Vulnerability disclosure policy

Introduction

Since security is of critical importance to us and to our customers, we at ISEO Serrature are committed to ensuring the safety and security of our products and services. ISEO Serrature supports coordinated vulnerability disclosure and encourages responsible vulnerability testing. We take any reports of potential security vulnerabilities seriously.

To report a potential security vulnerability, please follow the steps described in the “Reporting procedure” section.

Reporting procedure

  • Submit the Vulnerability Report to psirt@iseo.com.
  • Use our PGP public key to encrypt any email submissions.
  • Write the Vulnerability Report in English.
  • Provide sufficient contact information, such as: a. your email; b. name of the person who found the vulnerability.
  • Provide information about the vulnerability: a. date when the vulnerability was detected; b. details about how it was discovered; c. a technical description of the vulnerability.
  • Provide as much information as you can on the product or service affected by the vulnerability, such as: a. version number (hardware and software); b. configuration of the setup used.
  • If you wrote specific proof-of-concept or exploit code, please provide a copy. Please ensure all submitted code is clearly marked as such and is encrypted with our PGP key.
  • If you have identified specific threats related to the vulnerability, assessed the risk, or have seen the vulnerability being exploited, please provide that information.

Internal assessment and action

  1. ISEO Serrature will acknowledge receiving your Vulnerability Report within 3 business days.
    • If the Vulnerability Report contains all the required information, ISEO Serrature will provide a unique tracking number and a contact person;
    • If the Vulnerability Report is not complete (more information is needed), ISEO Serrature will request the missing information from you, and no further action will be taken.
  2. ISEO Serrature will start an internal Vulnerability Management Process to manage the reported vulnerability:
    • Vulnerability Identification;
    • Vulnerability Triage;
    • Vulnerability Assessment;
    • Vulnerability Addressing.
  3. ISEO Serrature will monitor the status of the Vulnerability Management Process, and you will receive a communication at the end of each stage.
  4. ISEO Serrature will use existing customer notification processes to manage the release of patches or security fixes, which may include, without limitation and at ISEO Serrature’s sole discretion, direct customer notification or public release of an advisory notification on our website.
  5. If the vulnerability is actually in a third-party component or service which is part of our product/service, ISEO Serrature will notify that third party of the Vulnerability Report and advise you of that notification. To that end, please inform us in your email whether it is permissible in such cases to provide your contact information to the third party.

Notice

If you share any information with ISEO Serrature in the context of responsible disclosure, you are agreeing that the information you submit will be considered as non-proprietary and non-confidential. ISEO Serrature is allowed to use shared information, or part of it, without any restriction. You agree that submitting information does not create any rights for you or any obligation for ISEO Serrature. Personal data is processed by ISEO Serrature based on the privacy policy.