Security Incident
Reporting Policy
Since security is of critical importance to us and to our customers, we at Vimar are committed to ensuring the safety and security of our products and services. Vimar supports coordinated vulnerability disclosure and encourages responsible vulnerability testing, we take any reports of potential security vulnerabilities seriously.
Please follow these steps to report a potential security vulnerability.
Reporting Procedure
- Please use our PGP public key (download) to encrypt any e-mail submissions to us at security-report-on-iot@vimar.com
- Provide your reference/advisory number and sufficient contact information, such as;
a. Your contact information;
b. Name of the person who found the vulnerability;
c. Date when the vulnerability was detected and details about how it was discovered.
d. Use the English language. - Include a technical description of the concern or vulnerability. Provide as much information you can on the product or service, like version number, and configuration of the setup used (i.e. tools). If you wrote specific proof-of-concept or exploit code, please provide a copy. Please ensure all submitted code is clearly marked as such and is encrypted with our PGP key (download);
- If you have identified specific threats related to the vulnerability, assessed the risk, or have seen the vulnerability being exploited, please provide that information.
Download | Size | Date | |
---|---|---|---|
PGP public key | 1.97 K | 15/06/2021 |
Report Assessment and Action
- Vimar will:
a. Acknowledge receiving your report within 14 business days;
b. Provide you with a unique tracking number for your report;
c. Assign a contact person to each submitted case;
d. Notify the interested internal technical teams. - Vimar will keep you informed on the status of your report.
- If the vulnerability is actually in a third party component or service which is part of our product/service, we will refer the report to that third party and advise you of that notification. To that end, please inform us in your email whether it is permissible in such cases to provide your contact information to the third party.
- Upon receiving a vulnerability report, Vimar will;
a. Verify the reported vulnerability;
b. Work on a resolution;
c. Perform QA/validation testing on the resolution;
d. Release the resolution;
e. Share lessons learned with development teams. - Vimar will use existing customer notification processes to manage the release of patches or security fixes, which may include without limitation and at Vimar’s sole discretion direct customer notification or public release of an advisory notification on our website.
Important
- Refrain from including sensitive personal information in any screen shots or other attachments you provide to us.
- Do not perform any vulnerability testing on applications, products or services that are actively in use. Vulnerability testing should only be performed on devices or applications, products or services not currently in use or not intended for use.
- For web based applications, products or services, please use demo/test environments to perform vulnerability testing.
- Do not take advantage of the vulnerability or problem you have discovered; for example, by downloading more data than necessary to demonstrate the vulnerability or deleting or modifying any data. Try to not to delete or use data belonging to other users.
- As part of responsible co-ordination of vulnerability disclosure, we encourage you to work with Vimar on selecting public release dates for information on discovered vulnerabilities.
- In the effort to find vulnerabilities, actions must not be disproportionate, such as, including without limitations:
a. Using social engineering to gain access or information;
b. Installing or building backdoors in an information application, product or service with the intention of then using it to demonstrate the vulnerability;
c. Utilizing a vulnerability further than what is necessary to establish its existence.
d. Making changes to the application, product or service;
e. Repeatedly gaining access to the application, product or service or sharing access with others;
f. Using brute force attacks to gain access to the application, product or service. This is not a vulnerability in the strict sense, but rather repeatedly trying out passwords. - Vimar will provide full credit to researchers who make a vulnerability report or perform testing, in publicly released patch or security fix release information, if requested.
Notice
If you share any information with Vimar in the context of responsible disclosure, you are agreeing that the information you submit will be considered as non-proprietary and non-confidential. Vimar is allowed to use shared information, or part of it, without any restriction. You agree that submitting information does not create any rights for you or any obligation for Vimar. Personal data are processed by Vimar based on the web site Product and App privacy policy.