Security strategy

Public feedback interface

Security researchers can notify Linkplay of security vulnerabilities in devices.

Linkplay official website

https://linkplay.com

Contact of Linkplay’s security department

security@linkplay.com

Security report from independent security expert

Linkplay has signed a partnership with Security Corporation, who will provide a security test report for Linkplay’s devices.

Software vulnerability monitoring

Monitor the public information of the following websites through regular and continuous monitoring.

• CVE (http://cve.mitre.org/)

• NVD (https://nvd.nist.gov/)

• CWE (http://cwe.mitre.org/)

Software maintenance update strategy

Monitor version updates for third-party components and update to the latest version to avoid the existence of known vulnerabilities. Fixes for severity vulnerabilities will be bundled in existing updates.

When any vulnerability is identified, update the firmware as follows:

1.   Vulnerabilities identified by customers, users, etc.

2.   A security related review meeting must be held immediately and the corresponding solution needs to be presented.

In particular, participants must include security technology manager, project development manager, firmware architecture manager, and Technical Director.

CVSSv2 will be used as a reference standard for assessing and prioritizing vulnerability.

3.   According to the solution, the developer performs the specific implementation.

4.   Code review. Reviewers should include security technology manager and project development.

5.   Release firmware.

6.   QA team test the firmware. If there are any problems, go back to step three.

7.   Code merged into trunk branch.

8.   The project manager notify customers that they need to update the software and get customer’s upgrade confirmation.

9.   Perform OTA on the corresponding project.

Security response plan

If security incident arises, the incident must be treated as the highest priority urgent. CEO and CTO

must be aware of this incident and participate in incident handling.Iftheincidentisasoftwaremaintenanceissue,thenitwillbehandledaccordingtotheprocessof the “Software maintenance update strategy” in thisdocument.Atripartitemeetingshouldbeheldimmediately.TheparticipantsareLinkplay,OEMS.The meetingneedstocollectinformation,clarifythesituationoftheaccident,andestimatedtimelines for remediation of anincident. If there is a special major impact incident, Linkplay will discuss the timelines for remediation with customer.