Public feedback interface
Security researchers can notify Vifa of security vulnerabilities in devices.
Vifa official website :https://www.vifa.dk
Contact of Vifa’s security department :firstname.lastname@example.org
Software maintenance update strategy
Monitor version updates for third-party components and update to the latest version to avoid the existence of known vulnerabilities.
Fixes for severity vulnerabilities will be bundled in existing updates.
When any vulnerability is identified, update the firmware as follows:
- Vulnerabilities identified by customers, users, etc.
- A security related review meeting must be held immediately and the corresponding solution needs to be presented. In particular, participants must include project development manager, Technical Director and outside party who is responsible for firmware development. CVSSv2 will be used as a reference standard for assessing and prioritizing vulnerability.
- According to the solution, the developer performs the specific implementation.
- Code review. Reviewers should include security technology manager and project development.
- Release firmware.
- QA team test the firmware. If there are any problems, go back to step three.
- Code merged into trunk branch.
- The project manager notified customers that they need to update the software and get customer’s upgrade confirmation.
- Perform OTA on the corresponding project.
Security response plan
If a security incident arises, the incident must be treated as the highest priority. Top management must be aware of this incident and participate in incident handling.
If the incident is a software maintenance issue, then it will be handled according to the process of the “Software maintenance update strategy” in this document.
A internal meeting should be held immediately. The participants are Vifa and the solution providers. The meeting needs to collect information, clarify the situation of the accident, and estimated timelines for remediation of an incident. If there is a special major impact incident, Vifa will discuss the timelines for remediation with customers.