EFSRC Vulnerability Disclosure Plan

Ecoflow attaches great importance to the security of its products and services, and is committed to building reliable products and protecting user privacy. We also recognize that security researchers play an important role in protecting Ecoflow products and consumers, so we publish this EFSRC (Ecoflow Security Response Center) Vulnerability Disclosure Plan. The Plan provides a secure channel for researchers to report security issues in Ecoflow products and applications, and describes the measures we use to classify and mitigate reported vulnerabilities.

We sincerely appreciate researchers who comply with this disclosure plan and do not publish vulnerability information before the time needed to resolve the vulnerability has passed. Vulnerability information that is disclosed early exposes Ecoflow users to higher risk. If you find a security vulnerability or other problem in any domain belonging to or affiliated with Ecoflow, please follow the vulnerability submission process in this Plan.

To protect our users, Ecoflow will not disclose, discuss or confirm any security issue until the investigation is complete and any necessary updates have been released.

Please read the policies, terms and conditions of this Ecoflow vulnerability disclosure plan carefully before using it. If you disagree with the policies or terms of this plan, stop using it; we will then not provide any related services to you. Continuing to use it means that you fully understand and accept the following policies and terms.

  1. Disclosure Plan—Basic Principles

    EFSRC attaches great importance to security problems in its own services and products. A specialist will follow up, analyze and handle every reported problem and reply in a timely manner.

    EFSRC fully supports responsible vulnerability disclosure and handling. We appreciate, and will reward, everyone who acts in the “White Hat” spirit, protects user interests and helps Ecoflow improve its security.

    EFSRC may need the reporter’s help while following up on a reported issue; effective follow-up requires the reporter to assist in reproducing it. Ecoflow rejects reports that conceal vulnerability details or whose authors refuse to assist. Ecoflow will give appropriate rewards to reporters who submit high-quality reports and who provide effective help and prompt responses during reporting, feedback and follow-up.

    EFSRC opposes and rejects any use of security vulnerabilities to intimidate users, or to attack or extort competitors.

    EFSRC opposes and rejects any attack carried out through a vulnerability, including but not limited to attacking business systems, stealing user data, stealing virtual assets, injecting dirty data and spreading malicious content.

    EFSRC believes that resolving each security vulnerability, and the progress of the security industry as a whole, depend on the cooperation of all parties. We hope that every enterprise, security company, security organization and security researcher will join the “responsible vulnerability disclosure” process and help build a safe and healthy internet.

    When you submit a security vulnerability report to EFSRC, we ask that you allow us a reasonable amount of time to investigate and handle the problems in your report before you share or publicly report any information contained in it with any third party.

    You will not use the security problems you find for any other purpose, including disclosing them in any way, creating additional risk, attempting to damage the company’s sensitive data, or probing for further problems.

    You will not violate any other laws or regulations.

    You will not violate any privacy terms or privacy regulations, or interfere with others, including but not limited to unauthorized access, data damage, and interruption or degradation of our services.

    You have read, agree to and will comply with EFSRC’s Security and Privacy Policy, Disclosure Responsibility Policy, and Terms and Conditions.

  2. Disclosure Plan—Terms and Conditions

    If you inadvertently or intentionally access any Ecoflow or Ecoflow-affiliated brand, customer, employee or business-related information during testing, you may not use, disclose, store or record it in any manner. Any such access must be reported in the relevant vulnerability report.

    By submitting potential security vulnerability information to EFSRC, you grant Ecoflow a worldwide, perpetual, royalty-free, non-exclusive license to use the reports you submit to resolve security vulnerabilities in the products and services of Ecoflow or its affiliates.

    Before submitting a security vulnerability report to EFSRC, make sure the vulnerability information has not been disclosed to anyone other than Ecoflow.

    Any disclosure without EFSRC’s prior written consent violates the terms and conditions of this Plan.

  3. Disclosure Plan—Vulnerability Report Submission Process

    If you believe you have identified a security vulnerability in one of our products or platforms, please send an email to efsecurity@ecoflow.com with a detailed vulnerability report. The report needs to contain the following information:

    Your name/organization and website, if you wish to be credited in the report (optional).

    The detailed product information listed in the Report Template (see Appendix).

    We will acknowledge a submitted vulnerability report within 3 working days. Vulnerability fixing periods:

    Vulnerability Type                 Fix time
    Critical/High-Risk Vulnerability   3 days
    Medium-Risk Vulnerability          30 days
    Low-Risk Vulnerability             90 days

    After receiving a suspected vulnerability, we will evaluate its validity and scope of impact, then release a security notification and disclose the information related to the fix.

  4. Disclosure Plan—Security Notification

    Security Notifications are the main way we publish vulnerability information for our products and services; they can be found on our official website. We publish a Notification when we have a useful solution, mitigation or fix for a particular security vulnerability. However, if the vulnerability is already widely known in the security community, we may publish an announcement before a solution is available.

