ASUS Product Security Advisory

Vulnerability Disclosure Policy

Responsible reporting guidelines:

ASUS appreciates all contributions from customers and the wider ASUS community that help to improve the security of our products and services. However, we kindly request that you act responsibly and bear in mind the following when investigating or reporting any issues:

1. Do not attempt to access or modify any ASUS services, systems, products or software without authorization.
2. Do not disclose, or modify, destroy or misuse any data you may discover.
3. All information given to or received from any party relating to the reported issues must remain completely confidential.
4. Please do not engage in DoS attacks or any destructive testing that may affect the confidentiality, integrity or availability of information and systems.
5. Refrain from participating in social engineering or phishing activities targeting customers or employees.
6. Requests for compensation regarding the time and resources spent verifying vulnerabilities, or for discovered vulnerabilities, will not be considered.

Excluded Submission Types

We always prioritize security and encourage researchers to submit all potential security issues. Each report will be carefully reviewed. However, the following vulnerabilities (including but not limited to) have a very low impact on the system or user security. ASUS will handle and respond to submissions at its discretion based on the circumstances.

• Outdated software versions that contain known vulnerabilities in libraries (e.g., jQuery), leading to low-impact security risks
• Inadequate rate limiting or the absence of CAPTCHA verification mechanisms
• Missing or incomplete SPF, DMARC, or DKIM records
• Cookies not properly configured with HTTPOnly or Secure flags
• Vulnerabilities that only affect outdated or unpatched browsers, extensions, and other non-ASUS software
• Automated tool reports based solely on tool-generated findings, without further analysis of the vulnerabilities
• Exposure of publicly accessible files or directories (e.g., robots.txt)
• Low-risk issues related to clickjacking or UI elements (e.g., problems that are only exploitable through clickjacking)
• Displaying stack traces on error pages instead of generic error messages
• Disclosure of technology or component information (e.g., PHP,ASP.NET usage)
• Account or email enumeration with no significant impact on the security of ASUS services or products
• Absence of non-mandatory security headers, where the lack does not lead to an exploitable vulnerability
• Insufficient HTTP security settings, where the specific impact (such as data leakage or functionality abuse) cannot be demonstrated
• Low-risk CSRF issues (e.g., login, logout, or minor unauthenticated cross-site request forgery vulnerabilities)

How to report a security vulnerability or issue to ASUS

We welcome all reports related to security incidents concerning ASUS. We invite you to contact us about such matters through our dedicated web form: https://www.asus.com/securityadvisory. By submitting a vulnerability report, you acknowledge and accept ASUS's vulnerability submission policy.

To help us address your concerns quickly, please ensure you provide the following information on the website.

1. Your full name and a means of contacting you. This can be an email address or any other preferred method we can use to get in touch with you.
2. Full and detailed information about the issue you wish to report. This should include the following information, as applicable:
   • The name of the ASUS service(s) or system(s) that your concern relates to.
   • The name, description and version number of any affected ASUS software products.
   • A full and detailed description of the problem or issue, along with any background information that you believe is relevant, and any other pertinent information that may help us reproduce and/or resolve the issue. Finding Vulnerabilities (Problems) Step-by-Step Instructions for Reproducing the Vulnerability Technical Description of the Vulnerability (Including Proof of Concept, if possible) Potential Impact of the Vulnerability Any Other Information That Can Help Us Reproduce and Resolve the Issue
   • Methods for discovering vulnerabilities or issues
   • Detailed steps for reproducing the vulnerability
   • Technical description of the vulnerability (if possible, including proof of concept)
   • Potential impact of the vulnerability
   • Any additional information that could help us reproduce and resolve the issue

We encourage you to use encrypted communication to protect the confidentiality of your information. You can encrypt your report using the PGP public key provided below:

