To ensure the security and stability of IEI products and services, this official announcement outlines the criteria for evaluating newly discovered vulnerabilities (including those related to BMC or other firmware), the handling processes, and the principles of disclosure. Based on factors such as vulnerability severity, customer impact, and the feasibility of providing a fix, IEI will, where appropriate, issue security bulletins and deliver fixes or workarounds in a timely manner to safeguard customer interests. The details are as follows:
How We Classify and Prioritize Security Vulnerabilities
We follow the Common Vulnerability Scoring System (CVSS) to assess reported vulnerabilities in our products and services. Vulnerabilities are prioritized based on their CVSS risk level: Critical, High, Medium, or Low. We recommend that customers also use CVSS scores to assess and address vulnerabilities in their environments.
CVSS Score (primarily CVSS v3.x)
- Low (0.0–3.9)
- Medium (4.0–6.9)
- High (7.0–8.9)
- Critical (9.0–10.0)
Scope of Impact
- Number of affected customers and products.
- Whether core systems or functions are affected (e.g., a BMC vulnerability allowing remote attacks).
Exploitability
- How difficult it is for an attacker or malware to exploit the vulnerability.
- Availability of a Proof of Concept (PoC) or publicly accessible attack tool.
Fix Complexity & Workarounds
- Availability of a direct patch, mitigation, or workaround.
- Dependency on third-party components or specific customer configuration.
Handling Process: Which Vulnerabilities Must Be Fixed, Reported, or Disclosed
All vulnerabilities that have a potential impact on the security, stability, or functionality of IEI products and services must be evaluated based on the following criteria:
CVSS Score | Priority | Action | Disclosure | Patch Timeline |
---|---|---|---|---|
9.0–10.0 (Critical) | Highest Priority | Immediate resource allocation for patch or workaround | Security bulletin issued as soon as possible | Typically within 30–90 days; urgent cases may have expedited patches |
7.0–8.9 (High) | Must Be Addressed | Scheduled for patching with priority below Critical | Disclosed via security bulletin or customer alert once a patch/workaround is available | Generally within 90 days; may vary for specialized models |
4.0–6.9 (Medium) | Case-by-Case Evaluation | Fix may be accelerated if impact is substantial or active exploits exist; otherwise, included in the next scheduled firmware update | If only certain models or custom products are affected, IEI may notify those customers first | If widely affecting many products, it may be disclosed through periodic or cumulative security bulletins; for narrower impacts, disclosure may be limited to affected customers |
0.0–3.9 (Low) | May Be Deferred | Included in the next planned update; may provide workaround instead of full patch | Depending on risk evaluation, IEI may not issue a standalone bulletin | Reference the fix in future release notes or cumulative updates |
Disclosure Timing: Before or After the Fix
The timing of vulnerability disclosure is critical to minimizing potential risks for customers. IEI follows a risk-based approach, disclosing vulnerabilities once a fix or effective mitigation is available. Depending on the severity and whether the vulnerability is widely known or actively exploited, early advisories may be issued with interim recommendations to protect users.
Vulnerability Severity | Disclosure Timing | Exceptions / Additional Notes |
---|---|---|
Critical / High | Prefer disclosure after a patch or effective mitigation is available. | If widely known or actively exploited, an early advisory may be issued with interim recommendations or an estimated patch timeline. |
Medium / Low | Generally disclosed | Often included in “cumulative” or “bundled” security advisories, grouped with other fixes. |
Approximate Patch Timelines
IEI’s patch timelines are determined by the severity of the vulnerabilities and the complexity of the product. High-risk vulnerabilities are addressed promptly, while medium and low-risk issues are typically managed within the product development cycle. This approach ensures timely remediation while balancing development resources and security needs.
Vulnerability Severity | Approximate Patch Timeline |
---|---|
Critical / High | Usually 30–90 days for a patch or mitigation |
Medium | Approximately 1–2 quarters (3–6 months), or included in the next major release |
Low | Depending on the product lifecycle, may be deferred or incorporated into routine maintenance updates |
Vulnerability Remediation Policy and Special Cases
End-of-Life (EOL) / End-of-Support (EOS) Products:
If a product is no longer supported, IEI provides best-effort mitigation strategies or advisories.
Low-Risk / High-Cost Repairs:
In cases where vulnerability fixes are complex and the risk is minimal, IEI may first propose temporary measures or advisories, postponing the permanent fix.
Customer-Specific Requirements:
In OEM/ODM scenarios, if the customer chooses not to implement a fix, IEI will provide a risk disclosure and respect their decision.
Conclusion
IEI’s vulnerability handling and disclosure approach follows the principle of “prioritizing high-risk issues, maintaining transparency, and protecting customers’ security”:
- High-risk vulnerabilities (CVSS 7.0 and above) are addressed on an expedited schedule with public advisories.
- Medium and low-risk vulnerabilities are generally disclosed and patched during regular or cumulative updates, depending on actual impact.
- Disclosure timing is primarily determined by the goal of minimizing additional customer risk; detailed information is typically published once an appropriate solution is ready.
If you discover any security vulnerability in IEI products, please contact IEI through official security channels or technical support. Responsible reporting and close collaboration with the vendor help ensure that identified vulnerabilities are properly addressed and disclosed, thus maintaining a secure ecosystem.