Disclosure Policy

Introduction

SEMOOKII BESS CO., LTD. (hereinafter referred to as "SEMOOKii") is committed to the safety and security of our products. If a vulnerability is discovered, we work to resolve it and publish updates. This document describes the process to submit reports to SEMOOKii regarding potential security vulnerabilities in our products, and our practices for informing customers and other affected entities of verified vulnerabilities.

Vulnerability Handling Process

SEMOOKii's basic position on vulnerability management is set out in the following basic principles, which SEMOOKii follows in its vulnerability response and disclosure process:

Preliminary investigation: attempts to identify potential vulnerabilities.
Root cause analysis: attempts to determine the root cause of the vulnerability.
Further investigation: attempts to find other instances of the same type of vulnerability in a product or service.
Prioritization: For each affected product or online service, there may be different severities of the same basic issue.
Possible outcomes when handling a vulnerability:
  Non-reproducible vulnerability.
  Known Repeat Bug - the issue is a repeat vulnerability that has been resolved or fixed through this process.
  Obsolete Product Error - the vulnerability exists in a product that is no longer supported.
  Non-Security Error - the issue is a bug that has no security implications or is not currently exploitable by known techniques.
  Third Party Error - the vulnerability is caused by third party code or configuration, or exists in a specification for which SEMOOKii is not directly responsible.
Develop vulnerability remediation strategies:
  Solution decisions: determine ways to fully address the vulnerability, reduce the impact of the exploited vulnerability, or reduce exposure.
  Generate fix patches: generate patches, fixes, upgrades or documentation or configuration changes to address the vulnerability.
Test remediation strategies (patches): Develop and execute appropriate tests to ensure that vulnerabilities are addressed on all supported platforms.
Issue vulnerability fixes:
  Online service vulnerability solutions: follow the organization’s production system update deployment or configuration change process.
  Product vulnerability solutions: For affected users who must take certain steps to protect themselves from vulnerabilities in their products (e.g., install patches).
Case maintenance: Further updates to the solution may continue after the solution has been released.
Secure development lifecycle feedback: Use information obtained during root cause analysis to update the development lifecycle to prevent similar vulnerabilities from occurring in new or updated products or services.
Monitoring: For online service vulnerabilities, the stability of the product or service is monitored after remediation has been applied. Post-patch release monitoring for development can help focus communications to the majority of affected users.

Contact SEMOOKii about a potential vulnerability

If you have identified a potential security vulnerability in one of our products, contact SEMOOKii using the contact information below. Your report will be reviewed, and appropriate personnel will contact you to follow up if required. We will strive to acknowledge receipt of your report within 2 business days and to provide a preliminary response within 7 business days.

If you have any questions, comments, or advice regarding this policy, please contact SEMOOKii at:
SEMOOKII BESS CO., LTD.
No. 2399 Fazhan Ave., Haimen Port New Area, Jiangsu 226156 P.R.China
Tel: +86 21-60970158
Email: service@semookii.com; sales@SEMOOKii.com; uhoo@semookii.us; mail@semookii-ehoo.com.

Please do not include any data in your report that could violate the privacy of any user without first obtaining informed consent from that user and making arrangements to properly encrypt and safeguard that information before submitting it to SEMOOKii. SEMOOKii disclaims any liability for such personal information submitted to SEMOOKii without SEMOOKii’s request or consent.

Security Advisories

If there are security advisories related to our products, such advisories will be posted on the "Company News" page under the heading of "Blogs" on our website www.semookii.com. For example: https://www.semookii.com/Blogs.

Generally, we will issue an advisory when a practical workaround or fix has been issued for a particular vulnerability.

In cases where a third party, such as a security researcher, notifies us of a potential vulnerability, we will investigate and may publish a coordinated disclosure along with such third party. If we receive a report under a confidentiality agreement, we will still work to release a security fix but may only be able to provide limited information about the vulnerability.

SEMOOKii strives to address vulnerabilities and other issues within 90 days after such vulnerabilities or issues are reported. We may request additional time to address an issue when appropriate, usually in cases where third parties are impacted and a coordinated response is required.

Severity and Impact

SEMOOKii follows industry-standard practices in measuring and reporting the potential impact of vulnerabilities, using the current version of the Common Vulnerability Scoring System (CVSS). Details about the CVSS system can be found here.

Our advisories typically document a list of known SEMOOKii products affected by the vulnerability, as well as the appropriate path for obtaining a fix or workaround. In most cases, this will be through an ecosystem update mechanism such as Windows Update.

When possible, we will list all affected versions of the product. Our suggestions may refer to "the version released before a specific date" or "the version released within a specific time period". If you need more detailed information, you can contact service@semookii.com; uhoo@semookii.us; mail@semookii-ehoo.com.

Acknowledgement

When applicable, and with permission, SEMOOKii will acknowledge the researcher or finder of the vulnerability and thank them for their efforts in improving our products.