Last Updated: 2024-03-13

I. Purpose

Our company is committed to ensuring the security and stability of our products and service systems. We welcome collaboration from partners and independent security researchers to report any vulnerabilities that may affect the security of our products or services to our Product Security Incident Response Team (PSIRT) in accordance with this policy.

Scene of DrayTek Vulnerability Disclosure Policy

II. Vulnerability Definition

Any unauthorized errors, defects, vulnerabilities, or other issues directly affecting the operation of products or the security of services.

III. Scope

This policy applies to all products and servers providing external services for the company.

IV. Vulnerability Reporting Guidelines

Security researchers can report vulnerabilities through the following methods: Please send an email to [email protected] to submit information. If you wish to protect your submitted content, please download and use this PGP key.

To provide an effective response, vulnerability reports should include the following information:

  • Specific product model and firmware version or server details
  • Vulnerability description: Detailed explanation of the vulnerability's principle and proof of concept (PoC).
  • Reproduction steps: Provide necessary tools, code, and steps to effectively assist in reproducing the issue.
  • Vulnerability impact: Describe the potential impact of the vulnerability.
  • Contact information: Provide your name, email address, and other contact details.

V. Vulnerability Handling Procedure

The company will acknowledge the receipt of the vulnerability report within one business day. After receiving the vulnerability report, the company will assess the vulnerability, following the Common Vulnerability Scoring System (CVSS). The assessment timeframe depends on factors such as severity, complexity, and scope of impact. Once the vulnerability is confirmed as valid, the company will develop a remediation plan within 30 days and provide a solution within 90 days of issue confirmation. After solution confirmation, the reporter will be notified, and the reporter can apply for a CVE ID. After CVE ID confirmation, the company will publicly disclose the issue and the solution on the website, including firmware version information.

VI. During the Vulnerability Handling Period, Adhere to the Following Agreements

  • Keep the information about discovered vulnerabilities confidential until the resolution is released.
  • Prohibit potential or actual damage to the systems or applications of the company and users.
  • Prohibit exploiting vulnerabilities to view unauthorized data or damage any data.

VII. Reward Measures

The company will provide rewards to security researchers based on the severity and impact of the vulnerability. Reward measures include appreciation letters and gifts.

VIII. Disclaimer and Reservation of Rights

The company reserves the right to handle vulnerability reports at its discretion, including deciding whether to fix the vulnerability, the time to fix the vulnerability, and the method of providing rewards. The company reserves the right to modify this policy. The final interpretation of this policy belongs to the company.