Danfoss Coordinated Vulnerability Disclosure Policy

This policy provides a comprehensive overview of the vulnerability disclosure process, including the scope, reporting, analysis, handling, and disclosure of vulnerabilities. To ensure a smooth experience, we highly recommend reading this policy in its entirety before reporting any vulnerabilities.

Scope

This vulnerability disclosure policy applies to any potential vulnerability in any Danfoss product or service, regardless of its lifecycle status.

Out of Scope

We do not accept the reporting of the following vulnerabilities:

  • Vulnerabilities in products or services that Danfoss has licensed or transferred to a third party
  • Security incidents or attacks
  • Technical support requests

Process

At Danfoss, we follow a four-step process for handling and disclosing vulnerabilities.

The steps include: 1) Reporting, 2) Analysis, 3) Handling, and 4) Disclosure.

1. Reporting

We encourage you to report any potential vulnerabilities in Danfoss products and services within the defined scope. Please submit your report via the Report a vulnerability form.

While Danfoss accepts anonymous reports, please note that if you choose to remain anonymous, we will be unable to communicate with you during the vulnerability disclosure process.

2. Analysis

Danfoss will thoroughly investigate and attempt to reproduce the reported vulnerability, following our internal procedures. We will keep you informed of our progress and may request additional information during this process.

Once the vulnerability is confirmed, we will conduct a risk assessment to determine its severity level and evaluate potential impacts and consequences.

3. Handling

In case the vulnerability is confirmed, Danfoss will proceed to define a remediation plan. The implementation of this plan will be prioritized based on the severity level and the evaluated impacts and consequences from the previous analysis.

Please note that for end-of-life products and services that are no longer supported, Danfoss may only provide recommendations as we cannot offer remediations.

4. Disclosure

After resolving the reported vulnerability, Danfoss will publish a Security Advisory.

4.1 Danfoss product vulnerability disclosure case

Danfoss follows a careful process when addressing vulnerabilities in our products and services. We strive to maintain a balance between transparency and allowing customers sufficient time to apply necessary fixes. As a result, the publication of advisories may be delayed to minimize potential customer impacts.

4.2 Acknowledgement

Danfoss acknowledges all individuals, organizations or companies who, on their own initiative, have reported one or more vulnerabilities associated with our products and services and helped us mitigate them.

If you have opted in and provided explicit consent, we will acknowledge your contribution by publishing your name in the Danfoss Hall of Thanks.

Please note that vulnerabilities previously published or those classified as "informational" will not be eligible for inclusion on our acknowledgment page.

Legal Notice

During the process, you are expected to comply with the following requirements:

  • Comply with the relevant laws and regulations.
  • Do not exploit or take advantage of the vulnerability more than strictly necessary.
  • Conduct product testing without any adverse impact on customers and individuals, or obtain their explicit consent beforehand.
  • Do not disrupt any Danfoss service.
  • Do not use high-intensity methods and invasive scanning tools.
  • Take measures to prevent any negative impact on the safety or privacy of individuals.
  • Do not access unnecessary, excessive, or significant amounts of data.
  • Do not modify data in Danfoss’ systems or services.
  • Securely delete all data retrieved as part of your vulnerability research as soon as it is no longer required.
  • Perform coordinated disclosure by not publicly disclosing the vulnerability before the expiration of a mutually agreed timeline.

Danfoss reserves the right to take legal action in case of non-compliance.

History

Ver.1 (25-06-2024): Publication