GREE's Vulnerability Disclosure Announcement
Regarding GREE's Security Updates
In order to protect our customers, GREE will not disclose security issues until investigations are completed
and comprehensive patches or release versions are ready. This announcement outlines information about
recently patched vulnerabilities, along with their impact scope and the corresponding remedies.
If you believe you have identified security or privacy vulnerabilities in GREE products, please directly
send security issues to:
[email protected]
For the vulnerabilities you submit, the corporate reviewer will try to complete the confirmation within 3
business days. Security updates for "critical security issues" will be released within 7 business days,
while security updates for software-related "high-risk security issues" and "medium-risk security issues"
will be released within 30 business days. Security updates for security vulnerabilities concerning firmware
and hardware of smart products will be released within 180 business days. Please refer to the GREESRC
Vulnerability Remediation Process and Grade Rating Criteria for vulnerability grading criteria.
Obtain the latest software update from GREE:
Download the link for the latest app version:
http://global.ewpeinfo.com/GreePlusInternational/
Please update your application promptly, as this is one of the most crucial steps in
maintaining the security of GREE products.
Vulnerability Grade Rating Criteria
The vulnerability grading criteria are based on CVSS v3 (Common Vulnerability Scoring System), and
vulnerabilities are categorized into five grades, namely [Critical], [High-risk], [Medium-risk], [Low-risk],
and [No Impact], according to the impact of vulnerabilities on system confidentiality (C), integrity (I),
and availability (A).
Critical
1. Vulnerabilities that can directly access core system privileges (server/client
permissions), including but not limited to uploading Web Shells, arbitrary code execution, remote command
execution, SQL injection to access core system privileges, etc.;
2. Critical information leakage vulnerabilities in the core system, including but not limited to SQL
injection in core DB, extensive sensitive user identity information leakage (at least 3 sensitive fields:
name/ID card, bank card information, phone number/email, passwords, address), internal core data leakage of
enterprises, etc.;
3. Critical defects in the logical design or process of the core system, including but not
limited to payment vulnerabilities allowing bulk modification of any account passwords, arbitrary account
fund consumption, arbitrary amount modification, etc.;
4. Vulnerabilities critically impacting the availability of the core system,
such as vulnerabilities of denial of service that can directly cause paralysis of core system business;
High-risk
1. Vulnerabilities that can directly access important business system privileges
(server/client permissions), including but not limited to arbitrary command execution, uploading Web Shells,
arbitrary code execution, SQL injection to access core system privileges, etc.;
2. Vulnerabilities directly leading to the leakage of important information, including but
not limited to SQL injection vulnerabilities in important DBs; leakage of extensive important business
source codes; and SSRF vulnerabilities that enable access to internal networks and access sensitive
information.
3. Critical unauthorized access, including but not limited to bypassing
authentication to access important system backends; and operations such as unauthorized access,
modification, and deletion of sensitive user information.
Medium-risk
1. Vulnerabilities requiring interaction to access user identity information, including but
not limited to stored XSS vulnerabilities in core and important systems; and CSRF for sensitive operations
(payment, account information, etc.);
2. Arbitrary file operation vulnerabilities, including but not limited to arbitrary file
reading, writing, deletion, uploading, downloading, etc.;
3. Ordinary unauthorized access, including but not limited to bypassing restrictions to
modify user profiles, perform user operations, read user information; and bypassing restrictions to access
non-core business system backends;
4. Moderately critical information leakage vulnerabilities, including but not limited to SQL injection and
unauthorized access not involving important data; limited-range sensitive file leakage (e.g., DB connection
passwords) and weak passwords for accounts (e.g., regular users, test users).
Low-risk
1. Reflective XSS; and non-critical system stored XSS;
2. Limited-harm unauthorized operations (e.g., unauthorized emptying/adding to cart);
3. Minor information leakage, including but not limited to Phpinfo; non-core system SVN
information leakage; non-important information leakage (e.g., unusable DB connection passwords); and local
SQL injection in client applications;
4. Vulnerabilities that are difficult to exploit but pose security risks, including but
not limited to difficult-to-exploit SQL injection points; local denial of service in clients; and
vulnerabilities under specific conditions or environments (e.g., SMS, email bomb, URL redirection);
5. Vulnerabilities that pose security risks but require extremely stringent
conditions for exploitation, including but not limited to vulnerabilities only triggered on a specific
version of a browser, and vulnerabilities requiring special configurations to trigger.
