Weintek Product Vulnerability Handling and Disclosure Process

Weintek Technology Corp. ("Weintek") is committed to helping ensure the security of its products and the operational security of its customers. We encourage good-faith reporting parties to report potential security vulnerabilities that may affect Weintek products through the channels described on this page.

To reduce the risk that customers face from zero-day situations, Weintek supports coordinated vulnerability disclosure and, in the spirit of IEC 62443-4-1, tracks, analyzes, remediates, and discloses confirmed security vulnerabilities.

Weintek is prepared to work in good faith with individuals who submit vulnerability reports in accordance with this policy. Weintek does not intend to initiate legal action or request law-enforcement action against individuals for their security testing or vulnerability reporting activities, provided that they:

  • Adhere to applicable laws.
  • Engage in system testing or security research without harming anyone.
  • Ensure vulnerability testing does not adversely affect customers; where testing involves customer products, software, or other assets, obtain the customer's prior written authorization or consent before conducting any testing activities.
  • Perform coordinated disclosure, including refraining from disclosing vulnerability details, exploit code, or information that could enable attacks to the public before the expiration of a timeframe mutually agreed in writing, including by email.
  • Avoid any impact to the safety, security, or privacy of anyone.

Weintek's vulnerability handling and disclosure process consists of the following four steps:

1. Report

To report a security issue that may affect a Weintek product, please submit the vulnerability report form or contact Weintek through the dedicated mailbox: psirt@weintek.com.

Weintek accepts anonymous reports. To help protect sensitive vulnerability information from disclosure, reporting parties are strongly encouraged to use the PGP public key [8D84 07B7 D03D B864 3FBC B996 C566 3499 05B1 D7A1] to encrypt report contents during transmission. Weintek will respond to received reports within seven business days, with Taipei, Taiwan as the reference time zone.

To help us validate the issue quickly, please provide as much of the following information as possible:

  • Description of the vulnerability, affected scope, and possible attack scenario.
  • Affected product, model, software version, firmware version, or OS version.
  • Steps to reproduce, test environment, special configuration, packet captures, screenshots, or proof-of-concept code.
  • Whether the vulnerability has already been publicly disclosed, or has been reported to other vendors or coordination bodies.
  • Suggested CVSS score, CVE identifier, or any other information that may assist validation.

Weintek does not require reporting parties to sign a nondisclosure agreement (NDA) before submitting a vulnerability report. For good-faith security research and reporting that meets the following conditions, Weintek does not intend to initiate legal action or request law-enforcement action against individuals for their security testing or vulnerability reporting activities:

  • The reporting party adheres to applicable laws and does not improperly access, modify, delete, disclose, or exfiltrate data.
  • The testing activity does not harm anyone, affect customer systems, disrupt service availability, or endanger safety, privacy, or industrial-control operations.
  • Testing is conducted only in the reporting party's own environment, an authorized environment, or an environment where consent has been obtained from the system owner.
  • The reporting party cooperates with Weintek through coordinated vulnerability disclosure and does not publicly disclose vulnerability details, exploit code, or information that could enable attacks before the disclosure date mutually agreed in writing, including by email.
  • If the reporting party discovers an issue that may create immediate risk, data exposure, or operational impact, the reporting party immediately stops testing and reports the issue to Weintek.

Prohibited Actions: To protect customers and third parties, reporting parties must not engage in the following activities:

  • Unauthorized access to, acquisition of, modification of, deletion of, disclosure of, exfiltration of, or retention of any personal data, customer data, confidential data, or third-party data.
  • Launching or attempting any activity that may interrupt, degrade, or affect the stability of online production systems.
  • Using social engineering, phishing, spam, threats, extortion, physical intrusion, or personnel testing directed at employees, customers, partners, or third parties.
  • Testing customer environments, third-party systems, cloud services, or equipment not owned or controlled by the reporting party without explicit authorization.

If, during testing, the reporting party accidentally accesses non-public data, causes service impact, or discovers an issue that may create immediate risk, the reporting party must immediately stop testing, avoid further access to or sharing of data, and report the matter to Weintek without delay.

2. Analysis

After Weintek confirms receipt of the report, Weintek will create a tracking case for the vulnerability and, if needed, request additional information from the reporting party. Weintek will evaluate whether the report constitutes a product security issue and analyze the affected scope, reproduction conditions, severity, and customer risk.

3. Handling

Weintek will work with the responsible teams to determine fixes, updates, configuration changes, mitigations, or other risk-reduction measures. During this time, Weintek will maintain regular communication with the reporting party to provide current status updates and help ensure that the reporting party understands Weintek's handling status and expected timeline. If available, pre-release software fixes may be provided to the reporting party for verification.

4. Disclosure

After the issue has been successfully analyzed and, if necessary, a fix is required to address the vulnerability, Weintek will develop the corresponding fix and prepare it for release. Weintek will use existing customer notification processes to manage the release of patches.

Security advisories may, as appropriate, include the vulnerability description, CVSS score, CVE identifier, affected products and versions, fixed versions, mitigation measures, compensating controls or workarounds, recommended customer actions, and a clear publication date.


Revision History

  • V1.0 (2026-07-02): Publication