Report Vulnerability

Introduction

This Vulnerability Disclosure Policy (VDP) defines the activities for security researchers to find and report vulnerabilities in IoT solutions including cloud services, mobile application and smart home appliances, Smart TVs and EVCs in a legally authorized manner. Security researchers can be any persons of any age or affiliation located anywhere in the World. This policy is effective as ofJan 3, 2024.

Overview

This policy is the "act of initially providing vulnerability information to a party that was not found to be previously aware." The individual or organization that performs this act is called the reporter or security researcher.

We, as Vestel Electronics Inc., consider security and privacy issues/vulnerabilities seriously and to improve/enhance the security level of our end2end IoT Solutions including mobile apps, back-end solutions and IoT devices such as home appliances, Smart TVs and EVCs. We gladly wait for feedback/report from security researches. If an information about potential vulnerabilities is reported to us, the VDP and incident response plan will be used in mitigate or remediate actions for the IoT solution related vulnerabilities.

Scope

All IoT devices including smart home appliances, Smart TVs, EVCs and related end2end IoT solutions including back-end systems, mobile applications are covered within the scope of the VDP.

Also, a researcher determines a vulnerability which includes any sensitive data (including personally identifiable information, financial information, or the proprietary information or trade secrets of any party), they must stop testing, notify relevant e-mail address immediately through our vulnerability submission process, and not disclose this data to anyone else. If a researcher engages in any activities that are inconsistent with this procedure or other applicable law, the researcher may be subject to criminal and/or civil liabilities.

Guidelines

Under the VDP, researchers should take the activities required that:

If a vulnerability is discovered or sensitive data such as personally identifiable information (PII), financial information is identified,the security researcher should stop testing and notify Vestel.
When personal data is discovered, the security researcher specifies the type of PII in the report.Any spesific PII should not be given in the reported vulnerability. Please send an email topsirt@vestel.com.trthe information and reports
Security researchers shall report potential vulnerabilities identified in the end2end IoT Solutions and IoT devices via e-mail:psirt@vestel.com.tr. For reports submitted in compliance with this policy, the team will acknowledge receipt within five (5) business days.
Security researchers make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
Security researchers must only use exploits to the extent necessary to confirm a vulnerability's presence. Security researchers must not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.
Security researchers should not submit a high volume of low-quality reports.
Security researchers may not send encrypted emails at this time.
Security researchers provide us a reasonable amount of time (90 calendar days) to resolve the issue before disclosing it publicly.

A vulnerability report shall include the following information:

Affected product type, model, version.
Detailed description of the vulnerability.
Information about data breach if any.
Setup and reproduction steps.
Network traces (if available).
Public references of vulnerability if it is known issue.

In addition, we count the following activities as strictly prohibited or out of scope, and thus not rewardable:

Social Engineering attacks
Clickjacking on pages without any authentication and/or sensitive state changes
Content spoofing
HTTP Header related test results
DoS/DDoS
Results of automated vulnerability / scanning tools
Brute forcing

Provider	Cookie name	Description	Duration of storage
Vestel Germany	cookie_consent	This cookie is used by us to save your cookie settings.	6 months
Vestel Germany	cookie_consent_permissions	This cookie is used by us to save your cookie settings.	6 months
Vestel Germany	vestel_visual_solutions_session	This cookie is used by the PHP scripting language to enable session variables to be stored on our web server.	End of session
Vestel Germany	XSRF-TOKEN	Is a protection against the cross-site request forgery (CSRF). More information: https://en.wikipedia.org/wiki/Cross-site_request_forgery	End of session

Provider	Cookie name	Description	Duration of storage
Google	_ga	This cookie is used by Google to distinguish you from other users.	2 years
Google	_gid	This cookie is used by Google to distinguish you from other users and to generate statistical data about your user behaviour.	1 day
Google	_gat	This cookie is used by Google to limit the percentage of requests to the Google Analytics servers.	1 minute
Google	AMP_TOKEN	This cookie is used by Google to retrieve a Client ID from AMP Client ID service through a token.	30 second to 1 year
Google	_gac_	This cookie is used by Google and contains campaign related information for the user.	90 days
Google	__utma	This cookie is used by Google to distinguish users and sessions.	2 years
Google	__utmt	This cookie is used by Google to limit the percentage of requests to the Google Analytics servers.	10 minutes
Google	__utmb	This cookie is used by Google to determine new sessions/visits.	30 minutes
Google	__utmc	This cookie is used by Google to track your user behaviour and to measure the performance of our website.	End of session
Google	__utmz	This cookie is used by Google to store the traffic source or campaign that explains how your reached our website.	6 months
Google	__utmv	This cookie is used by Google to store visitor-level custom variable data. This cookie is updated every time data is sent to Google Analytics.	2 years
Google	__utmx	This cookie is used by Google to determine your inclusion in a test	18 months
Google	__utmxx	This cookie is used by Google to determine the expiry of tests you have been included in.	18 months
Google	_gaexp	This cookie is used by Google to determine your inclusion in a test and the length of the test you have been included in.	Depends on the length of the test, but typically 90 days

Provider	Cookie name	Description	Duration of storage
Google	_opt_awcid	This cookie is used by Google to map campaigns to Google Ads Customer IDs.	24 hours
Google	_opt_awmid	This cookie is used by Google to map campaigns to Google Ads Campaign IDs.	24 hours
Google	_opt_awgid	This cookie is used by Google to map campaigns to Google Ads Group IDs.	24 hours
Google	_opt_awkid	This cookie is used by Google to map campaigns to Google Ads Criterion IDs.	24 hours
Google	_opt_utmc	This cookie is used by Googles to store the last utm_campaign query parameter.	24 hours