Rules for Vulnerability Submissions

Penetration testing must not violate applicable laws, ensuring that all tests comply with the law.

Make best efforts to avoid violating privacy, disrupting the production environment, and destroying or manipulating data.

The vulnerability is unknown to Unisoc.

Make sure not to disclose any vulnerability-related information and news before the time of information disclosure.

When multiple submissions by different researchers occur, only the first one who reports the security issue to us, will be mentioned on our Security Acknowledgments.

We will

We’ll respond within a maximum of 3 to 5 business days upon receiving the initial report. Please send us again if you do not get feedback after a week.

We’ll try our best to complete the Unisoc vulnerability handling process within 90 days, including releasing security patches to our OEM partners or communicating with the stakeholders.

A CVE number will be granted for the resolved Unisoc security issue.

We’ll fix the low severity level vulnerabilities. But we generally do not assign CVEs for this level issues.

Our vulnerability ratings include critical, High, Medium, and Low. Unisoc currently has no corresponding reward plan. For contributors, we offer Security Acknowledgments.

Vulnerability Severity

Unisoc rates and evaluates the severity level of the identified vulnerabilities based on the Common Vulnerability Scoring System version 3.1 (CVSS v3.1). If there are additional factors that are not captured adequately in the CVSS score, we reserve the right to deviate from its guidelines.

Disclaimer

Unisoc reserves the right to update all the above information at any time without notice