Product Cybersecurity Vulnerability Management Policy

(A) Introduction

Delta committed to provides robust product cybersecurity issue response process, to ensure swift response to potential vulnerability. We continuously strive to provide reliable guidance and solution (mitigation) to minimize the risk in our product. Therefore, Delta has established Product Cybersecurity Issue Response Team, which will be responsible for addressing product cybersecurity issue and potential vulnerability in Delta’s products.

Delta Product Cybersecurity Issue Response Team (Delta PSIRT) will refer to the regulation and standard that are widely accepted and recognized internationally, to ensure the best process and response are used to address the potential cybersecurity issue. Through this policy, it will ensure that Delta colleagues have a clear and consistent handling of cybersecurity issue, and understand how to respond to event of this nature.

(B) Scope of Application

Product Cybersecurity Management Policy is applicable to all Delta product and all submitted cybersecurity issue report. For non-standard, or customized product, the handling process should comply with the agreement (contract).

(C) How to Report a Cybersecurity Vulnerability

If you have identified a potential cybersecurity vulnerability with our products, please submit product cybersecurity vulnerability reports via the Report Vulnerability site. Your report will be reviewed, and the relevant personnel will contact you (if required). PSIRT will not proceed further if submitted vulnerability information is not complete, inaccurate, repeated, or spurious reports.

When reporting a potential vulnerability, we ask that you include as much of the below information as possible to help us better understand the nature and scope of the reported issue:

● Product Type
● Product Name
● Software / Firmware version
● Vulnerability Description
● Steps to Reproduce
● Common Weakness Enumeration (CWE) ID
● Common Vulnerabilities and Exposures (CVE) ID
● CVSS Score
● CVSS Vector String

(D) Product Cybersecurity Vulnerability Management Process

Delta’s product cybersecurity vulnerability management process involves the five stages, as listed below:

● Acknowledge Receipt of a Report:Delta PSIRT receives an external vulnerability report regarding a Delta product, we usually respond to incoming reports within two business days.
● Triage and Analysis: Delta PSIRT triages and analyzes the potential cybersecurity vulnerability and initial assessments its impact on Delta products.
● Investigation: Delta PSIRT collaborates closely with the product development team to identify the root cause of the vulnerability and further assessments its impact on Delta products.
● Mitigation: Delta PSIRT collaborates closely with the product development team to develop the software/firmware patches or the mitigation measures.
● Disclosure: Delta PSIRT will publish the results of the product cybersecurity vulnerability on the Product Cybersecurity Advisory section of Delta website.

(E) Rate the Severity and Impact of Vulnerabilities

Delta PSIRT and product development team leverages the Common Vulnerability Scoring System (CVSS) to assess the potential risks of a vulnerability issue.

CVSS is a numerical a method used to supply a qualitative measure of severity, and considers several factors, including the level of effort required to exploit a vulnerability as well as the potential impact should the vulnerability be exploited.

After analyzing the vulnerability issue, Delta will summarize the assessed impact of a vulnerability by way of a numeric score, vector string, and qualitative severity ratings (i.e., one of Critical, High, Medium, Low), as per the scale provided below:

Severity CVSS 3.X Score
Critical 9.0 – 10
High 7.0 – 8.9
Medium 4.0 – 6.9
Low 0 – 3.9
(F) Disclaimer

All aspects of this Product Cybersecurity Management Policy are subject to change without notice. We do not guarantee to respond to specific issues or categories of issues. Your use of the information contained in this document or materials linked herein is at your own risk.