Reporting a Product Security Vulnerability

If you have identified a vulnerability in an Uniview product, please report the issue to the Uniview Security Response Center by sending an email to security@uniview.com.

We will follow established processes to address them and provide timely feedback.

Coordinated Disclosure

Wherever possible, we aim to work with reporters to coordinate the public disclosure of an issue and, upon request, will acknowledge the reporter of a vulnerability in our public security bulletins. If you wish to include information about an Uniview  vulnerability on a public website or other medium, we ask that you work with us to coordinate the disclosures.

Managing vulnerabilities can be a complex process and a pre-determined timescale for resolution will rarely fit all circumstances.Accordingly, Uniview will often need sufficient time to develop  patches, mitigations and disclosures before an issue can be made public.

Product Security Incident Response Process

1.Receive

Uniview is informed of a suspected vulnerability by email at security@uniview.com.

We monitor security problems and receive vulnerability reports initiatively.Uniview will respond to vulnerability reports as soon as possible, usually within seven business days.If necessary, we will communicate with the reporter to confirm details and request assistance.

2.Verification

the Uniview Security Response Center and related products verification, confirm and evaluate risk levels for the security problem.

Uniview is a CVE Numbering Authority (CNA),we will check whether the discoverer, or other people already aware of the problem, have allocated a CVE number. If not, we will acquire a CVE candidate number ourselves, and make sure that everyone who is aware of the problem is also aware of the CVE number.

3.Solution

We formulate mitigation measures, develop for fixing the vulnerability, and develop security early warning strategy.

4.Disclosure

Official disclose vulnerability information when security problem have precautionary measures and fix patches.

the Uniview Security Response Center will strictly control the spread of vulnerability information and limit it to the person who handles the vulnerability. It also requires the vulnerability reporter to keep the vulnerability confidential until it is publicly disclosed.

the Uniview Security Response Center provides Base Metrics and Temporal Metrics for vulnerabilities based on the CVSSv3.1(Common Vulnerability Scoring System). Based on Customers’ environment, they can get Environmental Metrics according to their own needs.

Uniview publishes Common Vulnerabilities and Exploits (CVE) records. Where appropriate, Uniview will publish an accompanying CVE on the date of disclosure.

If you have any queries about the Uniview Product Security Incident Response process, please email security@uniview.com