Public feedback information: Security researchers are asked to notify Roberts of any security vulnerabilities they discover in its devices.
Please email email@example.com using the subject line: “FAO Roberts R&D department”
Software vulnerability monitoring
The following websites monitor known vulnerabilities:
- CVE (http://cve.mitre.org/)
- NVD (https://nvd.nist.gov/)
- CWE (http://cwe.mitre.org/)
Software maintenance update strategy
We monitor potential vulnerabilities in third-party components and apply updates when required. Updates may be applied through our products’ companion apps.
If a vulnerability is identified, our response is the following:
1. Review the vulnerability evidence, report and any other supporting material.
2. A security review meeting is held immediately to assess the risk of the vulnerability and any candidate fixes. Participants must include the security technology manager, the project development manager, the firmware architecture manager and the Technical Director. CVSSv2 is used as the reference standard for assessing and prioritising the vulnerability.
3. The developer implements the agreed solution.
4. Code review. Reviewers should include the security technology manager and the project development manager.
5. Release the firmware.
6. The QA team tests the firmware. If any problems are found, return to step 3.
7. Merge the code into the trunk branch.
8. The project manager notifies customers that they need to update the software and obtains the customer’s confirmation of the upgrade.
9. Perform the OTA update for the corresponding project.
Security response plan
If a security incident arises, it must be treated as the highest-priority urgent matter. The CEO and CTO must be made aware of the incident and participate in incident
If the incident is a software maintenance issue, it is handled according to the process in the “Software Maintenance Update Strategy” section of this document. A tripartite meeting is held immediately; the participants are Roberts and the OEMs. The meeting collects information, clarifies the circumstances of the incident and estimates the timeline for remediation. For an incident with a particularly major impact, Roberts will discuss the remediation timeline with the customer.