VULNERABILITY DISCOVERY AND DISCLOSURE
Vulnerability discovery and disclosure policy
Version 1.4 – October 2023
Introduction
Sylvania considers the safety, privacy and security of its customers to be one of its top priorities. We design and make products and services with the best quality and reliability possible. Despite our efforts to implement the best possible security measures, vulnerabilities may still be present in our products and services.
This document describes Sylvania’s policy for receiving reports related to potential security vulnerabilities in its products and services, the company’s procedures for handling a report, and the company’s standard practice with regard to informing customers of verified vulnerabilities.
Everyone is encouraged to report identified vulnerabilities, regardless of the type of service or product. Researchers, partners, customers or any other source are welcome to report any vulnerabilities found.
Scope
This policy applies to the following systems and services:
- sylvania-group.com
- https://comnet.sylvania-lighting.com
- SylSmart Energy (energy.sylvania-lighting.com)
- SylSmart Home mobile application
- SylSmart Standalone mobile application
- SylSmart Connected mobile application and web application (https://connected.sylvania-lighting.com/)
- SylSmart Connected Pro (https://connectedpro.sylvania-lighting.com)
- Solution Sylvania mobile application
- SylSmart City web application (city.sylvania-lighting.com / city.sylvania-latam.com)
- SylSmart City mobile application
Note for researchers: Any service not expressly listed above is excluded from scope and is not authorised for testing.
Guidelines
We request that you:
- Notify Feilo Sylvania first and as soon as possible after you have discovered a real or potential security issue
- Make every effort to avoid privacy violations, degradation of system performance, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
- Only use exploits to the extent necessary to confirm a vulnerability’s presence.
- Do not use an exploit to compromise or extract data, establish command line access and/or persistence, or use the exploit to “pivot” to other systems.
- Once you’ve established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.
- Give Feilo Sylvania reasonable time to resolve the issue
- Do not use network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data
If these guidelines are followed, no legal action will be taken against any persons discovering and reporting a vulnerability.
Reporting a vulnerability
The preferred method for contacting Feilo Sylvania regarding a real or potential vulnerability within its products or services is by sending an e-mail to:
In order to efficiently process your report of the vulnerability, we expect a well-written report in English containing the following information:
- Time and date of discovery
- Mobile application being used
- Mobile operating system
- Computer model and details of operating system
- Device model number and associated MAC/UUID addresses
- Product model number, using the vendor nomenclature if possible
- URL, browser information including type and version, and input required to reproduce the vulnerability
- Technical Description — describe what actions were being performed and the result in as much detail as possible, including screenshots
- Sample Code — if possible, provide code that was used in testing to create the vulnerability
- Reporting party’s Contact Information — best contact details
- Disclosure Plan(s) — current plan to disclose
- Threat/Risk Assessment and severity rating — contains details of the identified threats and/or risks including a risk level (minor, major, critical)
- Relevant information about connected devices if the vulnerability arises during interaction
Please do not include personal data in your reports, except what is necessary to contact you in line with GDPR compliance.
Participating in this reporting mechanism does not grant you any right to intellectual property owned by Feilo Sylvania or any third party.
Processing the report – Next steps
Once Feilo Sylvania receives your report, Feilo Sylvania will endeavour to acknowledge receipt of all submitted reports within seven days.
Your report will be entered into our issue tracking system. The report will be considered and allocated a severity rating at Feilo Sylvania’s sole discretion, and an appropriate member of the team will contact you to follow up.
To ensure confidentiality, we encourage you to encrypt any sensitive information you send to us via e-mail. Feilo Sylvania will ensure an open dialog to discuss issues and keep you notified at each stage of the investigation.
Feilo Sylvania has full discretion to determine whether to accept a report based on the level of severity or content of the report provided.
Feilo Sylvania thanks you for your assistance in identifying a vulnerability, for improving our products and services and for contributing to a more secure community.
All aspects of this process are subject to change without notice, as well as to case-by-case exceptions. No particular level of response is guaranteed for any specific issue or group of issues.
Note that there is no financial reward for any reported vulnerability.