The Sungrow Product Security Incident Response Team (PSIRT) is a dedicated team that receives, investigates, and discloses security vulnerabilities in Sungrow products. Sungrow defines vulnerabilities as exploitable security issues which, once exploited by attackers, could compromise the integrity, availability, or confidentiality of products. A vulnerability is not equivalent to a quality defect. A quality defect is triggered under certain conditions, without being exploited by an attacker, while a vulnerability must be exploited by an attacker before being triggered.
Sungrow PSIRT makes the following commitments:
We use IEC 62443-4-1 to manage our security management and development processes.
We take actions to reduce vulnerabilities in our products and services, so as to reduce or eliminate the harm and security risks that Sungrow product/service vulnerabilities cause to customers/users.
We promptly provide risk mitigations to customers/users after vulnerabilities are found in our products and services.
We actively identify our vulnerability management responsibilities and requirements (including applicable laws/regulations on business operation, contract requirements, and applicable public standards) and build a system to proactively manage vulnerabilities.
We will continue to optimize our vulnerability management processes and standards, learn from industry standards and best practices, and improve our vulnerability management maturity.
Reporting Suspected Vulnerabilities
Sungrow supports the responsible vulnerability disclosure and handling process, and encourages security researchers, industry organizations, customers, and suppliers to report suspected Sungrow product vulnerabilities to Sungrow PSIRT. If you have found a vulnerability, you can email a description of it (including the specific product model, software version, etc.) to psirt@sungrowpower.com and leave your contact information. Generally, you will receive a confirmation email within 1 working day from submission and a verification email within 7 working days. Subsequently, we will keep you updated with the latest progress during the vulnerability handling process.
Throughout the vulnerability handling process, our PSIRT strictly ensures that vulnerability information is transferred only between relevant handlers. We sincerely request you to keep the information confidential until a complete solution is available to our customers. We will take necessary and reasonable measures to protect the obtained data based on legal compliance requirements. We will not proactively share or disclose the data to others unless otherwise required by law or by the affected customer.
Vulnerability Response Process:
After receiving any suspected vulnerability, our PSIRT will work with the relevant product team to analyze/validate the vulnerability, assess its severity based on its actual impact on products, determine its remediation priority, and develop remediations (including mitigations, patches/versions, and other risk mitigations that can be implemented by customers).
When discovering vulnerabilities in the products or services provided by a supplier during product development, delivery, and deployment, we will proactively contact the supplier for vulnerability remediation.