Dahua PSIRT

Security Technologies

The Dahua Product Security Incident Response Team (Dahua PSIRT) is responsible for receiving, handling and publicly disclosing security vulnerabilities related to Dahua products and solutions. It is the only outlet through which the company discloses vulnerability information about its products and solutions. As a member of the international CVE Numbering Authorities (CNAs), Dahua PSIRT implements a complete vulnerability management process in compliance with ISO/IEC 30111 and ISO/IEC 29147, and follows industry best practices to fix discovered vulnerabilities in a timely manner.

Security Advisories

Security Notices

Report a vulnerability

We encourage users, partners, suppliers, security organizations and independent researchers to actively report to Dahua PSIRT by email any security risks or vulnerabilities related to Dahua products and solutions. Due to the sensitivity of vulnerability information, we recommend that you use our PGP public key (Key ID: 0xC6068E4B; PGP Fingerprint: 61769A82F67E062CA46C19A6DEA2F8C6068E4B) and send the report to psirt@dahuatech.com.

Within two working days after receiving the report, Dahua PSIRT will confirm receipt of the vulnerability report and begin evaluating the issue. Within seven working days after receiving the report, Dahua PSIRT will address the issue and provide a conclusion. For some complicated issues, Dahua will promptly inform the reporter of the handling progress based on the situation and communicate with the reporter.

To facilitate timely verification and location of vulnerabilities, the content of the email should include the following:

1. Description of potential security risks/vulnerabilities
2. Technical details (e.g. system configuration, positioning method, description/screenshot of exploit, sample captured images, POC, steps to reproduce problems, etc.)
3. Product name, model and software/firmware version where the security risks/vulnerabilities are located
4. Possible vulnerability disclosure plan

How we deal with vulnerabilities

Dahua PSIRT will strictly control the scope of vulnerability information and limit it to only the relevant personnel who deal with vulnerabilities. At the same time, the vulnerability reporter is also required to keep the vulnerability confidential until it is publicly disclosed.

Dahua PSIRT discloses security vulnerabilities in the following two forms:

1. SA (Security Advisory): for the release of information about security vulnerabilities related to Dahua products and solutions, including but not limited to vulnerability descriptions, fixes, etc.
2. SN (Security Notice): for the responses to security topics related to Dahua products and solutions, including but not limited to vulnerabilities and security incidents.

Dahua PSIRT adopts the CVSSv3 standard and gives a Base Score and a Temporal Score in each security vulnerability assessment. Customers can also calculate their own Environmental Score according to their needs.
For the CVSSv3 specification, visit this link: https://www.first.org/cvss/specification-document

Our responses to vulnerabilities

Receive

Receive and collect suspected security vulnerabilities of products

Verify

Coordinate with relevant teams to conduct vulnerability verification and risk rating

Repair

Analyze the cause of vulnerability and implement the vulnerability repair

Disclose

Actively disclose vulnerability information and release fixed firmware

Improve

Improve vulnerability scanning capability and transform to product security requirements