1. Scope of Responsibilities
Rockchip Product Security Incident Response Team (PSIRT) is responsible for receiving, investigating, and disclosing security vulnerability information related to Rockchip products and solutions. We encourage professional researchers, organizations, government agencies, and vendors to report relevant security vulnerabilities to Rockchip PSIRT.
PSIRT is responsible for the following security issues:
- Security incidents in hardware or software of Rockchip products
- Defects in security information or recommendations in Rockchip documents, e.g., datasheets and application notes
- Security-sensitive documents or security-related information found in places where they should not be provided
- Security-sensitive Rockchip products found in places where they should not be provided
PSIRT is not responsible for the following issues:
- Vulnerabilities in Rockchip IT systems, such as the website. You can still send the relevant information to PSIRT, which will forward it to the appropriate Rockchip teams.
- Any other support requests or events. PSIRT does not respond to e-mails regarding product support or other unrelated topics.
2. Process
Rockchip PSIRT Process
a. Detect vulnerabilities
To handle security vulnerabilities promptly, we must first detect them. On the one hand, Rockchip encourages security researchers, organizations, customers, and vendors to report potential vulnerabilities to Rockchip PSIRT in a timely manner. On the other hand, Rockchip continuously monitors well-known public vulnerability repositories, open-source communities, and security websites to detect vulnerabilities related to Rockchip products. When a potential vulnerability is reported to Rockchip PSIRT, PSIRT confirms receipt of the report and notifies the appropriate technical team to analyze the vulnerability.
b. Analyze vulnerabilities
For any potential vulnerability reported to Rockchip PSIRT, the technical team analyzes it as soon as possible and confirms its validity and impact. Rockchip uses the widely adopted Common Vulnerability Scoring System (CVSS) to rate the severity of vulnerabilities.
c. Define solutions
Vulnerability severity levels are assessed based on the actual impact, and the priority with which solutions are provided is determined accordingly. Rockchip develops patches or updated software versions for the affected products and conducts sufficient testing to ensure they are effective.
d. Release solutions
Rockchip releases the patches or software versions to customers and notifies them through a Security Advisory (SA) or software release notes, so that customers can adjust their risk policies accordingly.
e. Optimize solutions
Rockchip collects feedback from customers and optimizes the solutions when necessary. We will also continue to improve the vulnerability handling process.
3. How to Report
Potential security vulnerabilities can be reported by e-mail to PSIRT@rock-chips.com. Since vulnerability information is sensitive, we strongly recommend that you use our PGP Key when reporting security vulnerabilities to Rockchip PSIRT.
4. Policies
We are committed to providing safe, reliable, and innovative products for customers. In order to maximize the efficiency of analyzing, resolving, and disclosing security vulnerabilities, we urge you to comply with the following policies when you submit vulnerability reports.
Disclosure Policies
- Security vulnerabilities must be related to defects in hardware or software of Rockchip products or in Rockchip documents regarding security information or recommendations (e.g., datasheets and application notes).
- Security issues must not yet be known to Rockchip and must be reported only to Rockchip.
- All security information must be kept confidential before being disclosed.
- Invasion of privacy, disruption of the product ecosystem, and destruction of or tampering with data are not allowed.
- When different persons submit the same security issue, only the first one is listed in our security acknowledgement.
- Security vulnerability submissions may be additionally restricted by applicable laws.
- Your tests must not violate any laws, nor destroy or affect any data that does not belong to you. This policy is consistent with general vulnerability disclosure practice. Any activity that violates laws or may result in a breach of legal obligations is not allowed.
- Rockchip reserves the right to determine the eligibility of submissions.
Note: Rockchip does not sell chips directly to end-users. Rockchip sells chips only to manufacturers and provides SDKs and materials to them, and the manufacturers further develop the code provided by Rockchip according to their own requirements. Therefore, Rockchip does not provide technical support to end-users. If you have problems using Rockchip products, please contact the manufacturer for technical support.
Thanks will be given to the individuals and teams who report valid security vulnerabilities and cooperate with us during disclosure.
PGP KEY
Rockchip public PGP Key for communication.
Because vulnerability information is sensitive, we strongly recommend that you encrypt your report with our PGP public key (key ID: B12ADB4F; PGP fingerprint: 55B7 E7AE E8B8 D1DB 1ED2 7EB2 E180 A02D B12A DB4F) when reporting potential security vulnerabilities to Rockchip PSIRT. Verify that the fingerprint of the key you obtain matches the one listed here before using it.
You can also copy the following PGP Key: Rockchip public PGP Key