PAX Vulnerability Disclosure Program

PAX Technology Limited (hereinafter referred to as “PAX”, we, us or our) is committed to improving the security of our products and services to fully support the secure operations of our customers' networks and services. We encourage security researchers, industry organizations, customers, and suppliers to report to us suspected vulnerabilities associated with publicly accessible assets of PAX. PAX has established a process for handling reported suspected vulnerabilities.

Security researchers shall place our users’ interests at the forefront and respect the privacy of users. PAX encourages interested parties to discover and report vulnerabilities legally and commits to working with security researchers to understand, confirm, and appropriately resolve the vulnerability. Vulnerability information shall not be disclosed by you to anyone outside PAX before being submitted to PAX. Without PAX’s written consent, any disclosure to the public would violate the terms and conditions of this Program.

PAX urges the reporting party to follow the Responsible Disclosure Policy, which involves privately notifying us of any security vulnerabilities before fully disclosing them to allow us to resolve the vulnerabilities and minimize any overall risk to users. During the entire process, PAX will strictly control the scope of information distribution. PAX will request the reporting party to keep the vulnerability confidential until PAX has completed the fix.

HANDLING PROCESS

PAX's vulnerability handling process consists of the following four steps:

- Identify
- Verify
- Remediation
- Release

Identify

Required Information (please use the template for reporting suspected vulnerabilities):

- Organization and contact information;
- Where the device was acquired;
- Affected product/service, including model name, serial number (SN), hardware version (PN), OS or software version;
- Summary of the vulnerability, including issue description and type of vulnerability;
- The impact (arbitrary code execution, information disclosure, etc.) and severity estimate;
- Technical details and procedures for reproducing the issue;
- Proof-of-Concept (PoC) or other substantial evidence;
- Vulnerability attack scenario description, including prerequisites for the attack, trigger conditions, and whether interaction with the victim is required;
- Recommendations for mitigation.

To report a potential vulnerability affecting a PAX product or solution, please contact PAX using the methods described in the Contact Information section.

In particular, if you need to report a potential vulnerability, please include the word [VULNERABILITY] in the subject line. If the report submitted by you is incomplete, incorrect, duplicate or false, PAX will not handle it.

Verify

PAX investigates and reproduces the potential issue.

Generally, the verification process can be completed within 10 working days. Considering the complexity of potential issues, this period may be extended by 1 month where necessary.

Remediation

PAX performs internal vulnerability handling in collaboration with the responsible security and development groups, and will maintain vulnerability mitigation and recovery plans for any affected products or solutions.


The duration of this phase will vary in accordance with the risk level, impact and difficulty.


Release

If applicable, patches or fixes will be available via normal release channels.

CONTACT INFORMATION

Please contact PAX at VulnerabilityDisclosure@paxsz.com with any security-related issues on the PAX product or solution.

Please note that only emails sent in English or Chinese can be considered.

Use the public PGP key (Key ID 8B23 89DC; Fingerprint: F1C5 8104 CE21 B082 4AD7 88A4 66F0 4EBA 8B23 89DC) to encrypt your report.

PAX usually responds to complete and correct reports submitted by you within 5 working days. If a reply email is not delivered, please make sure the email from PAX has not been marked as junk.

DISCLAIMER

Notwithstanding any terms and conditions mentioned above, for the purposes of identifying and assessing a vulnerability report, including but not limited to the effectiveness of the vulnerability, the eligibility of a report, and the severity level of the vulnerability, PAX reserves the right of final interpretation. Meanwhile, PAX reserves the right to pursue legal actions against illegal testing and disclosing actions in accordance with the applicable laws and regulations.