Cybersecurity Institute's 'Vulnerability Hunting' Helps Manufacturers Identify Potential Risks, Enhancing MIT Competitiveness

Central News Agency (Reporter Chao Min-ya, Taipei, April 27) Under the guidance of the Ministry of Digital Affairs' Cybersecurity Administration, the Cybersecurity Institute (CSRC) organized its first product cybersecurity vulnerability hunting event. A total of 11 major domestic information and communication technology (ICT) manufacturers gathered, testing 20 sets of products. The CSRC announced today that 20 valid vulnerabilities were ultimately confirmed, including 3 critical and 6 high-risk vulnerabilities. The CSRC held a press conference to report on the achievements of its first vulnerability hunting activity. Tsai Fu-lung, Director-General of the Cybersecurity Administration, pointed out that with the successive implementation of international regulations such as the EU Cyber Resilience Act, strengthening Taiwan's product security and establishing supply chain trust has become crucial. The first vulnerability hunting event by the CSRC yielded fruitful results, and a second edition will be organized to encourage companies to pay more attention to product cybersecurity, and to provide government agencies and enterprises with a very secure environment when adopting cybersecurity products. The CSRC explained that the event brought together 11 leading domestic ICT manufacturers and 179 local cybersecurity researchers, who tested 20 sets of products including network communication equipment, network storage equipment, and industrial network communication devices. A total of 20 valid vulnerabilities were confirmed, including 3 critical-level and 6 high-risk vulnerabilities. The CSRC noted that among the valid vulnerabilities found in this event, some components could lead to arbitrary file access due to weak passwords, while others posed command injection risks due to inadequate parameter input format checking. The CSRC stated that among the 179 researchers, 25 successfully submitted vulnerability reports. Through testing from the perspective of actual attackers, manufacturers were able to grasp potential problems before product launch, addressing risks that might otherwise have been exposed after launch. Currently, some manufacturers have cooperated to apply for 6 Common Vulnerabilities and Exposures (CVE) numbers, and the CSRC will continue to track follow-up situations. The CSRC indicated that all participating blue team manufacturers expressed high willingness to participate in subsequent activities, and red team researchers also affirmed the overall operation of this event, suggesting that clearer disclosure of test targets and evaluation standards in the future would further enhance the effectiveness of vulnerability discovery. The CSRC stated that it plans to hold the second vulnerability hunting event in September, focusing on software supply chain security verification. It will prioritize verifying commonly used software by government agencies, selecting those with higher utilization rates or involving high-risk scenarios. Through public-private cooperation, this aims to strengthen the competitiveness of MIT products, transforming 'Made in Taiwan' into 'Make It Trusted.' (Editor: Wan Shu-chang) 1150427