Security Reporting

We prioritize the safety of our digital infrastructure and the privacy of our users above all else. Our team is dedicated to engineering secure and dependable technology, and we recognize the vital contribution that independent security researchers make in safeguarding our systems. To foster a transparent and collaborative environment, we have implemented a structured vulnerability disclosure policy and a comprehensive management lifecycle, both aligned with international standards such as ISO/IEC 30111 and ISO/IEC 29147. These frameworks ensure that any discovered security gaps are addressed systematically and with the urgency they require.

When evaluating the severity of potential security risks, we utilize industry-standard assessment models, such as the Common Vulnerability Scoring System, which allows for a detailed analysis of base, temporal, and environmental metrics. We encourage our community to consider their specific network environments when interpreting these scores, as this helps in making informed decisions about mitigation efforts. For simplicity, we also employ an internal Security Severity Rating system that classifies issues into categories ranging from informational to critical. This allows our security team to prioritize resources effectively and ensure that the most pressing threats are addressed first.

If you identify a security issue, we invite you to submit a formal report to our security team. Please include the specific model or version, the affected website or page, and a clear, descriptive summary of the vulnerability type. Crucially, your report should outline the steps needed to reproduce the issue. These steps must be non-destructive and serve as proof of concept to help our team verify the findings accurately. Providing clear documentation minimizes the chance of duplicate reports and prevents any unintentional exploitation of the vulnerability during the assessment process.

Our security response staff commits to acknowledging all incoming reports within a single working day. Once a report is received, we categorize the risk to determine the necessary response timeline. Serious vulnerabilities are assessed within twenty-four hours, while high-risk issues are reviewed within three working days. All other findings are evaluated within one week. If you believe a submission requires immediate, emergency attention, you may escalate your request by emailing our designated security address for expedited review and confirmation.

We manage vulnerabilities across the entire lifespan of our products, maintaining coverage until the end of service for each specific version. To ensure our users remain protected, we do not discuss or confirm security findings until we have completed a thorough investigation and prepared a verified patch or solution. We request that all reporters maintain strict confidentiality during this period and refrain from sharing unresolved issues with third parties or the public. Once a fix is verified, we will document the patch status in our software update notices, and we strongly encourage all users to apply these updates as soon as they become available.

The handling process begins with your submission through our official channels. Once a report is submitted, the information is finalized, so please verify the accuracy of your technical details beforehand. Our team conducts a detailed review of each submission, typically within five working days, to validate the impact and severity. Those who submit approved reports may be eligible for rewards such as company products, loyalty points, or digital currency. In cases where multiple researchers report the same vulnerability, rewards are granted based on the comprehensiveness of the report or the timestamp of the first submission, whichever is applicable. We do not provide duplicate rewards for the same issue.

We remind all researchers that any investigation must be conducted in strict compliance with applicable laws and regulations. You must not disclose, weaponize, or exploit discovered vulnerabilities for any reason. Any unauthorized or malicious use of this information is strictly prohibited and will lead to legal action. Our commitment to secure technology depends on the cooperation of ethical hackers who operate within these legal and professional boundaries, and we thank you for your ongoing partnership in keeping our digital environment secure and resilient for every user.