Hithium is committed to establishing a robust product cybersecurity vulnerability response system in accordance with international standards such as IEC 62443.This systematic process provides our customers with reliable assurance and works to minimize cybersecurity risks effectively.To efficiently address product cybersecurity vulnerabilities, Hithium has established a dedicated Product Security Incident Response Team (PSIRT). This team is responsible for responding to product security incidents and managing both known and potential vulnerabilities. Through transparent vulnerability disclosure procedures, the PSIRT promotes efficient and trusted industrial cybersecurity practices.
Hithium's Product Cybersecurity Vulnerability Management Program
Hithium's vulnerability management program is aligned with the IEC 62443-4-1 standard and follows the process outlined below:
n Receive and Acknowledge Cybersecurity Information: Upon receiving externally submitted cybersecurity information, the PSIRT will contact the submitter within two business days to confirm the issue.
n Incident Assessment and Impact Analysis: The PSIRT will categorize the submitted cybersecurity information, assess the incident, and conduct an impact analysis to preliminarily determine whether emergency response should be initiated.
n Vulnerability Analysis and Research: The PSIRT will work with the product development team to evaluate the root cause and likelihood of the vulnerability, assess its severity, define its risk level, and explore solutions to mitigate risks or remediate the vulnerability. During this stage, the PSIRT will maintain active communication with the reporter.
n Vulnerability Handling: The PSIRT will collaborate with the product development team to develop software/firmware patches or determine appropriate risk mitigation measures. At the same time, the PSIRT will continue to monitor related information to ensure accurate evaluation of the vulnerability’s severity. If the vulnerability is high-risk and patch development requires significant time, emergency mitigation measures will be provided to customers prior to the completion of the final remediation.
n Vulnerability Disclosure: Once the vulnerability has been remediated, the PSIRT will publish the resolution results on Hithium’s official website under the “Cybersecurity Notice” section. The notice will include: a description of the vulnerability, potentially affected products and versions, mitigation measures, and the remediation plan.
The Hithium PSIRT team, in collaboration with the R&D team, analyzes and assesses vulnerabilities based on the Common Vulnerability Scoring System (CVSS) and other criteria defined in our Cybersecurity Vulnerability Management Program, such as likelihood and impact. Based on this assessment, a risk score is assigned, and a remediation timeframe is established according to the vulnerability's risk level. Throughout the remediation process, the PSIRT maintains communication with the vulnerability reporter as needed to support analysis, discuss solutions, and gather feedback.
For the latest information on product cybersecurity, please visit the“Cybersecurity Notice”page. Given the specific characteristics and critical safety requirements of energy storage products, software/firmware updates must not be performed by users independently. To obtain and install vulnerability patches and updates, please contact our After-Sales Service Engineers for assistance.
Reporting Product Cybersecurity Vulnerability
If you have discovered a potential cybersecurity vulnerability in a Hithium product, please report it to us immediately via encrypted email at the address below.
Providing the following information will help us facilitate a prompt and effective response.
1.Product model and software/firmware version
2.Vulnerability reproduction environment and steps (with logs or screenshots)
3.Proof-of-concept code (if applicable)
4.Description of the vulnerability exploitation scenario
5.Network packet capture data (e.g., Wireshark records)
6.Other relevant technical details
Hithium Cybersecurity Contact Email:IACS-CyberSecurity@Hithium.com
Disclaimer
Hithium reserves the right to modify this vulnerability management policy at any time. The most current version will always be made available on our official website (http://www.hithium.com). Hithium does not guarantee a response to every vulnerability report.By utilizing this document or any related links, you acknowledge that you shall assume all associated risks.
