Bouffalolab is committed to ensuring the security of its hardware products and software solutions. We recognise that security incidents are an ongoing challenge that can significantly affect both our own business and our customers' products, so we treat them as a priority and take preventive and mitigating measures to protect both. To address potential security incidents in Bouffalolab hardware products and software solutions, we have established the process described below.
This document sets out that process. We commit to reviewing and updating it regularly so that it remains effective and aligned with industry best practice, and to maintaining the security of your products and our business.
The process consists of four main parts: report incident, evaluate issue, corrective actions, and public disclosure.
Anyone, including internal staff, external customers, or researchers, can report security issues to Bouffalolab.
Reporters can describe a security issue by downloading the following form, completing it, and sending it to bugreport@bouffalolab.com.
When reporting a potential security issue, please provide as much detail as possible so that the vulnerability can be assessed accurately. Include at least the following:
• A clear and concise title that specifies the affected product, including the product name and model.
• Detailed problem description, including the software version, hardware version, tools version, and other environmental factors during testing. Additionally, describe the discrepancies between the expected and actual test results and clarify the potential impact on security.
• Complete steps to reproduce the issue, including detailed test code (compilable and executable), debug logs, and any other relevant information.
Providing sufficient information significantly reduces the time required for vulnerability assessment and helps ensure a prompt resolution; insufficient information may delay diagnosis and resolution of the reported vulnerability.
Because of the sensitivity of the information being shared, Bouffalolab strongly advises that all security vulnerability reports be encrypted to the Bouffalolab PGP/GPG public key. After importing the key, confirm that its fingerprint matches the one published here before encrypting anything to it:
• Fingerprint: 6A09 EE04 49A2 2119 4E08 68F8 B3A8 1AA6 3D76 870D
• Public Key File (ZIP, 4 KB)
Please access the following free software to read and author PGP/GPG encrypted messages:
• Gpg4win
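The following POSIX shell script is an added example, not part of the Bouffalolab page or its tooling. It shows the check a reporter should perform with GnuPG on the command line: read the fingerprint of the downloaded key, compare it with the fingerprint published above, and only then import the key and encrypt the report to it. The key file name `bouffalolab.asc` (the unzipped public key file) and the report file name are assumptions; the fingerprint is the one stated on this page.

```shell
#!/bin/sh
# Added example (not Bouffalolab's own script). Assumes GnuPG 2.x is installed
# and the public key from the ZIP above has been unzipped to bouffalolab.asc.

# Fingerprint as published on the Bouffalolab disclosure page.
EXPECTED_FPR="6A09 EE04 49A2 2119 4E08 68F8 B3A8 1AA6 3D76 870D"

# Normalise a fingerprint for comparison: strip spaces, force upper case.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Read `gpg --with-colons` output on stdin and print the primary key's
# fingerprint. In colon format the first "fpr" record after a "pub"
# record belongs to the primary key, and field 10 holds the fingerprint.
primary_fpr_from_colons() {
    awk -F: '$1 == "pub" { want = 1 } $1 == "fpr" && want { print $10; exit }'
}

# Return 0 if the colon-format key listing on stdin has the expected
# primary fingerprint, 1 otherwise (including when no fingerprint is found).
fpr_matches() {
    expected=$(normalize_fpr "$1")
    actual=$(primary_fpr_from_colons)
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Inspect a key file without importing it and compare its fingerprint.
check_key_file() {
    gpg --batch --with-colons --show-keys "$1" | fpr_matches "$EXPECTED_FPR"
}

# Import the key and encrypt the report to it, refusing on a mismatch.
# Addressing the recipient by full fingerprint (rather than an e-mail
# address or short key ID) binds the encryption to exactly this key;
# --trust-model always suppresses the interactive trust prompt because
# the fingerprint has already been verified out of band.
encrypt_report() {
    key_file="$1"
    report="$2"
    if ! check_key_file "$key_file"; then
        echo "fingerprint of $key_file does not match the published value; refusing to encrypt" >&2
        return 1
    fi
    gpg --batch --import "$key_file" || return 1
    recipient=$(normalize_fpr "$EXPECTED_FPR")
    gpg --batch --yes --trust-model always -r "$recipient" \
        --armor --output "$report.asc" --encrypt "$report"
}

# Usage (assumed file names):
#   encrypt_report bouffalolab.asc report.txt   # writes report.txt.asc
```

The encrypted `report.txt.asc` can then be attached to the e-mail to bugreport@bouffalolab.com. If the fingerprint check fails, do not send the report: either the download was corrupted or the key was substituted, and a report encrypted to the wrong key would be readable by whoever holds it.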
Evaluate the issue:
• Verify that the assessment report includes all necessary details, such as the information provided, priority assignment, and confirmation of tracking methods.
• Conduct technical analysis and issue validation at the technical level to determine its potential impact on the product. Additionally, assess security risk and categorize the issue.
• Time estimate–1 month.
Corrective actions:
• Produce fix or mitigation actions if the potential vulnerability is verified.
• Communicate the response to the report submitter and others where appropriate.
– Timeline and version(s) for any fixes. Ask the issue reporter to verify the patch (if applicable).
– Timeline estimated to publish advisory (if any).
• Deploy the fix and mitigation actions.
• Time estimate–about 2 months.
On agreed disclosure date:
• Publish the public advisory document, including any findings, impacts, remediation activities or security enhancements plan for our product roadmap.
• Notify affected Bouffalolab customers, if necessary.
• Time estimate–about 3 months.
Bouffalolab values the contributions of security researchers and the significant role they play in enhancing the security of our products. To ensure an effective security incident response, we will confirm receipt of a report to the reporter within 24 hours via bugreport@bouffalolab.com.
During the coordinated vulnerability disclosure process, Bouffalolab maintains strict confidentiality of sensitive information. Any information shared between Bouffalolab and the reporter will be kept confidential and used only for the purpose of addressing the reported vulnerability. We ask security researchers not to disclose any unresolved or unpublished vulnerability without prior authorization from Bouffalolab.
Bouffalolab would like to thank everyone who contributes to keeping our products and users safe. Their efforts and collaboration are crucial to continuously enhancing the security of our products. We will continue to work with security researchers to ensure that our products can withstand potential threats and provide users with a secure and reliable experience.
info@bouffalolab.com
support@bouffalolab.com
5F, Block A, Shared Space, No.9 Yunzheng Street, Research and Innovation Park, Jiangbei New District, Nanjing