Security Vulnerability Disclosure Policy

Universal Electronics Inc. (UEI) is committed to ensuring the security of our customers' information. We take security seriously and value our customers' experience and concerns. Therefore, we provide a reporting mechanism for customers to inform us of any security vulnerabilities they encounter while using our products. This allows us to receive the information systematically and to address the vulnerability in a timely manner, and it helps us improve the products and services we provide to our customers.

INTRODUCTION

This vulnerability disclosure policy applies to any software and security vulnerabilities you are considering reporting to Universal Electronics Inc. (“UEI”), referred to in this document as “Company”. We recommend reading this vulnerability disclosure policy fully before you report a vulnerability and always acting in compliance with it.  

We value those who take the time and effort to report security vulnerabilities according to this policy. However, we do not offer monetary or other rewards for vulnerability disclosures.

PURPOSE AND SCOPE

The purpose of this Vulnerability Disclosure Policy is to ensure that a finder can easily report a security vulnerability.  

Security plays a crucial role in the development and lifecycle of systems, products and services. By having a mechanism for users to report vulnerabilities, UEI can respond to users directly, receive information to address any associated risks, and make improvements to reduce risks.  

This policy is intended to meet the baseline requirements of ETSI EN 303 645, Provisions 5.2-1 and 5.2-2, as well as the GDPR. The provisions are:  

Provision 5.2-1 The manufacturer shall make a vulnerability disclosure policy publicly available. This policy shall include, at a minimum:

  • contact information for the reporting of issues; and

  • information on timelines for:

  1. initial acknowledgement of receipt; 
  2. status updates until the resolution of the reported issues.  

Provision 5.2-2 Disclosed vulnerabilities should be acted on in a timely manner.  

A "timely manner" for acting on vulnerabilities varies considerably and is incident-specific; however, conventionally, the vulnerability process is completed within 90 days for a software solution, including availability of patches and notification of the issue. A hardware fix can take considerably longer to address than a software fix. Additionally, a fix that has to be deployed to devices can take time to roll out compared with a server software fix.

DEFINITIONS & ACRONYMS

  • CVSS – Common Vulnerability Scoring System
  • CWE – Common Weakness Enumeration
  • Finder – any person who discovers and reports a vulnerability in a system, product or service manufactured by UEI or its subsidiaries.
  • GDPR – General Data Protection Regulation; a set of rules created by the European Union.
  • IP – Intellectual Property
  • UEI – Universal Electronics Inc.

REPORTING

If you believe you have found a security vulnerability in a UEI product or software, please submit your report to us using the following website link: https://www.uei.com/report-a-vulnerability

Alternatively, from the UEI website: open the About dropdown menu at the top of the page, choose Contact Us, and in that section click Report A Vulnerability. You will be asked to provide the following information: 

Vulnerability Details:

  • Asset (web address, IP Address, product or service name) where the vulnerability can be observed
  • Weakness (e.g. CWE) (optional)
  • Severity (e.g. CVSS v3.0) (optional)
  • Title of vulnerability (mandatory)
  • Description of vulnerability (this should include a summary, supporting files and possible mitigations or recommendations) (mandatory)
  • Impact (what could an attacker do?) (mandatory)
  • Steps to reproduce. These should be a benign, non-destructive proof of concept. This helps to ensure that the report can be triaged quickly and accurately. It also reduces the likelihood of duplicate reports, or of malicious exploitation of some vulnerabilities, such as sub-domain takeovers.

Optional Contact Details:

  • Name
  • Email Address

WHAT TO EXPECT

After you have submitted your report, we will use our best effort to respond to your report within 5 working days and aim to triage your report within 10 working days. We will also aim to keep you informed of our progress.  

Priority for remediation is assessed by looking at the impact, severity and exploit complexity. Vulnerability reports might take some time to triage or address. You are welcome to enquire about the status, but should avoid doing so more than once every 14 days. This allows our teams to focus on the remediation. We will notify you when the reported vulnerability is remediated, and you may be invited to confirm that the solution covers the vulnerability adequately. 

Once your vulnerability has been resolved, we request that you do not release or make public the report without UEI’s written consent.

GUIDANCE

Do NOT:  

  • Break any applicable privacy laws or regulations 
  • Access or attempt to access Company’s confidential information or trade secrets
  • Access unnecessary, excessive or significant amounts of data 
  • Modify data in the Company's systems or services 
  • Use high-intensity invasive or destructive scanning tools to find vulnerabilities 
  • Attempt or report any form of denial of service, e.g. overwhelming a service with a high volume of requests 
  • Disrupt the Company's services or systems

REFERENCE DOCUMENTS

UEI policies are often associated with other policies and/or technical reports. The following policies and procedures provide additional guidance and direction relevant to this Policy. 

  • ETSI TR 103 838 v1.1.1 Cyber Security; Guide to Coordinated Vulnerability Disclosure
  • ETSI TR 103 621 v1.2.1 Guide to Cyber Security for Consumer Internet of Things
    • Section 6.6, Provision 5.2-1
    • Section 6.7, Provision 5.2-2