PAX Technology (hereinafter referred to as PAX) is committed to help ensuring the safety and security of our systems, products, services, and customers. PAX has formalized a process for handling reported security vulnerabilities, intended to give security researchers terms and conditions for conducting vulnerability discovery activities directed at publicly accessible related department at PAX, including any product, system, or asset belonging discovered vulnerabilities.
Reporters shall be aware that you cannot compromise the privacy or safety of our customers and the operation of our services. Such activity will be treated as illegal. We support acts taken in good faith to discover and report vulnerabilities and commit to working with you to understand, confirm, and appropriately solve the vulnerability.
During the whole process, PAX will strictly control the scope of information distribution. PAX will request the reporting party keep the vulnerability confidential until PAX completes the fix and bulletin.
Submitting a Report
The vulnerability handling and disclosure process consist of the following four steps at PAX:
To report a security vulnerability affecting a PAX product or solution, please contact PAX using the ways described in the “Contact Information” section.
Particularly if you want to report a potential security issue, please use the word [VULNERABILITY] in the subject line. Please report the following information:
Organization and contact name
Summary of the vulnerability, including the type of issue, affected product/solution including model, hardware/software version and configuration
Steps to reproduce
Proof-of-concept exploit code or any attachments, if any
Recommendations on mitigation, if any
Disclosure plans, if any
PAX usually responds to incoming reports within two business days.
PAX investigates and reproduces the reported problem to test its vulnerability and assesses the risk level. During this stage, PAX will request more information from the reporter.
PAX usually takes three to ten business days to complete the verification.
PAX performs internal vulnerability handling in collaboration among the responsible development groups, and will works for vulnerability mitigation and recovery plans for all the affected products or solutions.
The time of this stage will vary in accordance with the risk level, impact and difficulty.
During this time, regular communication is maintained between PAX and the reporting party to inform about the current status.
If available, pre-releases of software fixes may be provided to the reporting party for verification.
After the patches or fixes are available for distribution, the process will step to the disclosure stage.With PAX’s consent, the reporting parties can conduct the CVE application for the specific vulnerabilities.
PAX will use existing customer notification processes to manage the release of patches or fixes and release a security advisory to inform PAX’s customers of information about a specific vulnerability.
A PAX Security Advisory usually contains the following information:
Description of the vulnerability with CVE reference and CVSS score
Known affected products and versions
Remediation solution and available fixes
Reporting source (internal or external)
Get in touch with PAX at VulnerabilityDisclosure@paxsz.com in any security-related questions on the PAX product or solution.
Please bear in mind that only emails composed in English or Chinese can be considered.
Use the Public PGP key (Key ID 8B23 89DC; fingerprint: F1C5 8104 CE21 B082 4AD7 88A4 66F0 4EBA 8B23 89DC) to encrypt your report.
For PAX partners, please use PAX Partner Network (PPN) to report issues about PAX products and obtain technical support. Contact your sales for PPN account if necessary.
Vulnerabilities identified by PPN are handled according to PAX's internal processes.