Vulnerability Response and Disclosure Process

Recipient

Monitor and and assign received vulnerabilities in a timely manner

Verification

Verify the vulnerability and confirm the exploitability and impact

Solution Development

Provide effective fix solutions or risk remediations measures

Affected Scope Confirmation

Investigate and confirm the complete scope of affected products

Release SA

Review and publish the security advisory for the security vulnerability

Report Vulnerabilities

You can report vulnerabilities through via email. The following are the detailed reporting methods:

Mailbox

wilde.qi@hnk-intl.com

The email should include at least the following information:

- Your organization and contact information

- Products and versions affected

- Description of the potential vulnerability

- Information about known exploits

- Disclosure plans

- Additional information, if any

Attention

Although we encourage investigation of potential security breaches, we cannot tolerate any activity that may interfere with legitimate users or may violate applicable computer abuse, cyber security and data protection regulations. Therefore, the following activities are prohibited:

- Modification or destruction of data

- Service disruption or degradation, such as DoS

- Disclosure of personal, proprietary or financial information

Response Time

After receiving the vulnerability you reported, we will send you vulnerability response related information within 48 hours based on the platform you used to report the vulnerability, as follows:

For vulnerabilities reported via email, we will send you a vulnerability response notice, information confirmation and feedback related to the vulnerability via email. The progress of the vulnerability's solution development will also be continuously updated through email as soon as possible.

* Note: Actual vulnerability response time may vary depending on the risk level and complexity of the vulnerability.

Vulnerability Disclosure Instructions

flowfix discloses security vulnerabilities in its products in two ways:

- Security Advisory (SA): When the vulnerability has been confirmed, we will disclose detailed information about the vulnerability and the corresponding fix within 180 days of completing the vulnerability analysis and developing a fix plan through a SA.

- Security Notice (SN): When a potential vulnerability is discovered or noted externally, but we have not confirmed the vulnerability yet, we disclose the basic information of the vulnerability and our investigation progress through an SN.

The vulnerability information shall be kept confidential until flowfix releases the Security Advisory or Security Notice to the public.

Flowfix supports 5-year product software updates.

*Note: The actual vulnerability disclosure time may be adjusted based on the disclosure plan of the publisher, the vulnerability solution development plan, the negative impact that the solution may bring, and the vulnerability disclosure plan of other service providers.