
1. Policy Objective
LuxpowerTek is committed to delivering secure and reliable products and services to our global customers. We encourage security researchers, partners, and clients to report potential vulnerabilities through responsible disclosure practices, enabling us to promptly address and mitigate risks.
2. Reporting Process
To submit a vulnerability report, please use the following channels:

security@luxpowertek.com (PGP encryption recommended)

Online Form/Security Portal
Details of any dedicated security portal will be announced separately
Please include the following information in your report:
- Affected product model and firmware/software version
- Detailed description of the vulnerability and steps to reproduce (or Proof of Concept)
- Analysis of potential impact
- Contact information for follow-up communication

TIPS:
To ensure responsible disclosure, please refrain from publicly disclosing the vulnerability until an official fix has been released.
3. Security Testing Scope and Compliance Boundaries
Permitted Testing Activities✅
- Local device testing
- Network communication analysis
- Configuration and permission validation
Prohibited Activities❌
- Unauthorized access or theft of user data
- Exploitation of vulnerabilities causing service disruption or damage
- Large-scale scanning or denial-of-service attacks targeting production environments
4. Vulnerability Response Process and Timeline
LuxpowerTek adheres to international best practices and has established a standardized response process for handling vulnerabilities:
- Acknowledgment: Within 5 business days of receiving a report, we will confirm receipt.
- Validation and Assessment: Our security team will validate the vulnerability and assess its risk level using the CVSS v3.1 standard.
- Remediation Plan: Depending on the severity, we will develop a fix or mitigation plan.
- Communication: We will maintain contact with the reporter throughout the process, requesting additional information as needed.
- Public Disclosure: Upon resolution, a vulnerability advisory will be published in our security bulletin, with acknowledgment to the researcher if consent is provided.
The typical resolution and disclosure timeline is 90–120 days, with critical vulnerabilities prioritized for expedited handling.
5. Vulnerability Severity Classification
Vulnerabilities are classified based on the CVSS v3.1 standard as follows:
Low (0.1–3.9)
Minimal impact, resolved in subsequent iterations.
Medium (4.0–6.9)
Limited impact, addressed in routine software updates.
High (7.0–8.9)
High-impact vulnerabilities prioritized for prompt resolution.
Critical (9.0–10.0)
Immediate remediation with urgent patch release.
6. Notice
Coordinated Disclosure Principles
LuxpowerTek adheres to a CVD (Coordinated Vulnerability Disclosure) model to ensure vulnerabilities are not publicly disclosed prior to the release of a patch.
Researchers are requested to provide a reasonable remediation window, typically 90 days, to facilitate timely resolution.
Legal Exemption
Provided that vulnerability testing and disclosure are conducted in accordance with this policy, LuxpowerTek will not pursue legal action against researchers and will consider such activities as good-faith security research.
Disclaimer
This policy may be updated to reflect industry developments and legal requirements. LuxpowerTek assumes no warranty or liability for any direct or indirect losses resulting from vulnerability disclosure or delays in remediation.