Vulnerability management policy
Our product development cycle follows the Secure By Design guidelines, which commit us, among other actions, to (i) systematically identify, analyze, and reduce vulnerabilities in our products; (ii) publish new versions that include security patches for known vulnerabilities; (iii) disclose the vulnerabilities found; and (iv) publish a Vulnerability Management Policy.
Reporting Security Issues
Our Vulnerability Management Policy authorizes third parties to conduct security testing on our products and commits us, as manufacturers, not to recommend or take legal action against anyone participating in good-faith efforts to follow this policy. Furthermore, we commit to providing a clear and open channel for third parties to report potential vulnerabilities, and to disclosing vulnerabilities along with their mitigation and/or resolution measures, all in line with the best practices of international cybersecurity standards.
At Fermax, we take security issues very seriously and appreciate feedback from security researchers. For us, they are a way to improve our products, applications, and cloud services. All vulnerabilities reported to us through this official procedure will be analyzed and addressed, either to mitigate or remediate those issues in our infrastructures and services.
If you believe you have discovered a vulnerability in a Fermax product or have a security incident to report, please email security@fermax.com or fill out our vulnerability form, available through the following link:
https://www.fermax.com/cybersecurity-report
The reported vulnerability will be directly added to our security task backlog, from where we will track it until resolution.
To facilitate the management of the reported vulnerability, follow up on the case, and clarify any doubts, we need the following information:
- Name, Surname, and contact email.
- Affected product/application/service. If applicable, product model and version number.
- Configuration details of the setup/devices/type of installation used to reproduce the issue.
- Description of the steps followed to reproduce the issue.
- Public references (if any).
- Discovery date.
- Suggested fix (if any).
It is important that the researcher uses this official channel to report security issues, providing all relevant information. The more details provided, the easier it will be for us to classify and resolve the problem.
Following our Vulnerability Management Policy, we will respond to the contact email provided with a confirmation of receipt, and again once we have analyzed the impact, severity, and exploit complexity described in the vulnerability report.
While we value any vulnerability you provide, we ask that third parties refrain from conducting any type of security research that could harm our users, systems, and services, or corrupt data.
Additionally, if you are a researcher and detect a vulnerability affecting sensitive data (e.g., personally identifiable information (PII), financial information, confidential information, or third-party trade secrets), you must suspend testing, immediately report the vulnerability, and not disclose this data to third parties. If a researcher acts in bad faith, engaging in any activity that violates this procedure or other applicable legislation, they may be subject to criminal or civil liability.
All communications related to vulnerability disclosure will respect the discoverer's identity, keeping it confidential unless otherwise indicated.
Vulnerability Management
Discovered vulnerabilities are classified under the Common Vulnerability Scoring System (CVSS). CVSS is the de facto standard used globally to assess the criticality of vulnerabilities. Based on this standard and their relevance, we establish the following response criteria:
CVSS v4.0 High/Critical (7.0 – 10.0)
Fermax aims to resolve high or critical vulnerabilities within a maximum of 30 days from the time they are internally discovered or reported to the company. For components or solutions manufactured or developed by third parties, the lead time is usually longer, as obtaining information, patches, and/or verification depends on external sources.
CVSS v4.0 Low/Medium (0.1 – 6.9)
Vulnerabilities with a low or medium score typically have less significant consequences for product security, as they require prior privileged access or have a limited impact on confidentiality, integrity, or availability. Therefore, Fermax may resolve the vulnerability eventually as part of a scheduled future release if deemed necessary.
Resolving a vulnerability involves applying a security patch or mitigating it by disabling/replacing the affected component.
Support and Security Updates
We provide technical support, security updates, and enhancements throughout the life cycle of our products, from launch, through their useful life, and for an extended period after the discontinuation of our products.
Software/Services Support
Support for our software and services remains active for up to 5 years after the linked product's end-of-life (EOL) date. After this period, we will cease to offer security updates, technical support, and enhancements.
Firmware and Hardware Support
Physical devices and their associated firmware receive security updates and bug fixes for up to 5 years from their EOL date, provided the device allows it.
Mobile Applications
Our mobile applications receive support and updates until the discontinuation of the product. However, it is important to note that Fermax is only responsible for the app developed by our teams, and not for the operating system of the mobile devices on which our apps run. It is the user's responsibility to keep the operating system of their mobile device updated.
You can consult our Compatibility and Support Policy for Android / iOS Operating System Versions through the following link:
Public Disclosure
Fermax will publicly disclose vulnerabilities once we have developed and applied remedies for them, and as long as doing so does not compromise the security of our users. To demonstrate maximum transparency, each vulnerability report includes the corresponding Common Vulnerabilities and Exposures (CVE) identifier, where applicable, together with the Common Weakness Enumeration (CWE) and the Common Platform Enumeration (CPE). Additionally, we commit to releasing a CVE as soon as possible for all critical or high-impact vulnerabilities (whether discovered internally or by a third party).
Public disclosure will be carried out in a coordinated and responsible manner, following the best practices of vulnerability disclosure and being published at https://www.fermax.com/security-advisories.
Data Protection
In accordance with Regulation (EU) 2016/679, of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation or ‘GDPR’) and the Spanish Data Protection Legislation (‘LOPDGDD’), we inform you that the personal data provided to communicate a vulnerability will be processed by FERMAX ELECTRÓNICA, S.A.U. (‘FERMAX’) as Data Controller, in order to notify you about the resolution of the incident communicated to us.
The legal basis for the processing of the data is established in article 6.1.a) of the GDPR (consent), which is granted when communicating a vulnerability.
We also inform you that the personal data provided will not be disclosed to third parties and will only be retained until the vulnerability has been resolved. As the owner of said data, you may exercise your rights of access, rectification, erasure, restriction of and objection to processing, and data portability by sending an e-mail to privacidad@fermax.com.
You can find more information about your rights regarding personal data protection from the Spanish Data Protection Agency at https://www.aepd.es.
Review and Update
This policy is periodically reviewed and updated by the information security team to ensure its effectiveness and relevance. We also reserve the right to update it without prior notice.