Overview
This Vulnerability Disclosure Policy (VDP) defines the process for reporting, handling, and disclosing security vulnerabilities affecting Vestel Electronics Inc. products and services.
Vestel Electronics Inc. considers security and privacy as critical aspects of its products and end-to-end IoT ecosystem, including Smart TVs, white goods, Electric Vehicle Chargers (EVCs), mobile applications, backend services, and cloud components.
Vestel encourages security researchers and reporters to responsibly disclose potential vulnerabilities. Information provided through this VDP is used as part of Vestel’s vulnerability handling and incident response processes to assess, remediate, and disclose security issues in a controlled and coordinated manner.
CVE Numbering Authority (CNA) Status
Vestel Electronics Inc. is a CVE Numbering Authority (CNA) authorized by the CVE Program to assign CVE identifiers for vulnerabilities affecting Vestel products and services.
As a CNA, Vestel manages the identification, analysis, tracking, and coordinated disclosure of vulnerabilities in accordance with CVE Program rules, industry best practices, and applicable regulatory requirements.
CVE Assignment Scope
Vestel assigns CVE IDs only for vulnerabilities that affect the following Vestel-developed and maintained products and services:
- Vestel Smart TVs
- Vestel white goods and smart home appliances
- Vestel Electric Vehicle Chargers (EVCs)
- Vestel-developed end-to-end IoT ecosystem components, including:
  - Backend and cloud services
  - Official mobile applications
Vestel does not assign CVE IDs for:
- Third-party products or services not developed or maintained by Vestel
- Vulnerabilities affecting third-party components unless the issue is directly related to Vestel’s integration and maintenance responsibility
Scope
This Vulnerability Disclosure Policy applies to:
- Vestel IoT devices, including Smart TVs, white goods, smart home appliances, and EVCs
- End-to-end IoT solutions, including backend systems, cloud services, and mobile applications operated by Vestel
Guidelines for Reporters
Reporters are expected to comply with the following guidelines when identifying and reporting vulnerabilities:
- If a vulnerability or exposure of sensitive data (e.g., personally identifiable information or financial data) is discovered, testing must stop immediately, and the Vestel IoT Security Team must be notified.
- If personal data is identified, reporters must specify the type of data involved but must not include actual personal data in the report.
- Reporters must make every effort to avoid:
  - Privacy violations
  - Service degradation or disruption
  - Impact to production systems
  - Destruction or manipulation of data
- Exploitation activities must be limited strictly to what is necessary to confirm the presence of a vulnerability. Reporters must not:
  - Exfiltrate data
  - Establish persistent access
  - Pivot to other systems
- Reporters are requested to avoid submitting high-volume, low-quality
- Encrypted emails are not supported at this
When possible, reports should include:
- Affected product type, model, and version
- Detailed description of the vulnerability
- Information regarding any potential data exposure
- Setup details and reproduction steps
- Network traces (if available)
- Public references if the issue is already known
Vulnerability Handling and CVE Lifecycle
Reported vulnerabilities are handled according to the following process:
- Receipt and acknowledgment of the vulnerability report
- Initial triage and validation by Vestel PSIRT
- Impact and severity assessment (e.g., CVSS v3.1 or v4.0)
- CVE ID assignment when applicable
- Development and validation of remediation or mitigation measures
- Coordinated Vulnerability Disclosure (CVD) with the reporter
- Public disclosure via security advisories, release notes, and/or relevant vulnerability databases
Coordinated Vulnerability Disclosure
Vestel follows a Coordinated Vulnerability Disclosure (CVD) approach.
Public disclosure of vulnerabilities is coordinated with the reporter and typically occurs after a fix or mitigation is available, unless exceptional circumstances require otherwise. Reporters are expected not to publicly disclose vulnerabilities prior to coordinated disclosure.
Security Advisories and Public Disclosure
Once a vulnerability is resolved or mitigated, Vestel may publish a security advisory including the assigned CVE ID through:
- Official Vestel security advisory channels
- Product release notes
- Relevant vulnerability databases (e.g., NVD)
What Reporters Can Expect from Vestel
Vestel commits to:
- Acknowledge vulnerability reports within seven (7) business days
- Provide status updates at least every 90 days until the issue is resolved or disclosed
- Maintain open and transparent communication with reporters who provide contact information
- Confirm the existence of reported vulnerabilities where possible and communicate remediation progress, including any factors that may affect resolution timelines