Security Center

Vulnerability Disclosure Policy

ASR is committed to providing secure and reliable products. The Product Security Incident Response Team (PSIRT) is dedicated to handling security vulnerabilities related to ASR’s products and services, based on ISO/IEC 30111, ISO/IEC 29147 and other industry standards.

We follow CVE.org’s definition of a vulnerability as:

“A weakness in the computational logic (e.g., code) found in software and hardware components that, when exploited, results in a negative impact to confidentiality, integrity, or availability. Mitigation of the vulnerabilities in this context typically involves coding changes, but could also include specification changes or even specification deprecations (e.g., removal of affected protocols or functionality in their entirety).”

ASR appreciates it when security researchers, industry organizations, government agencies and/or customers contact us to report suspected security vulnerabilities related to ASR products. You can submit potential vulnerabilities to our PSIRT team by sending an email to product-security@asrmicro.com.

To help us handle potential vulnerabilities, please provide as much detail as possible, including but not limited to:

· Your organization and contact information
· Description of the potential vulnerability, vulnerability type and impact
· Products and versions affected
· Reproduction procedures
· Expected correct behavior or workaround
· Information about known exploits, if any

We truly appreciate reporters who follow the practice of responsible disclosure and do not disclose vulnerabilities publicly until remediations are ready or an embargo period has elapsed. Likewise, ASR is committed to keeping sensitive information confidential for customers until the vulnerabilities have been repaired and disclosed. We will respond within 2 to 3 working days to the vulnerabilities you submit.

We follow the procedures suggested by ISO/IEC 30111 and ISO/IEC 29147 to manage potential vulnerabilities, whether they come from external or internal sources.


Figure 1: Vulnerability Response Process


When a vulnerability has been confirmed and any necessary updates are generally available, ASR uses security advisories (Security Bulletins) to publish information about security fixes in our products and to publicly thank (Acknowledgements) the people and/or organizations that have reported suspected vulnerabilities to us.

We use the Common Vulnerability Scoring System (CVSS) v3.1 to assess the severity of vulnerabilities in our products. Low-severity vulnerabilities, those with a CVSS score of less than 4.0, will be fixed but might not be published. A CVE number will be assigned for resolved high-profile vulnerabilities.

Copyright © 2022 翱捷科技股份有限公司. All rights reserved.
