Security

Security Strategy

Edifier places great importance on the security of its products and business systems, recognizing the valuable assistance of security researchers and the community in enhancing Edifier's security levels. We commit to assigning dedicated personnel to follow up, analyze, and address every issue reported by researchers promptly and provide timely responses.


Edifier adheres to and supports responsible vulnerability reporting processes, respecting the research efforts of every white-hat researcher. We sincerely welcome all white-hat researchers to report vulnerabilities to Edifier, and we will express gratitude and provide feedback based on the quality of the vulnerability.


Edifier prioritizes user interests and endeavors to protect the interests of Edifier users to the greatest extent possible.


Public Feedback Interface

If you encounter any issues while using Edifier's products, please reach out to us via email at xy_li@edifier.com.


Our dedicated team will promptly communicate with you via email. Upon receiving a vulnerability report, we commit to acknowledging it within 7 days. Subsequently, we will maintain regular contact with the reporter, providing progress updates at least every 30 days until the vulnerability is resolved.


When submitting a security report, please include the following information in your email:

1. Provide detailed information regarding the vulnerability. Additionally, if you can include its exploitability and potential impact, that will be more helpful for us.

2. Outline the step-by-step process to reproduce the vulnerability.

3. Provide comprehensive details about the testing environment, including:

· The URL/app affected by the vulnerability, along with any relevant code snippets. For devices, please specify the model.

· The data from your testing, preserved and submitted as an attachment to your report.

Note: Failure to provide this information may impede our assessment of the vulnerability.


Edifier is committed to collaborating with you and will make every effort to understand and resolve the vulnerability expeditiously.


The scope of valid vulnerability reports includes:


Edifier opposes and condemns the following behaviors and reserves the right to pursue legal action:

1. Acts that exploit vulnerabilities under the guise of testing to cause harm and damage user interests, including but not limited to stealing user data, privacy, and virtual assets.

2. Attacking Edifier's systems using vulnerabilities, causing system crashes or failures.

3. Threatening, extorting, or maliciously exaggerating the impact of vulnerabilities to cause public panic.

4. Irresponsible vulnerability disclosure, maliciously spreading vulnerabilities, or publicly disclosing, disseminating, or trading vulnerabilities before they are fixed.

5. Harmful or uncontrollable security testing behaviors.

6. Testing behaviors that violate universally recognized international laws or local regulations.

7. Failure to properly safeguard the data during the vulnerability testing process, resulting in losses to Edifier.


If you have any questions during the testing process, please feel free to contact Edifier (support@edifier.com), and we will provide detailed guidance.


Security report from an independent security expert

Edifier has signed a partnership with Security Corporation, which will provide a security test report for Edifier’s devices.


When any vulnerability is identified, the firmware is updated as follows:

1.  Vulnerabilities are identified by customers, users, etc.

2.  A security-related review meeting must be held immediately and the corresponding solution must be presented. In particular, participants must include the security technology manager, the project development manager, the firmware architecture manager, and the Technical Director. CVSSv2 will be used as the reference standard for assessing and prioritizing the vulnerability.

3.  According to the solution, the developer performs the specific implementation.

4.  Code review. Reviewers should include the security technology manager and the project development manager.

5.  Release the firmware.

6.  The QA team tests the firmware. If there are any problems, go back to step three.

7.  Code is merged into the trunk branch.

8.  The project manager notifies customers that they need to update the software and obtains the customer’s upgrade confirmation.

9.  Publish the OTA update for Edifier products.


Security response plan

If a security incident arises, it must be treated as the highest-priority, most urgent matter. The CEO and CTO must be made aware of the incident and participate in its handling. If the incident is a software maintenance issue, it will be handled according to the process of the “Software maintenance update strategy” in this document. A tripartite meeting should be held immediately. The participants are Edifier and OEMs. The meeting needs to collect information, clarify the circumstances of the incident, and estimate timelines for remediation of the incident. If the incident has a special, major impact, Edifier will discuss the timelines for remediation with the customer.
