Vulnerability Disclosure Policy
At Danby, cybersecurity is of utmost importance to us. Thank you in your interest in the security of our digital offerings, applications and cloud services. We value the contributions of the security community in helping us maintain a secure environment. This Vulnerability Disclosure Policy outlines the process for reporting security vulnerabilities in our systems.
Scope
This policy applies to all digital offerings, applications, and cloud services provided by Danby. If you discover a potential security vulnerability, we encourage you to report it to us following the guidelines outlined in this policy.
Reporting a Vulnerability
If you believe you have discovered a security vulnerability, please report it our support team at consumerservice@danby.com
To better support us, please also provide some of the additional information below
- Name of affected product or service
- Model and/or serial number
- Any Proof of Concept step details
- Description of the steps to reproduce the issue
- Public references if there are any
- A video or screenshot of vulnerability
Response Time
We will respond within 72 hours (Monday to Friday, 9am to 5pm EST) to the vulnerability you submit. The actual response time to the vulnerability may change depending on risk level and complexity of the vulnerability.
Vulnerability Classification
Critical:
- Vulnerabilities of remote direct access to system permissions (server permissions, client permissions, intelligent devices), including but not limited to arbitrary code execution, arbitrary command execution, and uploading and adoption of Trojan horses.
- Mobile terminal: vulnerabilities of remote code execution.
- Device terminal: vulnerabilities causing a permanent denial of service on the device, including but not limited to permanent denial of service attack (the device can no longer be used: it is completely permanently damaged, or the entire system needs to be rewritten) initiated remotely by the system device, that physical contact with the device is not allowed during an attack, and that the attack needs to be replicated in batches quickly
High Risk:
- Vulnerabilities directly leading to the disclosure of sensitive information of the online server, including but not limited to disclosure of source code of the core system, disclosure of information related to user account payment or the downloading of sensitive log files of the server.
- Vulnerabilities that affect the normal operation of online services, such as denial of service of the application layer.
- Logical design defects in the system, which can lead to unauthorized operation, such as unauthorized access to sensitive information.
Medium Risk:
- General information disclosure, including but not limited to plaintext storage password of mobile client end, download of source code compressed package containing sensitive information of server or database, etc.
- Logic design defects of the system, such as bypassing commodity postage, payment vulnerabilities, etc.
Low Risk:
- Vulnerabilities that can be exploited for phishing attacks, including but not limited to URL redirection vulnerabilities.
- Logic design defects of the system.
- Minor information disclosure vulnerabilities, including but not limited to path disclosure, .git file disclosure, and business log content of the service side.
Ignored Problems:
- Bug problems unrelated to security, including but not limited to slow opening of web pages and disordered styles.
- The report submitted is too simple to be reproduced according to the report content, including but not limited to the vulnerabilities that cannot be reproduced through repeated communication with the vulnerability reviewer.
- Products, APPs or modules not under maintenance
- Vulnerabilities of general protocols such as WIFI, MQTT, BLE, and Zigbee
Vulnerability processing timeline
Type | Time for Confirmation | Time for Processing |
---|---|---|
Critical | Within 48 hours | Within 72 hours |
High Risk | Within 3 days | Within 1 week |
Medium Risk | Within 7 days | Within 2 weeks |
Low Risk | Within 14 days | Within 1 month |
Ignored | Within 1 month | Within 6 months |
Vulnerability processing
- Solution Planning: Technicians need to carefully strategize how to address vulnerabilities, aiming to either eliminate them entirely, mitigate the impact of potential exploitation, or minimize exposure.
- Patch Generation and Implementation: Technicians are tasked with creating patches, fixing programs, and updating software, as well as adjusting documentation or configurations to rectify identified vulnerabilities.
- Patch Strategy Testing: Technicians must conduct thorough testing of fix strategies, ensuring that all vulnerability issues across supported platforms are effectively addressed.
Security Support Timeline
Software and security updates are provided for the product for 5 years after product release.
Repaired Vulnerability History
Affected Software | Affected Version(s) | Patched Version |
---|---|---|
(none) |