    If a third party informs Ecoflow of a possible vulnerability in a product, Ecoflow will investigate and may cooperate with that third party on disclosure. Ecoflow may also receive information about a security vulnerability from a supplier under a confidentiality or non-disclosure agreement or an injunction. In these cases Ecoflow cannot provide details of the vulnerability, but will work with the supplier to request the release of a security fix.

    Ecoflow does not normally publish security notifications for open-source vulnerabilities, but may do so when appropriate. Open-source fixes are identified in the release notes by their assigned CVE. Ecoflow accepts and collects reports of suspected product vulnerabilities.

    A Security Notification includes the following information (where applicable):

    Overall impact, a text representation of severity (critical, high, medium, low or informational), derived from the highest CVSS base score among the identified vulnerabilities;

    Affected Products and Versions;

    CVSS base score and vector for each identified vulnerability;

    CVE identifiers for all identified vulnerabilities, so that information on each unique vulnerability can be shared across vulnerability management tools (such as vulnerability scanners, repositories and service tools);

    A brief description of the vulnerability and its potential impact if exploited;

    A detailed description of the correction method, including update and workaround information;

    Category of vulnerability:

    • Proprietary code – hardware, software or firmware developed by Ecoflow;
    • Third-party components – freely distributed hardware, software or firmware packaged into or integrated with Ecoflow products;
    • Other references (if applicable).

    We acknowledge vulnerability researchers and discoverers with their consent.

  5. Disclosure Plan-Vulnerability Classification

    The grading standard applies to security vulnerabilities and issues affecting Ecoflow’s business.

    EFSRC security vulnerabilities include vulnerabilities in hardware products, web applications, mobile apps, applets (mini programs), and generic components or plug-ins used in the business.

    EFSRC follows standard industry practice and rates the potential impact of a vulnerability as “critical”, “high”, “medium” or “low”. EFSRC uses the Common Vulnerability Scoring System version 4.0 (CVSS v4.0) to communicate the characteristics of vulnerabilities in Ecoflow products.

    Rating        CVSS v4.0 base score
    Critical      9.0-10.0
    High          7.0-8.9
    Medium        4.0-6.9
    Low           0.1-3.9
    Information   0.0

  6. Disclosure Plan—Vulnerability Amendments

    After investigating and verifying a reported vulnerability, we strive to develop and determine the appropriate Amendments for the affected Ecoflow products within their support period. Amendments may take one or more of the following forms:

    A new version of the affected product, provided by Ecoflow;

    A patch that can be installed on the affected product, provided by Ecoflow;

    Instructions for updates or patches to be downloaded and installed from third-party vendors that mitigate the risk of the vulnerability;

    Corrective procedures or workarounds published by Ecoflow that instruct users how to mitigate the risk of the vulnerability.

    Ecoflow makes every effort to provide compensating measures or corrective actions within the shortest commercially reasonable time. Response timelines depend on many factors, such as:

    • The criticality of the vulnerability;
    • The complexity of the vulnerability;
    • The scope of affected products;
    • The workload or impact of the amendment;
    • Product lifecycle.

  7. Appendix: Report Template

    1) Software vulnerability report template

    • 1) Software name - the general name of the solution
    • 2) Product version
    • 3) Host operating system - if any
    • 4) Host operating system version
    • 5) Expected behaviour
    • 6) Actual behaviour observed
    • 7) Steps to reproduce the vulnerability
    • 8) Source code example - if any
    • 9) Discoverer’s contact information - the best way to contact the discoverer
    • 10) Other parties involved - if any, to coordinate disclosure
    • 11) Disclosure plan - when the discoverer plans to disclose
    • 12) Threat/risk/impact assessment - the threat, risk and impact as perceived by the discoverer (high, medium, low)
    • 13) Configuration - system and hardware configuration details

    2) Hardware vulnerability report template

    • 1) The hardware model shown on the product package
    • 2) The hardware version
    • 3) Expected behaviour
    • 4) Actual behaviour observed
    • 5) Steps to reproduce the vulnerability
    • 6) Source code example - if any
    • 7) Discoverer’s contact information - the best way to contact the discoverer
    • 8) Other parties involved - if any, to coordinate disclosure
    • 9) Disclosure plan - when the discoverer plans to disclose
    • 10) Threat/risk/impact assessment - the threat, risk and impact as perceived by the discoverer (high, medium, low)
    • 11) Configuration - hardware configuration details (connections, software, debug connection, etc.)

    3) Cloud service report template

    • 1) Discovery date and time - if known
    • 2) Uniform Resource Locator (URL) of the service
    • 3) Browser configuration - if used
    • 4) The input required to reproduce the vulnerability
    • 5) The steps to reproduce the vulnerability
    • 6) Source code example - if any
    • 7) Discoverer’s contact information - the best way to contact the discoverer
    • 8) Other parties involved - if any, to coordinate disclosure
    • 9) Disclosure plan - when the discoverer plans to disclose
    • 10) Threat/risk/impact assessment - the threat, risk and impact as perceived by the discoverer (high, medium, low)
    • 11) System configuration - if relevant to the vulnerability