Vulnerability Disclosure Policy

1. Introduction

ELAN is dedicated to ensuring the safety and security of our products. If a vulnerability is found, we collaborate with our OEM partners to resolve it and subsequently release updates. The following outlines the procedure for submitting reports to ELAN concerning potential security vulnerabilities in our products and our protocols for notifying customers and other affected entities about validated vulnerabilities.

2. Reporting Potential Vulnerabilities to ELAN

If you have identified a potential security vulnerability in any of our products, contact the ELAN Product Security Incident Response Team (PSIRT) via email at PSIRT@emc.com.tw. Your report will be reviewed, and a relevant team member will reach out to you if needed. We aim to analyze the vulnerability within 5 business days and provide a preliminary response within 10 business days.

All information submitted to ELAN shall strictly comply with the related data protection regulations. Please ensure that your report does not contain any data violating the privacy of any users. ELAN disclaims any liability for such personal data submitted without our request or consent.

PSIRT@emc.com.tw is exclusively designated for reports related to potential security vulnerabilities in ELAN’s products. Commercial solicitations or technical support requests will not be accepted at this address.

3. Security Advisories

Any security advisories related to our products will be posted on our website, www.emc.com.tw, in the Related Assets table of the relevant product page under the Products heading (e.g. https://www.emc.com.tw/emc/en/Product/Solution/TouchpadSolutions).

We typically issue advisories when a workaround or fix has been coordinated with our OEM customers for a specific vulnerability. In cases where a third party, such as a security researcher, informs us of a potential vulnerability, we may investigate further and choose to publish a coordinated disclosure with such third party. If a report is received under a confidentiality agreement, we will still collaborate with our OEMs to release a security fix but may provide limited information about the vulnerability.

ELAN aims to address vulnerabilities within 90 days after they are reported. Additional time may be requested, particularly in cases impacting multiple OEMs or third parties requiring a coordinated response.

4. Severity & Impact

ELAN adheres to industry-standard practices for measuring and reporting the potential impact of vulnerabilities, following the current version of the Common Vulnerability Scoring System (CVSS).

Our advisories typically list known ELAN products affected by the vulnerability, along with the appropriate path for obtaining a fix or workaround. While we strive to list all affected versions, variations in product versions shipped by OEM partners may result in ELAN being unaware of the complete list. Please reach out to PSIRT@emc.com.tw if needed.

5. Acknowledgement

When applicable, and with their permission, ELAN will publicly acknowledge the researcher or finder of the vulnerability and express gratitude for their efforts in enhancing our products.
