Vulnerability Disclosure Policy

1. Introduction

SMEG’s product approach is to combine high technological standards with attractive design to make the household appliance more enjoyable to use.

Guaranteeing the absolute reliability of our household appliances is one of SMEG's main commitments, as evidenced by constant and rigorous control tests throughout the production process.

As a manufacturer of high quality and durable products, SMEG is therefore concerned about the security of users' information and welcomes the contributions of external security researchers to improving the security of our connectable products and their related mobile applications.

This policy sets out the framework SMEG follows for the responsible disclosure of security vulnerabilities and its guidelines for handling reports of security vulnerabilities.

SMEG reserves the right to modify and update its Vulnerability Disclosure Policy as necessary to further ensure transparency and clarity in our dealings with external security researchers. The latest published version of this Vulnerability Disclosure Policy therefore applies.

We recommend reading this Vulnerability Disclosure Policy fully before you report a vulnerability and always acting in compliance with it. 

We value those who take the time and effort to report security vulnerabilities according to this policy. However, we do not offer monetary rewards for vulnerability disclosures.
 

2. Scope


This policy applies to all connectable products, including their components, which are developed, manufactured and marketed by SMEG, as well as to all their related mobile applications.

For a list of our products covered by this policy, please refer to the following page: SMEG's connectable appliances and mobile applications.

On the same page, you will find the support period for each product code, which is the minimum length of time for which security updates will be provided. The possible expiration of the support period for a given product does not affect its operation: the product remains generally updateable, but we cannot guarantee updates for any security vulnerabilities found.

On the Vulnerability Bulletin, we publish notices of vulnerabilities that have been discovered, either through SMEG's normal testing activities, or through vulnerability reports received via the dedicated online form, which are then verified and fixed by SMEG's laboratories.

 

3. How to Report a Security Vulnerability

If you believe you have found a security vulnerability in one of SMEG's connectable products or mobile applications, or if you have a security incident to report, please share your findings and remarks by filling in the web form available at the following link: vulnerability report.

In order to speed up the reporting process, your message should include all the details of the security issue requested by the fields of the web form. More precisely, in your report please include details of:

  • Title: a brief summary to help us categorize the reported vulnerability;
  • Product Type: select the type of product the vulnerability relates to (e.g. oven, wine cooler, dishwasher, etc.);
  • Product Code: to identify the product code, see how-to-find-productcode-and-serialnumber;
  • Description: a brief description of the reported vulnerability and possible mitigations or recommendations;
  • Steps to Reproduce: provide clear and descriptive steps to reproduce the vulnerability and test code if available;
  • Impact: the impact if the reported vulnerability were exploited;
  • Weakness: if you prefer, you can refer to the CWE (Common Weakness Enumeration) portal;
  • Severity: low, medium, high or critical, according to the CVSS (Common Vulnerability Scoring System) calculation method;
  • Product Serial Number: to identify the Product Serial Number, see how-to-find-productcode-and-serialnumber;
  • Product Serial Index: to identify the Product Serial Index, see how-to-find-productcode-and-serialnumber;
  • Supporting Files: e.g. screenshots or video;
  • Name, Surname and Contact E-mail.

The form also allows you to provide your first name, last name and email address. This information is not mandatory for submitting the vulnerability report, but it is required for us to notify you that your report has been taken into account, to send you updates on the report, and to request further details about the reported vulnerability.

 

4. What to Expect

After confirming the submission of your vulnerability report, you will receive a confirmation message with a protocol number. This protocol number is the unique identifier which will be used to identify all subsequent SMEG updates relating to your vulnerability report.

Once a protocol number has been assigned to the vulnerability report, it will be recorded by our systems.

Priority for remediation is assessed by looking at the impact, severity and exploit complexity. Vulnerability reports might take some time to triage or address. 

If you have provided us with your contact details, we will aim to keep you informed of our progress on the submitted security report; otherwise, you are welcome to enquire about the status, but should avoid doing so more than once every 14 days. This allows our teams to focus on the remediation.

If you have provided us with your contact details, we will notify you when the reported vulnerability is remediated, and you may be invited to confirm that the solution covers the vulnerability adequately. 

The SMEG Product Security Team will send all communications from the [email protected] address, which you can consider the reference address both for general information and for enquiring about the status of a submitted report.

Once your vulnerability has been resolved, we welcome requests to disclose your report. We’d like to unify guidance to affected users, so please do continue to coordinate public release with us.
 

5. Best Practices in Vulnerability Reporting

In order to facilitate the handling of vulnerability reports, we provide below some best practices that we encourage you to follow when reporting vulnerabilities.

We invite you not to:

  • Break any applicable law or regulations;
  • Access unnecessary, excessive or significant amounts of data;
  • Modify data in SMEG's systems or services;
  • Use high-intensity invasive or destructive scanning tools to find vulnerabilities; 
  • Attempt or report any form of denial of service, e.g. overwhelming a service with a high volume of requests; 
  • Disrupt SMEG's services or systems;
  • Submit reports detailing non-exploitable vulnerabilities, or reports indicating that the services do not fully align with “best practice”, for example missing security headers; 
  • Communicate any vulnerabilities or associated details other than by the means described in this Vulnerability Disclosure Policy and the published security.txt;
  • Social engineer, ‘phish’ or physically attack SMEG's staff or infrastructure;
  • Demand financial compensation in order to disclose any vulnerabilities. 

We invite you to: 

  • Always comply with data protection rules and not violate the privacy of SMEG’s users, staff, contractors, services or systems. You must not, for example, share, redistribute or fail to properly secure data retrieved from the systems or services;
  • Securely delete all data retrieved during your research as soon as it is no longer required or within 1 (one) month of the vulnerability being resolved, whichever occurs first (or as otherwise required by data protection law).

 

6. Legalities

This policy is designed to be compatible with common vulnerability disclosure good practice. It does not give you permission to act in any manner that is inconsistent with the law, or which might cause SMEG or partner organizations to be in breach of any legal obligations.