In addition to establishing a product security management framework to ensure the delivery of secure and reliable products, Phison is dedicated to minimizing cybersecurity risks associated with them to the greatest extent possible.
Thank you for reporting security-related issues to Phison. Your report helps us improve product security, and we appreciate your responsible disclosure.
We are committed to handling every report with transparency, respect, and promptness.
Recommended Information to Include in Your Report
To help Phison evaluate your submission as quickly as possible, it is recommended that you provide the following information:
- Detailed information about Phison products, including product name, part number, and hardware/software version
- How and when the potential vulnerability was discovered, and by whom
- Technical description of the vulnerability, including any related (1) known exploits and (2) existing CVE ID(s)
- Your contact information, so that Phison is able to ask any necessary follow-up questions
Please send the security report to: [email address protected from spam bots; JavaScript must be enabled to view it]
Our Handling Process Summary
- Acknowledgment: Phison will send an email confirming receipt of your report.
- Initial Assessment: Our security team will evaluate the impact and priority.
- Fix & Verification: If valid, we will arrange for patching, internal testing, and external verification. Multiple rounds of communication may occur.
- Disclosure (if applicable): After mitigation, Phison may publish an advisory, CVE ID, and technical details per our responsible disclosure policy.
Responsible Disclosure & Safe-Harbor Statement
To encourage responsible disclosure, we commit not to pursue legal action against, or report to law enforcement, reporters who follow these principles (unless other illegal activities are involved):
- Only test systems and resources you are authorized to access.
- Avoid unnecessary disruption or data damage to production systems.
- Collect only minimal data necessary for reproduction; avoid downloading sensitive user data.
- Do not publicly disclose vulnerability details or PoC (proof-of-concept) before remediation, unless mutually agreed.
- Cease testing immediately if requested by us.
This Safe-Harbor does not apply to malicious behavior or criminal activities such as fraud, extortion, or data theft.