Bitdefender Policy for IoT Public Vulnerability Disclosure

The policy below outlines how Bitdefender responsibly handles IoT vulnerability disclosure to product vendors, security vendors, and the public. Bitdefender is committed to notifying the affected vendor of security flaws found in their product or service in a timely and responsible manner. 

Bitdefender will make all reasonable efforts to contact the vendor through the contact methods publicly displayed on the vendor’s website and provide the details of the vulnerability it has found.

Policy Definitions

IoT Product – A physical device, integrated with software, that can send and receive information over the internet, or over local network connections.

IoT Vendor – An entity (individual, company, or group) responsible for the production, assembly, or delivery of IoT products to consumers.

IoT Security Testing – The process through which Bitdefender experts have independently tested an IoT Product, both from a hardware and a software perspective, to determine if it is affected by vulnerabilities that could potentially impact users.

IoT Vulnerability – A hardware or software problem, identified in the architecture of an IoT product, that could allow a malicious party to access the device without authorization, take over the device, access personal information, or use the device for purposes other than those for which it was intended.

Policy

The three main goals of the Bitdefender IoT Vulnerability Testing Program are: education, prevention, and consumer protection.

  • Education refers to helping vendors identify and fix flaws, vulnerabilities and risks in their products and improving their awareness regarding security issues.
  • Prevention refers to helping vendors and the IoT community improve their security posture so they can deliver safer products to their customers.
  • Consumer protection refers to informing consumers and the information security community about the vulnerabilities and risks of certain IoT Products, which were preferably fixed prior to disclosure, so they can act in their best interest.

Timeline of communication

Initial Contact – Bitdefender will contact an IoT Vendor using the contact methods publicly displayed on the vendor’s website. During the initial contact, Bitdefender will inform the vendor that it has identified vulnerabilities in its products and wants to establish a secure disclosure environment. If Bitdefender does not receive a response from the vendor, it will make a best-effort attempt to contact the vendor again. If all reasonable contact attempts fail, Bitdefender will consider public disclosure.

Notification – Once the vendor has responded to the contact attempt and a secure communication channel has been established, Bitdefender will officially notify the vendor of the vulnerability it has discovered and will provide all the information necessary to describe the issue, so that the vendor can take the right actions to fix the problem.

Remediation Timeslot – By default, Bitdefender grants vendors 90 days from the notification date to fix a product vulnerability found during testing. The 90-day period applies to each individual vulnerability found.

Status Updates – The vendor is strongly encouraged to share regular status updates about the actions it’s taking to address the vulnerability.

Timeslot Extension – Bitdefender may, in its sole discretion, consider an extension of the grace period, subject to reasonable evaluation.

No Communication – If the vendor decides to discontinue communication at any point after being notified about a vulnerability, Bitdefender will use the original 90-day deadline for public disclosure.

Fixed Vulnerability – A product vulnerability is considered fixed when the vendor has addressed the indicated problem and Bitdefender no longer considers that there is a security issue putting the consumer at risk.

Public Disclosure – Bitdefender will publicly release its security advisories on its website.