Vulnerability Disclosure Policy

At Danby, cybersecurity is of utmost importance to us. Thank you for your interest in the security of our digital offerings, applications, and cloud services. We value the contributions of the security community in helping us maintain a secure environment. This Vulnerability Disclosure Policy outlines the process for reporting security vulnerabilities in our systems.

Scope

This policy applies to all digital offerings, applications, and cloud services provided by Danby. If you discover a potential security vulnerability, we encourage you to report it to us following the guidelines outlined in this policy.

Reporting a Vulnerability

If you believe you have discovered a security vulnerability, please report it to our support team at consumerservice@danby.com.

To help us triage the report, please also provide as much of the following information as you can:

  • Name of the affected product or service
  • Model and/or serial number
  • Proof-of-concept details, if any
  • Description of the steps needed to reproduce the issue
  • Public references, if there are any
  • A video or screenshot demonstrating the vulnerability

Response Time

We will respond to your submission within 72 hours (counted Monday to Friday, 9am to 5pm EST). The time needed to fully address the vulnerability depends on its risk level and complexity.

Vulnerability Classification

Critical:

  1. Vulnerabilities that give an attacker remote, direct access to system privileges (on servers, clients, or smart devices), including but not limited to arbitrary code execution, arbitrary command execution, and the upload and execution of Trojan horses.

  2. Mobile apps: remote code execution vulnerabilities.

  3. Devices: vulnerabilities causing a permanent denial of service on the device (the device can no longer be used: it is permanently damaged, or the entire system must be reflashed), where the attack is launched remotely, requires no physical contact with the device, and can be repeated quickly at scale.

High Risk:

  1. Vulnerabilities that directly disclose sensitive information from production servers, including but not limited to disclosure of core system source code, disclosure of user account or payment information, or download of sensitive server log files.

  2. Vulnerabilities that disrupt the normal operation of online services, such as application-layer denial of service.

  3. Logic design defects in the system that allow unauthorized operations, such as unauthorized access to sensitive information.

Medium Risk:

  1. General information disclosure, including but not limited to plaintext storage of passwords in the mobile client, download of source-code archives containing sensitive server or database information, etc.

  2. Logic design defects in the system, such as bypassing product shipping charges, payment vulnerabilities, etc.

Low Risk:

  1. Vulnerabilities that can be used for phishing attacks, including but not limited to open URL redirection.

  2. Logic design defects of the system.

  3. Minor information disclosure vulnerabilities, including but not limited to path disclosure, exposed .git directories, and server-side business log contents.

Ignored Problems:

  1. Bugs unrelated to security, including but not limited to slow page loading and broken page styling.

  2. Reports too sparse to be reproduced from their content, including vulnerabilities that still cannot be reproduced after repeated communication with the vulnerability reviewer.

  3. Products, apps, or modules that are no longer under maintenance.

  4. Vulnerabilities in general protocols such as Wi-Fi, MQTT, BLE, and Zigbee.

Vulnerability processing timeline

Type           Time for Confirmation   Time for Processing
Critical       Within 48 hours         Within 72 hours
High Risk      Within 3 days           Within 1 week
Medium Risk    Within 7 days           Within 2 weeks
Low Risk       Within 14 days          Within 1 month
Ignored        Within 1 month          Within 6 months

Vulnerability processing

  1. Solution Planning: Technicians carefully plan how to address the vulnerability, aiming to eliminate it entirely, mitigate the impact of potential exploitation, or minimize exposure.

  2. Patch Generation and Implementation: Technicians create patches, fix programs, and update software, as well as adjust documentation or configurations, to rectify the identified vulnerability.

  3. Patch Strategy Testing: Technicians thoroughly test the fix to ensure that the vulnerability is effectively addressed on all supported platforms.

Security Support Timeline

Software and security updates are provided for a product for 5 years after its release.

Repaired Vulnerability History

Affected Software    Affected Version(s)    Patched Version
(none)