Collection of vulnerabilities

Report the vulnerabilities you find to Jackery through the official website.

 

Submission process

1. Open the official website https://jackery.com/pages/contact

2. Fill in the required fields as the page instructs. In the “subject” option, select “product issue” or “others” to submit a vulnerability report.

3. Click “Send” when the form is complete.

 

Definition of vulnerabilities

[Serious]

1. Vulnerabilities that give remote, direct access to system permissions (server permissions, client permissions, intelligent devices), including but not limited to arbitrary code execution, arbitrary command execution, and the uploading and use of Trojan horses.

2. Mobile terminal: vulnerabilities of remote code execution.

3. Device terminal: vulnerabilities causing permanent denial of service on the device, including but not limited to a permanent denial of service attack (the device can no longer be used: it is completely and permanently damaged, or the entire system needs to be rewritten) that can be launched remotely against the system device, where the attack requires no physical contact with the device and can be replicated in batches quickly.

 

[High risk]

1. Vulnerabilities that directly disclose sensitive information of the online server, including but not limited to disclosure of the core system's source code, disclosure of information related to user accounts or payment, or the downloading of sensitive server log files.

2. Vulnerabilities that affect the normal operation of online services, such as denial of service of the application layer.

3. Logical design defects in the system, which can lead to unauthorized operation, such as unauthorized access to sensitive information.

 

[Medium risk]

1. General information disclosure, including but not limited to passwords stored in plaintext by the mobile client, download of a source-code archive containing sensitive server or database information, etc.

2. Logic design defects of the system, such as bypassing shipping charges, payment vulnerabilities, etc.

 

[Low risk]

1. Vulnerabilities that can be exploited for phishing attacks, including but not limited to URL redirection vulnerabilities.

2. Logic design defects of the system.

3. Minor information disclosure vulnerabilities, including but not limited to path disclosure, .git file disclosure, and server-side business log content.

 

[Ignored problems]

1. Bugs unrelated to security, including but not limited to slow page loading and broken page styling.

2. Reports too brief to reproduce from their content, including but not limited to vulnerabilities that cannot be reproduced even after repeated communication with the vulnerability reviewer.

3. Products, apps or modules that are no longer maintained.

4. Vulnerabilities in general protocols such as Wi-Fi, MQTT, BLE, and Zigbee.

 

Vulnerability processing timeline

Type                        Time for confirmation    Time for processing
Serious vulnerability       Within 6 hours           Within 12 hours
High-risk vulnerability     Within 12 hours          Within 24 hours
Medium-risk vulnerability   Within 24 hours          Within 48 hours
Low-risk vulnerability      Within 3 days            Within 7 days
Ignored problems            Within 7 days            Update with version iteration

 

Vulnerability processing

1. Solution decision: the technicians determine how to fully remediate the vulnerability, reduce the impact of a successful exploit, or reduce exposure.

2. Patch generation: the technicians produce patches, fix programs or upgrade programs, or change documentation or configuration, to resolve the vulnerability.

3. Fix testing: the technicians run appropriate tests to ensure that the vulnerability is resolved on all supported platforms.

 

Release/feedback of vulnerabilities

Remediation of online service vulnerabilities: the organization's production-system update and deployment process, or its configuration-change process, must be followed.

 

Vulnerability fixing

1. Affected users must take action to protect their products against the vulnerability (for example, installing the patch).

Work after release of the fix:

2. You can also contact Jackery's after-sales department directly through the official website to update to the latest baseline version.