No Impact
1. Vulnerabilities not related to security issues, including but not limited to defects in
website product functionality, garbled pages, mixed styles, URL skip at login, etc.
2. Vulnerabilities that cannot be exploited, replicated, or result in actual harm.
3. Other issues that have no impact on GREE's business.
Other issues not categorized within specific types will be comprehensively evaluated based
on their actual harm and CVSS.
Vulnerability Remediation Process
GREESRC Vulnerability Remediation Process is as follows:
1.[Vulnerability Submitting]
The white hat logs in to the Butian account and submits vulnerability
reports. Once a vulnerability is submitted, it cannot be edited or modified. Please ensure the accuracy of
the vulnerability information before submitting it. After successful submission, the vulnerability status
will be displayed as [Under Review].
2. [Vulnerability Review]
The corporate reviewer will conduct a preliminary review of the vulnerabilities within 3 business days (the
review speed may slow down during statutory holidays or in the event of a vulnerability outbreak).
Vulnerabilities that do not pass the preliminary review will be ignored or requested to provide additional
information. White hats can supplement the information or engage in discussions below the vulnerability. If
there are repeated vulnerabilities within the same time period, only the first complete report will be
considered. For repeated vulnerabilities in different time periods, the first submission will be considered.
Vulnerabilities that pass this stage will be displayed as [Pending Confirmation] in the status.
3.[Vulnerabilities Confirmation]
The corporate reviewer will confirm the vulnerabilities within 7 business days (extended during statutory
holidays), and white hats will receive corresponding rewards once the vulnerabilities are confirmed. If
there are any disputes regarding the confirmation level, a vulnerability appeal can be initiated within a
validity period of 3 days, and the Butian platform will intervene and negotiate the resolution. During this
stage, the status of the vulnerabilities will be displayed as [Pending Remediation].
4.[Vulnerability Remediation]
Vulnerability Remediation Platform: https://www.butian.net/Company/1100
Remediation Process:
((1) The asset owner receives a vulnerability notification email and simply needs to click on the
vulnerability link in the email to be redirected to the vulnerability detail page for review. If not
registered, after registering an account, the asset owner can review the number of vulnerabilities and
detailed reports corresponding to the vulnerability status in the [My Vulnerability Management] menu.
(2) After reviewing the vulnerability report, the asset owner needs to click on the [Please Confirm
Acknowledgment of the Vulnerability] button at the top or bottom of the vulnerability report page. Upon
clicking, the vulnerability status will change from "New Notification" to "In Remediation". If the "Please
Confirm Acknowledgment of the Vulnerability" button is not clicked, the vulnerability status will remain as
"New Notification". The platform will send new vulnerability reminder emails to the relevant personnel every
business day at 9:30 a.m.
(3) After remediating the vulnerability, the asset owner can open the [In Remediation] vulnerability report
in [My Vulnerability Management] and then click on the [Apply for Retesting] button to access the
application for the retesting page. After filling in the remediation method, the asset owner can submit the
retesting application. The platform will automatically send a vulnerability retesting request email to the
security personnel, and the vulnerability status will change to [Retesting in Progress]. If the asset owner
is aware of the vulnerability but decides not to remediate it, they need to submit the "Vulnerability Risk
Acceptance" process on the review platform. After the information security officer agrees to not remediate
the vulnerability, the vulnerability remediation process is concluded.
(4) After receiving the retesting notification email, the security personnel retest the vulnerability. Once
the retesting is completed, they can click on the [Submit Retesting Results] button on the platform to
access the retesting result submission page. After the security personnel have completed the retesting, the
platform will automatically send an email to inform the asset owner whether the vulnerability remediation
has been verified. If it is verified, the vulnerability status will change to [Completed]. If it is not
verified, the vulnerability status will change to [In Remediation]. The asset owner can continue with the
remediation process and apply for retesting again.
5. [Vulnerability Closed]
The enterprises confirm vulnerability remediation completion and close the vulnerability.
Vulnerability remediation process is complete.
DECLARATIONS:
To submit a GREESRC vulnerability, white hats must accept the Butian User Service Agreement and observe the
White Hat Code of Conduct. Without the manufacturer's permission, it is strictly prohibited to publicly
disclose any vulnerabilities submitted to GREESRC (including ignored vulnerabilities). Violators will have
their awarded rewards deducted and shall be subject to legal consequences depending on the severity of the
situation.