Cybersecurity Maintenance Commitment and Scope of Application
Our company is committed to establishing and maintaining a comprehensive product cybersecurity policy in accordance with the IEC 62443 series of standards, ensuring that all devices receive continuous security support and vulnerability remediation throughout their entire lifecycle. This policy covers security update management, vulnerability response, and risk notification procedures. It also aligns with regulatory requirements such as the EU Cyber Resilience Act (CRA) and Radio Equipment Directive Delegated Act (RED-DA), as well as international cybersecurity frameworks including NIST, to strengthen cybersecurity governance.
The policy emphasizes transparency and accountability, ensuring that customers are kept informed of product security status in a timely manner, thereby enhancing overall resilience and trust.
This policy applies to all company products and firmware versions, covering update frequency, vulnerability disclosure and response, End-of-Support (EOS) announcements, and third-party software component security management. Whether products are deployed in connected or air-gapped environments, necessary security updates and information support are provided.
To effectively address cybersecurity incidents, the company has established a Product Security Incident Response Team (PSIRT), responsible for incident investigation and response. This ensures that product security incidents are handled promptly and communicated transparently. A comprehensive product security incident management process has also been implemented to identify, assess, and respond to product-related cybersecurity events.
Organization and Roles & Responsibilities
To effectively manage product security incidents, the company has established a Product Security Incident Response Team (PSIRT) with clearly defined roles and responsibilities as follows:
Product Security Officer (PSO): Responsible for cybersecurity strategy decisions, initiation of incident notifications, and external communications.
R&D Department (RD): Responsible for vulnerability remediation design and software/firmware updates.
Quality Assurance (QA): Responsible for security testing and validation of remediation measures.
Project Manager (PM): Coordinates internal and external resources to ensure smooth communication.
Technical Support (Support): Assists customers and partners with inquiries and manages public announcements.
Update Types and Frequency
Routine Security Updates:
Security updates are released on a regular basis every 6 to 12 months. These updates include vulnerability remediation, security enhancements, and compatibility improvements to ensure long-term protection.
Emergency Patch Mechanism:
When a high-severity vulnerability (CVSS ≥ 7.0) is identified, a rapid response procedure will be initiated. The target is to provide a deployable patch within 30 days.
Update Access Methods:
- Official website download center
- Self-service platform (supports version applicability checks and access to technical documentation)
- Technical support services (including manual update assistance for customers operating in air-gapped environments)
Patch Delivery Timeline by Severity Level
| Risk Level | Early Notification | Detailed Report | Final Announcement | Description |
|---|---|---|---|---|
| Critical | T+24h | T+72h | Patch within 30 days | Critical risk or actively exploited incident |
| High | T+48h | T+7 days | Patch within 45 days | High risk requiring public notice and prompt remediation |
| Medium | No separate notice | No separate notice | Patch within 90 days | Moderate risk, included in scheduled release updates |
| Low | No separate notice | No separate notice | Patch within 90 days or next release | Low risk or informational issue |
*Note: T refers to the time of incident confirmation. If the incident involves third-party components, T = 0 is defined as the time of the upstream supplier’s public announcement.
*In special circumstances (e.g., technical constraints or external component dependencies), the case will be documented and communicated in accordance with the risk assessment process to ensure transparency.
Investigation and Classification Process
All reported information will undergo an initial assessment within 10 working days to determine:
1. Whether the issue applies to products supported by the company
2. Whether the issue can be reproduced and verified
3. Whether the issue constitutes a cybersecurity risk and is exploitable
If the information provided is insufficient, a request for additional details will be issued. Cases will be documented and closed under the following circumstances:
- The issue has already been resolved or is a duplicate report
- The issue affects only unsupported versions
- The issue is not cybersecurity-related or presents no practical exploitation risk
*The point at which the initial confirmation is completed and a formal incident record is established shall be defined as T (time of incident confirmation). All subsequent timelines (e.g., early notification, detailed report, final announcement) will be calculated from T.
Long-Term Commitment to Cybersecurity Maintenance
We recognize that cybersecurity is not a one-time effort, but an ongoing responsibility that requires continuous collaboration with our customers. Therefore, we solemnly commit to the following:
- All security updates will include clear version records and full traceability. Public announcements and release notes will be made available for customer reference.
- All cybersecurity advisories and End-of-Support (EOS) notifications will be published transparently on our official website to assist customers in proactively planning upgrade and replacement strategies.
- For products in operation, if any potential vulnerabilities or risks are identified, we will conduct evaluation and remediation within a reasonable timeframe in accordance with standard procedures, and provide necessary mitigation recommendations and corrective measures.
- Throughout the product support lifecycle, we guarantee the continuous provision of security updates, vulnerability remediation, and technical consultation services to ensure ongoing compliance and protection.