The Support Period and Vulnerability Reporting are important to ensure the safety of consumers and businesses in UK. The Support Period outlines the duration of security support for any products and the Vulnerability Reporting allows the consumers to report any identified vulnerability.
Reporting Product Security Vulnerabilities
Thermowatt takes security very seriously and investigates all vulnerability reports.
Whenever you have identified a vulnerability or any other security issue related to a Thermowatt connected product, don’t hesitate to contact us.
Why should you report a vulnerability?
If you believe you have identified a potential vulnerability or security incident related to a Thermowatt connected product, please proceed and choose the appropriate way to contact us.
Thermowatt encourages responsible disclosure of vulnerabilities with a view to the longer-term benefits they bring in terms of fixed vulnerabilities, betterinformed customers, and continuous improvement of our security.
What to do
In case of a vulnerability or an incident in Thermowatt connected products, send us an e-mail to vulnerability.products@thermowatt.com.
- The person who made the report will receive an email acknowledging receipt and acknowledgement of the security issue report within one month. Please follow up on the communication if you need it.
- Status updates will be sent thereafter until the reported security issues are resolved.
How to share information
For product vulnerabilities, please report the following information in the communication.
a. Model number;
b. Part number;
c. Firmware version (if available).
- Description of the vulnerability
a. Type of vulnerability;
b. Requirements to reproduce the issue (prerequisites);
c. Information necessary to reproduce the issue (environmental conditions);
d. Estimated impact of the vulnerability;
e. Proof of concept code, exploit code (if any orapplicable), network traces, other resources demonstrating the vulnerability or how-to exploit the vulnerability (replicability).
Note: If a large amount of data needs to be submitted, please get in touch with us, and we’ll arrange the proper way to exchange information.
- Public references (if any):
Please indicate if the vulnerability has already been publicly disclosed and by whom (provide us the reference).
Our Security and Privacy Guidelines
- Responsible Reporting: Focus solely on demonstrating the vulnerability without exploiting it or causing harm.
- Systems and Data: Do not cause disruptions, data loss, or privacy violations.
- Respect User Privacy: Use any discovered personal data exclusively to resolve vulnerabilities and protect other users.
- Maintain Confidentiality: Allow Thermowatt a reasonable timeframe to address the vulnerability before disclosure to submitter unless otherwise mutually agreed upon.
- Avoid Intrusive Actions: Refrain from placing backdoors, directly modifying systems, using denial-of-service attacks, brute force, or aggressive scanning.
- Social Engineering: Do not attempt to manipulate Thermowatt employees or contractors for access or information.
- Report Significant Vulnerabilities: Focus on verifiable vulnerabilities that pose a risk. General configuration issues like TLS cyphers, email spam, volumetric attacks, missing web security headers or “best practices” alone are not considered unless they are part of an exploitable condition.
What We Promise
- Prompt Response: We will acknowledge valid vulnerability reports within 30 business days and provide an estimated timeline for resolution.
- Responsible Collaboration: We value your security findings. We will not pursue legal action related to your responsible disclosure if you follow our guidelines.
- Respect Your Privacy: Remember that reporting can be done totally anonymously, we do not need any personal data of the reporter.
- Transparency: We’ll keep you updated on the progress of fixing the vulnerability.
- Focus on Security: While we DO NOT offer a bug bounty program, we greatly appreciate your help strengthening our security posture.
Additional Considerations before submitting any information
- Language: Please submit reports in English (we will discard non-English communication).
- Confidentiality: We maintain strict confidentiality around vulnerabilities until they are resolved.
- Acknowledgement: While we won’t publicly name reporters, we may acknowledge responsible disclosures internally or in product patch notes (with your permission).
- Secure Communication: We strongly recommend S/MIME encryption in your initial email communication.
SUPPORT PERIOD detailes