core database.

4. Mobile terminal: remote code execution vulnerabilities that can directly affect a large number of users without user interaction.

5. Device side: obtaining execution privileges on the device remotely over the Internet (such as downloading other users' data, remotely accessing the device, etc.), or remote command execution over the Internet that requires no user interaction.


[High Risk Vulnerabilities]


1. Vulnerabilities that directly lead to the leakage of sensitive information on online servers, including but not limited to leakage of core system source code, download of sensitive server log files, etc.

2. Vulnerabilities in the core business system that allow another person's identity to be used to perform all of its functions, or that allow important or sensitive unauthorized operations.

3. Unauthorized access to the management platform and use of administrator functions, including but not limited to logging in to a sensitive back-end administrator account. The activity level of the relevant platform, its user base, the importance of its functions and the sensitivity of its user information are taken into account when rating a vulnerability as high risk.

4. High-risk information leakage vulnerabilities, including but not limited to leakage of sensitive data that can be directly exploited, and leakage that exposes a large amount of user identity information.

5. SSRF vulnerabilities with a visible response (echoing SSRF) that can reach the Ugreen intranet.

6. Mobile terminal: a third-party application can invoke mobile client functions across applications to perform high-risk operations (such as reading and writing files, SMS, or client data), or high-risk leakage of sensitive information.

7. Device side: obtaining execution privileges on the device (such as downloading other users' data or remotely accessing the device) from close proximity or the LAN, or command execution from close proximity or the LAN that requires no user interaction.

8. Device side: vulnerabilities that remotely cause permanent denial of service on devices, including but not limited to remote denial-of-service attacks on system devices (the device can no longer be used, is completely and permanently damaged, or the entire system needs to be rewritten), where the attack requires no physical contact with the device and can be quickly replicated at scale.


[Medium Risk Vulnerabilities]


1. Ordinary information leakage, including but not limited to passwords stored in plaintext by the mobile client, download of a source code archive containing sensitive server or database information, etc.

2. Logical design defects in the system, such as payment loopholes, etc.

3. Vulnerabilities caused by weak authentication mechanisms, including but not limited to a captcha on a sensitive function that can be brute-forced, a login interface with no captcha, etc.

4. SSRF vulnerabilities without a visible response (blind SSRF).

5. Vulnerabilities that require user interaction to obtain user identity information, including but not limited to CSRF on sensitive operations, stored XSS, JSONP hijacking of sensitive information, etc.

6. Remote denial-of-service vulnerabilities that can disable some functionality of an online application (must be shown to affect other users).

7. Vulnerabilities that cause a smart device to deny service. For example, a permanent denial-of-service attack on a system device initiated locally (the device can no longer be used: it is completely and permanently damaged or the entire operating system needs to be rewritten), or a temporary denial-of-service vulnerability triggered by a remote attack (remote hang or restart), where the attack can be quickly replicated at scale.

8. Vulnerabilities that allow another person's identity to be used in ordinary business systems to perform all functional operations beyond the attacker's own authorization.

[Low Risk Vulnerabilities]


1. Vulnerabilities that can be exploited in phishing attacks, including but not limited to URL redirection vulnerabilities.

2. Low-risk logic design flaws.

3. Minor information leakage vulnerabilities, including but not limited to path leaks, .git file leaks, and server-side business log contents.

4. Vulnerabilities that can be exploited for phishing or hacking, including but not limited to arbitrary URL redirection and reflected XSS vulnerabilities.

5. Mobile terminal: local denial of service (including but not limited to denial of service caused by permissions of non-third-party Android components), minor information leakage (affecting only individual users), etc.

6. Vulnerabilities that cause a device to temporarily deny service, including but not limited to temporary denial-of-service vulnerabilities triggered by local attacks (the device needs to be restored to factory settings).


[Issues Not Accepted]


1. Bugs unrelated to security, including but not limited to slow-loading web pages, broken layouts, etc.

2. Reports that are too brief to reproduce the issue from their content, including but not limited to vulnerabilities that cannot be reproduced even after repeated communication with the vulnerability auditor.

3. Unexploitable or harmless reports, including but not limited to CSRF with no real impact on users, local denial of service that cannot affect others, Self-XSS, PDF XSS, non-sensitive information leaks (intranet IP addresses, domain names), mail bombs, etc.

4. Source code leakage with no practical impact.

5. Security problems in non-Ugreen modules of a hardware product, or defects of the hardware itself.

6. Security issues that Ugreen has proactively disclosed or that have already been disclosed externally.

7. Security issues in products, apps or web applications that are no longer maintained.

8. Vulnerabilities that Ugreen can verify were already known internally and have been fixed.

9. Denial of service caused by permissions of third-party Android components.


Any information you provide to Ugreen about vulnerabilities in its products, including all information contained in product vulnerability reports, will be owned and used by Ugreen.

Ugreen reserves the right to modify this policy at any time.