Vulnerability Disclosure Policy

At Danby, cybersecurity is of utmost importance to us. Thank you in your interest in the security of our digital offerings, applications and cloud services. We value the contributions of the security community in helping us maintain a secure environment. This Vulnerability Disclosure Policy outlines the process for reporting security vulnerabilities in our systems.

Scope

This policy applies to all digital offerings, applications, and cloud services provided by Danby. If you discover a potential security vulnerability, we encourage you to report it to us following the guidelines outlined in this policy.

Reporting a Vulnerability

If you believe you have discovered a security vulnerability, please report it our support team at consumerservice@danby.com

To better support us, please also provide some of the additional information below

Name of affected product or service
Model and/or serial number
Any Proof of Concept step details
Description of the steps to reproduce the issue
Public references if there are any
A video or screenshot of vulnerability

Response Time

We will respond within 72 hours (Monday to Friday, 9am to 5pm EST) to the vulnerability you submit. The actual response time to the vulnerability may change depending on risk level and complexity of the vulnerability.

Vulnerability Classification

Critical:

Vulnerabilities of remote direct access to system permissions (server permissions, client permissions, intelligent devices), including but not limited to arbitrary code execution, arbitrary command execution, and uploading and adoption of Trojan horses.
Mobile terminal: vulnerabilities of remote code execution.
Device terminal: vulnerabilities causing a permanent denial of service on the device, including but not limited to permanent denial of service attack (the device can no longer be used: it is completely permanently damaged, or the entire system needs to be rewritten) initiated remotely by the system device, that physical contact with the device is not allowed during an attack, and that the attack needs to be replicated in batches quickly

High Risk:

Vulnerabilities directly leading to the disclosure of sensitive information of the online server, including but not limited to disclosure of source code of the core system, disclosure of information related to user account payment or the downloading of sensitive log files of the server.
Vulnerabilities that affect the normal operation of online services, such as denial of service of the application layer.
Logical design defects in the system, which can lead to unauthorized operation, such as unauthorized access to sensitive information.

Medium Risk:

General information disclosure, including but not limited to plaintext storage password of mobile client end, download of source code compressed package containing sensitive information of server or database, etc.
Logic design defects of the system, such as bypassing commodity postage, payment vulnerabilities, etc.

Low Risk:

Vulnerabilities that can be exploited for phishing attacks, including but not limited to URL redirection vulnerabilities.
Logic design defects of the system.
Minor information disclosure vulnerabilities, including but not limited to path disclosure, .git file disclosure, and business log content of the service side.

Ignored Problems:

Bug problems unrelated to security, including but not limited to slow opening of web pages and disordered styles.
The report submitted is too simple to be reproduced according to the report content, including but not limited to the vulnerabilities that cannot be reproduced through repeated communication with the vulnerability reviewer.
Products, APPs or modules not under maintenance
Vulnerabilities of general protocols such as WIFI, MQTT, BLE, and Zigbee

Vulnerability processing timeline

Type	Time for Confirmation	Time for Processing
Critical	Within 48 hours	Within 72 hours
High Risk	Within 3 days	Within 1 week
Medium Risk	Within 7 days	Within 2 weeks
Low Risk	Within 14 days	Within 1 month
Ignored	Within 1 month	Within 6 months

Vulnerability processing

Solution Planning: Technicians need to carefully strategize how to address vulnerabilities, aiming to either eliminate them entirely, mitigate the impact of potential exploitation, or minimize exposure.
Patch Generation and Implementation: Technicians are tasked with creating patches, fixing programs, and updating software, as well as adjusting documentation or configurations to rectify identified vulnerabilities.
Patch Strategy Testing: Technicians must conduct thorough testing of fix strategies, ensuring that all vulnerability issues across supported platforms are effectively addressed.

Security Support Timeline

Software and security updates are provided for the product for 5 years after product release.

Repaired Vulnerability History

Affected Software	Affected Version(s)	Patched Version
(none)

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.