Obtain the latest software update from GREE:

Download the link for the latest app version: http://global.ewpeinfo.com/GreePlusInternational/

Please update your application promptly, as this is one of the most crucial steps in maintaining the security of GREE products.

1. Vulnerabilities that can directly access core system privileges (server/client permissions), including but not limited to uploading Web Shells, arbitrary code execution, remote command execution, SQL injection to access core system privileges, etc.;

2. Critical information leakage vulnerabilities in the core system, including but not limited to SQL injection in core DB, extensive sensitive user identity information leakage (at least 3 sensitive fields: name/ID card, bank card information, phone number/email, passwords, address), internal core data leakage of enterprises, etc.;

3. Critical defects in the logical design or process of the core system, including but not limited to payment vulnerabilities allowing bulk modification of any account passwords, arbitrary account fund consumption, arbitrary amount modification, etc.;

1. Vulnerabilities that can directly access important business system privileges (server/client permissions), including but not limited to arbitrary command execution, uploading Web Shells, arbitrary code execution, SQL injection to access core system privileges, etc.;

2. Vulnerabilities directly leading to the leakage of important information, including but not limited to SQL injection vulnerabilities in important DBs; leakage of extensive important business source codes; and SSRF vulnerabilities that enable access to internal networks and access sensitive information.

1. Vulnerabilities requiring interaction to access user identity information, including but not limited to stored XSS vulnerabilities in core and important systems; and CSRF for sensitive operations (payment, account information, etc.);

2. Arbitrary file operation vulnerabilities, including but not limited to arbitrary file reading, writing, deletion, uploading, downloading, etc.;

3. Ordinary unauthorized access, including but not limited to bypassing restrictions to modify user profiles, perform user operations, read user information; and bypassing restrictions to access non-core business system backends;

1. Reflective XSS; and non-critical system stored XSS;

2. Limited-harm unauthorized operations (e.g., unauthorized emptying/adding to cart);

3. Minor information leakage, including but not limited to Phpinfo; non-core system SVN information leakage; non-important information leakage (e.g., unusable DB connection passwords); and local SQL injection in client applications;

4. Vulnerabilities that are difficult to exploit but pose security risks, including but not limited to difficult-to-exploit SQL injection points; local denial of service in clients; and vulnerabilities under specific conditions or environments (e.g., SMS, email bomb, URL redirection);

1. Vulnerabilities not related to security issues, including but not limited to defects in website product functionality, garbled pages, mixed styles, URL skip at login, etc.

2. Vulnerabilities that cannot be exploited, replicated, or result in actual harm.

3. Other issues that have no impact on GREE's business.

Other issues not categorized within specific types will be comprehensively evaluated based on their actual harm and CVSS.

GREESRC Vulnerability Remediation Process is as follows:

Vulnerability Remediation Platform: https://www.butian.net/Company/1100

Remediation Process:

（(1) The asset owner receives a vulnerability notification email and simply needs to click on the vulnerability link in the email to be redirected to the vulnerability detail page for review. If not registered, after registering an account, the asset owner can review the number of vulnerabilities and detailed reports corresponding to the vulnerability status in the [My Vulnerability Management] menu.

(2) After reviewing the vulnerability report, the asset owner needs to click on the [Please Confirm Acknowledgment of the Vulnerability] button at the top or bottom of the vulnerability report page. Upon clicking, the vulnerability status will change from "New Notification" to "In Remediation". If the "Please Confirm Acknowledgment of the Vulnerability" button is not clicked, the vulnerability status will remain as "New Notification". The platform will send new vulnerability reminder emails to the relevant personnel every business day at 9:30 a.m.

(3) After remediating the vulnerability, the asset owner can open the [In Remediation] vulnerability report in [My Vulnerability Management] and then click on the [Apply for Retesting] button to access the application for the retesting page. After filling in the remediation method, the asset owner can submit the retesting application. The platform will automatically send a vulnerability retesting request email to the security personnel, and the vulnerability status will change to [Retesting in Progress]. If the asset owner is aware of the vulnerability but decides not to remediate it, they need to submit the "Vulnerability Risk Acceptance" process on the review platform. After the information security officer agrees to not remediate the vulnerability, the vulnerability remediation process is concluded.

The enterprises confirm vulnerability remediation completion and close the vulnerability. Vulnerability remediation process is complete.

DECLARATIONS:

To submit a GREESRC vulnerability, white hats must accept the Butian User Service Agreement and observe the White Hat Code of Conduct. Without the manufacturer's permission, it is strictly prohibited to publicly disclose any vulnerabilities submitted to GREESRC (including ignored vulnerabilities). Violators will have their awarded rewards deducted and shall be subject to legal consequences depending on the severity of the situation.