Report Vulnerability
Introduction
This Vulnerability Disclosure Policy (VDP) defines the activities for anyone to find and report
vulnerabilities in IoT solutions, including cloud services, mobile applications, smart home appliances,
Smart TVs and EVCs, in a legally authorized manner. Consumers can be any persons of any age or
affiliation located anywhere in the world. This policy is effective as of May 27, 2024.
Overview
This policy is the "act of initially providing vulnerability information to a party that was not found to
be previously aware." The individual or organization that performs this act is called the reporter.
We, as Vestel Electronics Inc., take security and privacy issues and vulnerabilities seriously. To
improve the security level of our end2end IoT solutions, including mobile apps, back-end
solutions and IoT devices such as home appliances, Smart TVs and EVCs (Electric Vehicle Chargers), we
welcome feedback and reports from reporters. Information about potential vulnerabilities reported to
us, together with the VDP and the incident response plan, will be used in actions to mitigate or
remediate vulnerabilities in the IoT solutions.
Scope
All IoT devices, including smart home appliances, Smart TVs and EVCs, and the related end2end IoT solutions,
including back-end systems and mobile applications, are covered within the scope of the VDP.
Guidelines
Under the VDP, reporters are required to act as follows:
- When a vulnerability is discovered or sensitive data such as personally identifiable information (PII)
or financial information is identified, the reporter stops testing and notifies the Vestel IoT Security Team.
- When personal data is discovered, the reporter specifies the type of PII in the report. No specific
PII is given in the reported vulnerability. Please send the information and reports by email to
psirt@vestel.com.tr.
- Reporters shall report potential vulnerabilities identified in the end2end IoT Solutions and IoT
devices via e-mail: psirt@vestel.com.tr.
- Reporters make every effort to avoid privacy violations, degradation of user experience, disruption
to production systems, and destruction or manipulation of data.
- Reporters must only use exploits to the extent necessary to confirm a vulnerability's presence.
Reporters must not use an exploit to compromise or exfiltrate data, establish persistent command
line access, or use the exploit to pivot to other systems.
- If reporters want to submit reports, we ask them not to submit high-volume, low-quality
reports. Reporters may not send encrypted emails at this time.
- We kindly request that reporters specify the following information when reporting a vulnerability, if
possible:
  - Affected product type, model and version.
  - Detailed description of the vulnerability.
  - Information about a data breach, if any.
  - Setup and reproduction steps.
  - Network traces (if available).
  - Public references to the vulnerability, if it is a known issue.
What Reporters Should Expect from Us
We commit to coordinating with reporters who share their contact information as openly and as quickly as
possible.
- We will acknowledge that a report has been received within seven (7) business days.
- Updates on the status of the vulnerability will be provided within 90 days until the issue is
resolved.
- The timeline is only valid for the connected products specified in the scope.
- We will, to the best of our ability, confirm the existence of the vulnerability to the reporter and
be as transparent as possible about what steps are being taken during the remediation process,
including any issues or challenges that may delay resolution.
- We will maintain an open dialogue to discuss issues.