PGP Public Key

Valid until: 2026/12/31
Fingerprint: C8B21E285434E2AEF0EB379596CE3D754D52D350
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQGNBGkeyOwBDADkP+eiqJL9CUIyRsNcZpehWe8lFWKSB3EOw2PJtNJIesruVlCy
rIkVGWALJBujjf6BOSTD46zphJHhlsk3SXT1kvYX4t50RseaR2CbpCItmOnynAzt
K5PuRIILh2eTktOXRJw5HdMFFITpdMbia+OdE7UmVT2zzxuAYsgwLoatfVA0TFAL
xmveS3XHnLQI64naz7ya1dF4HNScwpWXc9FGvJm7z31cd+RgalUnWcMSZj+5SE0p
HW/JIwvqXpYVREuTa7rWMJpIxNxehVAJ1B7MYgtOjk8Wje8Ja5cVLnZtN5pSwqbe
Pm1qg5j/RL2uiXLyFHGlkV1kWNfY7+f6QVf4bVbdJ3aFy3hXIlJ0Lg3j93btlOx/
sIeKqgjO5IJvNy5bfBpWgpHhWyskGUmPD61peH85G2xTR6zDdA4w15e0BSOvDFtd
tSdqqcnOVKoTAttfHbMKBFctoWClTqVnY+kZPhhQ1WwRbyBPkXT9Fk8F7dcu5NL5
qGg4E5T7BpYMiE0AEQEAAbQhQVNVU19TZWN1cml0eSA8c2VjdXJpdHlAYXN1cy5j
b20+iQHXBBMBCABBFiEEyLIeKFQ04q7w6zeVls49dU1S01AFAmkeyOwCGwMFCQIX
ClQFCwkIBwICIgIGFQoJCAsCBBYCAwECHgcCF4AACgkQls49dU1S01CL+gv/TrZ+
PSiaiVcaHe6x5qQ9OSrRt4s7KkF6PkvNWfoWplHajLLrViXJMXW0Tl/CVm9KFqcP
iwWi2zIepXTam+MvwQA2oNsHycOgacIsChFb86RfBNKrl41rT9wk9mutVvzYfawH
jTEVFtFMMS/x7ONcG2cEMPK4YD6Kb7zf7AppeFUaFMfdOr38n7/63WoNUDbscIXj
HlCFrW0If+OH2oks5sGvAm4ndIb/RwmvxCfz0BiEg65oh4MHop+81pNEgZcMG29C
aCcP5d/d/pcfd13XA5rpYRR25tHtFbpUjr/NIMDe8FHlIZfFPhEmUiI1hPR1RheF
o3mD83cEgISYuOw2LBZeTlBzW9rwNx0gnEoNgOfzDEPqorviRc2HioZY1tH3tBlx
5WDDfb+dWymSSGBuhu8R/YifHxA7LhJipVMUDCfQ+n+K1yje5qLnk1gFv5LfQsIL
LnIH9VXpBp+mGRKHwY6iDRdXbq7pTh+pJD0WJMVx6cxNi3HzUz6o9TIphXrZuQGN
BGkeyOwBDACyUJu6Wnk11a6kfKrBYu4W70Nmm3+09FytRN7Iucin/BRlLF75u971
gACeL4ye4SJBNplMx/CBvdWfWrt5ldG5TPyfXEXdKsP6ycKNeFdkOcDpfyu8OXEB
eZlJIcCDAvIb/sk+xIl27CDXD4izFrQ60uH3QPk2h35eDtU4m1MLi6HvQFFRZ2FE
Qwsgsp/aIFFSDxWGRZOScMyRBPbenX5w5zgCMoLC0evtoRZfepWoHgpxPBumudNL
6np6/NzYEBz+lWABoCUFlwCjF0m4qJJMxTjY7bE8arWcKm1BnuCdgc/qHMtiQwdu
+a3gE3+WC5RYEszJj0wqCk8X+/ycdfhHmzf5AOB2l5Y5ZWwmiHDJWj8pJ7gktVrh
nRBLUR+wDf+qRU/jj0CqNq3WKRXAnmuOjN3bYEzssQspQrJCvwc/rhrDS783Gn+z
AuoYGOGIcfPenDA79C13m88SdFsx9UzciEQxFBpmouSKPeajibwEeU4sr8TIgraV
bWBeVpHUvCUAEQEAAYkBvAQYAQgAJhYhBMiyHihUNOKu8Os3lZbOPXVNUtNQBQJp
HsjsAhsMBQkCFwpUAAoJEJbOPXVNUtNQ6a4L/0yeFGKEGSXQ5UH7w6UUe8gJbVCm
C7GK6fgWp4NnDmpvIkwuITU8zR3kUSyu+3PPs6BVm6PEtT+uRhmv+8sOWdqy/qwf
wePA3rJUfVKsvGtQo4gg57tmpZofPGj3c1OwXVyAFvPeJscRl6c4gPHyrDCc9IV4
BiNSf2bE4e9sdYpi34vWJm1I4E5oATrrzjGxMGKwkhuSADvBic5iM1ieCoN/m0Z3
ge+9donO/XeyYDc2q2lS5UXspwHHUewjK7OG5gmCyO+6CSKC7CS9jY7bxLmN9Oo4
8UXu8rSR2iJfrNdHzCNE2IEYO+ziXnumOAXywcNiLUxzlVDDF1Y3h2kajmdiRsY8
CakmAaEXZzX1O9z8FYr0BZ9nmgbhsA1qKNxEtpO/nn+GPBrXYTTLXq6Lab334OCE
DujjylL+a26zIxDQNzfH5xvr9435PH+pAGXBz1I/RXtmb4nedoyhP5iBfN639l91
KZGyjirS6+aP9R0OrCqXwupFIXh0W+yua75W0w==
=YwpG
-----END PGP PUBLIC KEY BLOCK-----
        

What happens next?

Once we have resolved the reported issue(s), we will provide a suitable solution to all affected customers. We will treat this with the utmost priority and make the solution available as soon as it practical to do so.

ASUS will also maintain a list of the latest software updates, along with descriptions of the issues that have been fixed. Although we will notify customers wherever possible, we also recommend that customers visit this page regularly to make sure they are aware of the latest updates.