EN+ CSRC makes the following commitments:
We support and adhere to internationally recognized cybersecurity standards and best practices;
We support research efforts to increase network defense capabilities;
We continue to improve and use open and transparent methods so that users can assess EN+ cybersecurity capabilities.
Cybersecurity Vulnerability Management
EN+ supports responsible vulnerability disclosure and handling, and respects the research results of every security researcher.
If you have found a vulnerability, you can send an email to support@en-plus.com.cn. We will follow up and provide feedback on the security vulnerabilities you have reported as soon as possible. To protect the security of users and enterprises, we hope that you will not disclose or spread the vulnerability before it is repaired.
Processing flow:
1. Network security problems found during operation of the product are reported directly to the SPOC by email at support@en-plus.com.cn;
2. Immediately after receiving a report, the SPOC should organize the R&D team to analyze the problem and provide a problem analysis report and solution plan within 72 hours;
3. Until the network security incident is closed, the SPOC will notify the relevant responsible persons of the work progress every week, and all relevant responsible persons will review the “Event Review Report” to mark the completion of the handling of the incident;
4. After the Software Testing Department has tested the new software and found no problems, it must issue a test report, and R&D decides whether to upgrade based on that report. If an upgrade is required, the R&D team will provide a version upgrade plan proposal to Customer Service. After approval by Customer Service, the two teams will jointly complete the software upgrade of the running terminals and the hardware in production;
5. After the upgrade is completed, the R&D team will lead a complete review of the event and produce the “Event Review Report” (including a retrospective of the cause of the problem, the treatment plan and the follow-up improvement measures);
6. Until the network security incident is closed, R&D will notify the relevant responsible persons of the work progress every day, and all relevant responsible persons will review the “Event Review Report” to mark the completion of the handling of the incident;
7. 7 days for initial response are defined according to the published vulnerability disclosure policy. Usually, 90 days after receiving the vulnerability, a fix will be released or a warning will be published. The warning will be withdrawn once a fix is released.
Response Processing Time
| Service Level | Level Name | Level Definition | SLA | Emergency response time | System recovery time |
| --- | --- | --- | --- | --- | --- |
| L0 | Core services | Any exception affects all main business. | 20 minutes | 7 days | 30 days |
| L1 | Key services | Once an exception occurs, it affects some branch business. | 20 minutes | 10 days | 30 days |
| L2 | General services | Once an exception occurs, the main business process is not affected. | 20 minutes | 15 days | 60 days |
| L3 | Peripheral services | Once an exception occurs, it is imperceptible to users. | 20 minutes | 30 days | 90 days |
