ATOP Networking Product
Vulnerability Disclosure Policy
1. Purpose
This policy establishes a structured approach to identifying, evaluating, mitigating, and disclosing cybersecurity vulnerabilities in our products. It aims to protect our customers and stakeholders by ensuring timely and effective management of potential security risks.
2. Scope
This policy applies to all standard products developed, manufactured, or distributed by ATOP, including hardware, firmware, and software components. Customized or non-standard products may be subject to separate agreements or policies.
3. Definitions
- Vulnerability: A weakness in a product that could be exploited to compromise its security.
- PSIRT: Product Security Incident Response Team responsible for managing product security incidents and vulnerabilities.
- CVSS: Common Vulnerability Scoring System used to assess the severity of vulnerabilities.
4. Roles and Responsibilities
- PSIRT: Leads the vulnerability management process, including assessment, coordination, and communication.
- Product Development Teams: Collaborate with PSIRT to investigate and remediate vulnerabilities.
- Quality Assurance: Validates the effectiveness of remediation efforts.
- Customer Support: Communicates with customers regarding vulnerabilities and available mitigations.
5. Vulnerability Reporting
We encourage responsible disclosure of potential vulnerabilities. Reports can be submitted by email to PSIRT@atop.com.tw.
When reporting a potential vulnerability, please include as much of the following information as possible to help us understand the nature of the issue and its potential impact:
- Product name and model
- Software/firmware version
- Description of the vulnerability
- Steps to reproduce (include screenshots or code if possible)
- Common Weakness Enumeration (CWE) ID (if known)
- Common Vulnerabilities and Exposures (CVE) ID (if known)
- CVSS score (if known)
- CVSS vector string (if known)
- Proof-of-concept or exploit code
- How an attacker could exploit this vulnerability
- Packet captures of the attack process
- Any additional information you would like to provide
6. Vulnerability Management Process
6.1. Acknowledgment of Submission
Upon receiving a vulnerability report, the ATOP PSIRT will issue an initial acknowledgment within two (2) business days and initiate a preliminary assessment to determine next steps.
6.2. Classification & Evaluation
Each reported issue is thoroughly reviewed to verify its legitimacy and determine its potential impact, exploitability, and scope. Severity is evaluated using the Common Vulnerability Scoring System (CVSS), with supplementary risk analysis based on internal models.
6.3. Investigation
The PSIRT works closely with engineering and product development teams to investigate the root cause, confirm which product versions are affected, and evaluate whether the issue extends beyond the initially reported scope.
6.4. Corrective Action and Mitigation
Depending on the severity, appropriate remediation strategies are formulated. These may include software or firmware patches, configuration adjustments, or temporary mitigation measures. In urgent or high-impact scenarios, interim guidance may be issued prior to a full resolution.
6.5. Disclosure
Once a fix is available, or once disclosure is deemed necessary before a fix is ready, a Product Security Advisory will be published. These advisories describe the nature of the vulnerability, the affected products and versions, the CVSS-based severity rating, and the actions customers should take to mitigate the associated risk.
7. Severity Classification
8. Communication
We provide security advisories via the following channels:
- Critical vulnerabilities: Through direct email notifications or bulletins to affected customers.
- Product documentation: Updates to product manuals or firmware release notes.
- Website updates: Security advisory listings on our official support page
- Optional: Monthly email summaries for registered users listing recent cybersecurity-related product changes
To receive these updates, customers can register on the ATOP website using an approved business email address.
9. Policy Review
This policy will be reviewed annually or upon significant changes to ensure its effectiveness and alignment with industry standards.
10. Disclaimer
This policy and associated procedures may be updated without prior notice. We make no guarantees to address or disclose all reported issues. Use of the information in this document or related advisories is at your own risk.