Sungrow Product Security Incident Response Team (PSIRT) is a dedicated team that receives, investigates, and discloses security vulnerabilities in Sungrow products. Sungrow defines vulnerabilities as exploitable security issues which, once exploited by attackers, could compromise the integrity, availability, or confidentiality of products. A vulnerability is not equivalent to a quality defect. A quality defect is triggered under certain conditions, without being exploited by an attacker, while a vulnerability must be exploited by an attacker before being triggered.
Sungrow PSIRT makes the following commitments:
We use IEC 62443-4-1 to manage our security management and development processes.
We take actions to reduce vulnerabilities in our products and services to reduce or eliminate the harm and security risks caused to customers/users by Sungrow product/service vulnerabilities.
We promptly provide risk mitigations to customers/users after vulnerabilities are found in our products and services.
We actively identify our vulnerability management responsibilities and requirements (including applicable laws/regulations on business operation, contract requirements, and applicable public standards) and build a system to proactively manage vulnerabilities.
We will continue to optimize our vulnerability management processes and standards, learn from industry standards and best practices, and improve our vulnerability management maturity.
Reporting Suspected Vulnerabilities
Sungrow supports the responsible vulnerability disclosure and handling process, and encourages security researchers, industry organizations, customers, and suppliers to report suspected Sungrow product vulnerabilities to Sungrow PSIRT. If you have found a vulnerability, you can email a description of the vulnerability (including the specific product model, software version, etc.) to psirt@sungrow.cn and leave your contact information; we will follow up and provide feedback on the security vulnerabilities you have reported as soon as possible.
Throughout the vulnerability handling process, our PSIRT strictly ensures that vulnerability information is transferred only between relevant handlers. We sincerely request you to keep the information confidential until a complete solution is available to our customers. We will take necessary and reasonable measures to protect the obtained data based on legal compliance requirements. We will not proactively share or disclose the data to others unless otherwise required by law or by the affected customer.
Vulnerability Response Process:
After receiving any suspected vulnerability, our PSIRT will work with the relevant product team to analyze/validate the vulnerability, assess its severity based on its actual impact on products, determine its remediation priority, and develop remediations (including mitigations, patches/versions, and other risk mitigations that can be implemented by customers).
When discovering vulnerabilities in the products or services provided by a supplier during product development, delivery, and deployment, we will proactively contact the supplier for vulnerability remediation.
The following is the handling process:
1. PSIRT will organize the SDD team to analyze the problem immediately after receiving it, and will provide the problem analysis report and solution to customer service within 24 hours;
2. Resolve network security issues within 72 hours, provide the version available for upgrade (the version path will be provided separately) to the software testing department for testing, and provide a problem resolution report (including the root cause and solution of the problem);
3. If the problem cannot be resolved within 72 hours, provide a temporary prevention method and have the software testing department verify the method;
4. After the software testing department tests the new software and finds no problems, a test report is issued. The SDD department decides whether to upgrade based on the test report. If an upgrade is required, the SDD team will provide a version upgrade plan proposal to the customer service department. After approval by the customer service department, the two teams will jointly complete the software upgrade of the operating terminal and of the hardware in production;
5. After the upgrade event is completed, the SDD team will lead a comprehensive review of the event and produce an "event review report" (including a review of the cause of the problem, the handling plan, and subsequent improvement measures);
6. Until the network security incident is closed, the SDD department will notify the relevant responsible person of the work progress every day, and the responsible persons of all relevant teams will review the "incident review report" to mark the completion of incident processing.
Response Processing Time
| Service Level | Level Name | Level Definition | SLA | Emergency Response Time | System Recovery Time |
|---|---|---|---|---|---|
| L0 | Core services | In case of any exception, it will affect all main business. | 24h | 7 days | 30 days |
| L1 | Key services | Once exceptions occur, it will affect some branch business. | 24h | 10 days | 30 days |
| L2 | General services | Once the exception occurs, the main business process will not be affected. | 24h | 15 days | 60 days |
| L3 | Peripheral services | Once the exception occurs, it is imperceptible to users. | 24h | 30 days | 90 days |