Vulnerability disclosure policy
Our product development cycle follows the Secure By Design guidelines, which commit us, among other actions, to (i) systematically identify, analyze, and reduce vulnerabilities in our products; (ii) publish new versions that include security patches for known vulnerabilities; and (iii) publish a Vulnerability Disclosure Policy (VDP).
Our Vulnerability Disclosure Policy authorizes third-party testing of our products and commits us, as the product manufacturers, not to recommend or take legal action against anyone participating in good faith efforts to follow this policy. Additionally, it provides a clear channel for reporting vulnerabilities and allows public disclosure of vulnerabilities in line with international cybersecurity standards' best practices.
Fermax firmly believes that coordinated vulnerability disclosure is mutually beneficial for both the company and the security research community. As hardware/software manufacturers, we rely on the security research community to help us better protect our products. This policy provides security researchers with (i) a reliable framework to work within; and (ii) an open channel for reporting vulnerabilities.
At Fermax, we take security issues very seriously and appreciate feedback from security researchers to improve our products, applications, and cloud services. All vulnerabilities reported through this procedure will be analyzed and addressed, either to mitigate or remediate those issues in our infrastructures and services.
Reporting Security Issues
This policy extends to all employees, customers, suppliers, security researchers, and third parties who are aware of any vulnerabilities in Fermax systems and applications.
If you believe you have discovered a vulnerability in a Fermax product or have a security incident to report, please email security@fermax.com or fill out our vulnerability form through the following link: https://www.fermax.com/cybersecurity-report
The reported vulnerability will be directly added to our security task backlog, from where we will track it until resolution.
To facilitate the management of the reported vulnerability, follow up on the case, and clarify any doubts, we ask that you include the following in your report:
- Name, Surname, and contact email.
- Affected product/application/service. If applicable, product model and version number.
- Configuration details of the setup/devices/type of installation used to reproduce the issue.
- Description of the steps followed to reproduce the issue.
- Public references (if any).
- Discovery date.
- Suggested fix (if any).
Please use this official channel to report security issues, providing all relevant information. The more details you provide, the easier it will be for us to classify and solve the problem.
Following our Vulnerability Disclosure Policy, we will respond to the indicated contact email once we have analyzed the impact, severity, and complexity of the exploit in the vulnerability report.
While we value any vulnerability report you provide, we ask that you refrain from conducting any security research that could harm our users, systems, and services, or corrupt data. Additionally, if you are a researcher and detect a vulnerability affecting sensitive data (e.g., personally identifiable information (PII); financial information; confidential information; or third-party trade secrets), you must suspend testing, notify us of the vulnerability immediately, and not disclose this data to third parties. If a researcher acts in bad faith, engaging in any activity that violates this procedure or other applicable legislation, they may be subject to criminal or civil liability.
Public Disclosure
Fermax will publicly disclose the vulnerability once we have developed and applied the corresponding solutions, provided it does not compromise the security of our users. To demonstrate maximum transparency, each vulnerability report includes the corresponding Common Vulnerabilities and Exposures (CVE) identifier, where applicable, together with the Common Weakness Enumeration (CWE) and the Common Platform Enumeration (CPE). Additionally, we commit to releasing a CVE as soon as possible for all critical or high-impact vulnerabilities (whether discovered internally or by a third party).
Public disclosure will be carried out in a coordinated and responsible manner, following vulnerability disclosure best practices, and will be published at https://www.fermax.com/security-advisories.
Data Protection
In accordance with Regulation (EU) 2016/679, of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation or ‘GDPR’) and the Spanish Data Protection Legislation (‘LOPDGDD’), we inform you that the personal data provided when communicating a vulnerability will be processed by FERMAX ELECTRÓNICA, S.A.U. (‘FERMAX’) as Data Controller, in order to notify you about the resolution of the incident communicated to us.
The legal basis for the processing of the data is established in article 6.1.a) of the GDPR (consent), which is granted when communicating the vulnerability.
We also inform you that the personal data provided will not be disclosed to third parties and will only be retained until the vulnerability has been resolved. As the owner of said data, you may exercise your rights of access, rectification, deletion, limitation of and opposition to the processing, and portability of your data by sending an e-mail to privacidad@fermax.com.
You can find more information about your rights regarding personal data protection from the Spanish Data Protection Agency through its website, https://www.aepd.es.
Confidentiality
All communications related to vulnerability disclosure will respect the discoverer's identity, keeping it confidential unless otherwise indicated.
Review and Update
This policy is periodically reviewed and updated by the information security team to ensure its effectiveness and relevance. We also reserve the right to update it without prior notice.