28 May 2025 · Security

Vulnerability Disclosure and Remediation Policy
    1. Introduction

    a. Company Overview

    Browan Communications Inc., established in 2002 and headquartered in Hsinchu, Taiwan, is a member of the Gemtek Group. The company specializes in transforming wireless technologies into value-driven Internet of Things (IoT) solutions. Browan integrates technologies such as Wi-Fi, BLE, LTE, UWB, and LoRa to deliver innovative and scalable IoT products and services. We aim to provide end-to-end solutions, including IoT hardware, system integration, platform development, and long-term support for sustainable IoT ecosystems.

    b. Purpose of the Vulnerability Disclosure and Remediation Policy

    This Vulnerability Disclosure and Remediation Policy (VDRP) outlines our commitment to security and the responsible handling of potential vulnerabilities in our products and services. The purpose of this policy is to provide a clear, transparent, and cooperative process for external parties—including customers, partners, and independent security researchers—to report vulnerabilities. Our goal is to minimize risks to users, comply with relevant regulations such as the EU Radio Equipment Directive (RED) Delegated Act, and continuously improve the overall security and resilience of our products.
    2. Contact Information

    a. Vulnerability Reporting Contact Details
    • Email: sales@browan.com
    • Phone: +886-3-6006899
    • Address: No.15-1 Zhonghua Road, Hsinchu Industrial Park, Hukou, Hsinchu, Taiwan, 30352
    These contact details can also be found on the official Browan website at the Contact Us page.

    b. Initial Acknowledgment Procedure

    To ensure transparency and responsiveness, Browan intends to establish and publicly document the following details:
    • Acknowledgment Timeline: We aim to acknowledge receipt of all vulnerability submissions within 15 business days.
    • Response Details: The initial acknowledgment will typically include a tracking or reference number (ticket ID) and the contact information of the personnel responsible for handling the report.
    3. Vulnerability Handling Process

    a. Vulnerability Response and Status Update Process

    Browan Communications Inc. is committed to a structured and transparent process for handling reported security vulnerabilities. Vulnerability reports are reviewed and processed by our internal security response team, which is responsible for evaluating, triaging, and addressing potential security issues. Throughout the process, Browan aims to maintain communication with the reporter by providing periodic status updates at key stages, including:
    • Customer Service & Product Teams
      • Receive issue reports from customers or internal sources.
    • Initial Screening
      • Filter and validate the issue before escalating.
    • Escalation to R&D Team
      • R&D analyzes the issue, determines the bug severity level, and estimates fix duration.
    • Customer Communication & Internal Announcement
      • Respond to the customer and internally announce resolution status if needed.
    • Issue Closure
      • Final confirmation with the reporter and closure of the ticket.
    We encourage open and cooperative dialogue to ensure that vulnerabilities are clearly understood and addressed effectively.

    b. Remediation Timeline

    Browan prioritizes remediation based on the severity of the reported vulnerability. Our preliminary target timeframes for resolution are as follows:
    • High severity vulnerabilities: Remediated within 30 calendar days.
    • Medium severity vulnerabilities: Remediated within 60 calendar days.
    • Low severity vulnerabilities: Remediated within 90 calendar days.
    c. Notification Timeline After Resolution

    Once a vulnerability has been successfully resolved, Browan will notify the original reporter within 10 business days.
    • Notification Method: The preferred method of communication is via the email address used in the original submission.
    • Notification Content: The notification will include a summary of the resolution, including the mitigation approach and, where applicable, the firmware or software version in which the issue was fixed.
    4. Additional Considerations

    a. Definition of a Vulnerability vs. Non-Vulnerability

    For the purpose of this policy, a security vulnerability is defined as a flaw or weakness in a system, product, or service that could be exploited to compromise the confidentiality, integrity, or availability of Browan’s infrastructure, products, or users. Examples of valid vulnerabilities include, but are not limited to:
    • Authentication bypass
    • Privilege escalation
    Examples of issues generally NOT considered vulnerabilities include:
    • Reports based on outdated browsers or unsupported platforms
    • Disclosure of non-sensitive information
    b. Security Research Guidelines
    • Promptly inform us upon discovering any real or potential security issues.
    • Exert every effort to prevent privacy violations, user experience degradation, disruption to production systems, and data destruction or manipulation.
    • Utilize exploits only to confirm the presence of vulnerabilities, avoiding any attempt to compromise, exfiltrate data, establish persistent command line access, or pivot to other systems.
    • Allow us a reasonable timeframe to address and resolve the identified issues before making any public disclosures.
    • Abide by all applicable laws and regulations during the security testing process.
    • Upon confirming a vulnerability or encountering sensitive data, cease testing immediately, notify us without delay, and refrain from disclosing this information to any third party.
    Note: Browan currently does not offer financial rewards for disclosed vulnerabilities.
    5. Policy Documentation

    a. Downloadable Policy

    The finalized version of this policy is available on the Contact Us or Support page for accessibility and regulatory compliance.

    b. Regulatory and Standards Compliance

    This policy is designed in accordance with the following standards and regulatory frameworks:
    • EU Radio Equipment Directive (RED) Delegated Act
    • ISO/IEC 29147: Vulnerability Disclosure
    • Other applicable global or regional cybersecurity regulations
    6. Feedback and Questions

    We welcome any feedback or suggestions regarding this policy. Please reach out to us at sales@browan.com.
    7. Revisions and Updates

    a. Policy Maintenance

    The Vulnerability Disclosure and Remediation Policy is reviewed and maintained by the Browan Support team. We aim to review this policy on a quarterly basis or whenever a significant change occurs in our vulnerability handling practices or applicable regulations.

    Browan Communications Inc. reserves the right to modify or change the contents or definitions of this policy at any time without prior notice.

    b. Post-Update Communication

    Following any updates to this policy, the latest version will be:
    • Published on our website (if applicable)
    • Communicated to relevant internal teams
    • Dated with a "Last Updated" timestamp for version control
    Version 20250528