Under this policy, vulnerability research denotes activities wherein security researchers:
This policy encompasses all vulnerabilities within Devialet's interconnected products, platforms, and controlling mobile applications, including those in firmware, mobile applications, and cloud services.
Services not explicitly listed above, such as any connected services, are beyond the scope and are not sanctioned for testing by Devialet. Furthermore, vulnerabilities detected in systems from our providers lie outside the purview of this policy and should be directly reported to the respective provider in accordance with their disclosure policy (if any). Should uncertainty persist regarding a system’s inclusion in scope, please contact us. Security researchers should refer to the external vulnerability disclosure policies of any third-party interconnected service to ascertain the authorized testing scope of said services.
We advocate for the responsible disclosure of vulnerabilities to Devialet. Reports may be submitted anonymously. Vulnerabilities can be reported through this with the subject line “Vulnerability Report”.
Reports should encompass comprehensive information. The following details will aid in expediting the evaluation process:
Upon reporting a vulnerability, external parties can anticipate acknowledgment of their report within five business days. We will provide regular updates on the status of reports every 2-3 weeks throughout the resolution process, including notification upon successful remediation of the vulnerability. We will assign a severity level to the vulnerability and prioritize it based on the potential risk to our clientele’s data and privacy.
Although we do not currently operate a bug bounty program for external security researchers, we are grateful for contributions that help us improve our security.
We are committed to safeguarding individuals who report vulnerabilities in good faith. Legal action will not be pursued against individuals adhering to this policy. We will maintain the confidentiality of the reporter’s identity unless the reporter explicitly requests acknowledgement or disclosure is otherwise mandated by law.
Last Updated: 15 April 2024