Ruijie attaches great importance to the vulnerability management of products and services. Ruijie supports responsible vulnerability disclosure and handling process and respects the research results of each security researcher. To ensure timely responses to vulnerabilities, Ruijie has dedicated personnel to follow up, analyze, and address each reported security issue.

Vulnerability Reception: Actively monitor and receive potential security vulnerabilities and issues from vulnerability reporters, and maintain contact with these reporters.Ruijie PSIRT will respond to vulnerability reports as soon as possible, usually within five business days.

Vulnerability Verification: Verify whether potential security vulnerabilities and issues affect the security of Ruijie's products, assess the risk, and determine the vulnerability leves. Ruijie PSIRT uses the Common Vulnerability Scoring System version 3.1 (CVSS3.1) to score vulnerabilities. For the specific scoring criteria, log in to the webpage: https://www.first.org/cvss/specification-document

Vulnerability Remediation: Develop a vulnerability risk mitigation and remediation plan, verify the effect of the vulnerability remediation, and provide a product upgrade package or patch.Ruijie PSIRT will work with the product team to perform a preliminary analysis and validation of the report to determine the validity, severity and impact of the vulnerability. We may contact you if we need more information about the reported vulnerability.Remediation typically takes up to 90 days and in some cases may take longer.

CVSS 3.1 Base Score	Temporary plan	Solution
7~10.0	≤7 business days	≤30 business days
4~6.9	≤14 business days	≤60 business days
0.1~3.9	≤30 business days	≤180 business days

Vulnerability Disclosure: Disclose vulnerability information if a workaround plan or patch is available (or a new version is released).

Solution: After disclosure of the vulnerability, Ruijie will monitor the effectiveness of the remediation measures, collect customer feedback and suggestions, and update the patch/upgrade package if necessary. At the same time, Ruijie will continue to improve the product development and vulnerability handling process.

Throughout the vulnerability handling process, Ruijie PSIRT shall strictly control the scope of vulnerability information and shares the information with relevant personnel only. Ruijie sincerely requests you to keep the information confidential until a complete solution is available to the customers.

Ruijie will take necessary and reasonable measures to protect the obtained vulnerability data in compliance with legal regulations.. Ruijie will not voluntarily share or disclose the aforementioned data to third parties unless expressly requested by the affected customer or required by law.