Vulnerability Disclosure Policy

Fermax Asia Pacific Pte Ltd (Fermax) is committed to ensuring the security of our products, and we welcome feedback from security researchers in order to improve the security of our products. This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities and to convey our preferences for how discovered vulnerabilities should be submitted to us. Please review this policy before attempting to test or report a vulnerability.

Guidelines

We require that all researchers:

  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing.
  • Perform research only within the scope set out below.
  • Use only the communication channels identified in this policy for vulnerability reporting.
  • Keep information about any vulnerability you discover confidential between yourself and Fermax until disclosure is approved by Fermax.
  • Remain communicative and cooperative as we work together through this process.

If you follow these guidelines when reporting an issue to us, we commit to:

  • Not pursue or support any legal action related to your vulnerability research.
  • Work with you to understand and resolve the issues associated with the vulnerability.

Test Methods

All researchers must comply with applicable law. Vulnerability scanning may not be used as a pretext for attacking a system or any other target, and reporting a vulnerability does not exempt the reporter from legal compliance.

Several actions must be avoided, including:

  • Using social engineering
  • Compromising the system and persistently maintaining access to it
  • Changing the data accessed by exploiting the vulnerability
  • Using malware
  • Using the vulnerability in any way beyond proving its existence. To demonstrate that the vulnerability exists, the reporter should use non-intrusive methods, such as listing a system directory
  • Using brute force to gain access to systems
  • Sharing the vulnerability with third parties
  • Performing DoS or DDoS attacks

A vulnerability should be reported as soon as it is detected and must not be exploited in any way.

Reporting a Vulnerability

If you believe you have found a security vulnerability in one of our products or platforms, please send your finding report to us by email at vida@fermax.com.sg

Please include the following details in your report, using the template below that matches the affected component.

Hardware:

  1. Product name & hardware model/revision/serial number
  2. Expected correct behaviour
  3. Actual behaviour after exploiting the vulnerability
  4. Steps to reproduce the vulnerability
  5. Risk assessment (impact level as assessed by the finder: High/Med/Low)
  6. Configurations of hardware (connections, software, debug connections, etc.)
  7. Example exploit source code (if any)
  8. Finder(s) contact information

Firmware:

  1. Product name & firmware version
  2. Expected correct behaviour
  3. Actual behaviour after exploiting the vulnerability
  4. Steps to reproduce the vulnerability
  5. Risk assessment (impact level as assessed by the finder: High/Med/Low)
  6. System & Hardware configurations (MAC address, etc.)
  7. Example exploit source code (if any)
  8. Finder(s) contact information

Cloud:

  1. Country the finder is from
  2. Time and date of discovery (if known)
  3. Username/email involved in producing the vulnerability
  4. User inputs required to reproduce the vulnerability
  5. Expected correct behaviour
  6. Actual behaviour after exploiting the vulnerability
  7. Steps to reproduce the vulnerability
  8. Risk assessment (impact level as assessed by the finder: High/Med/Low)
  9. System configurations (if relevant to vulnerability)
  10. Example exploit source code (if any)
  11. Finder(s) contact information

Application (Android/iOS):

  1. App name & version
  2. Host Operating System (OS) & OS version
  3. Expected correct behaviour
  4. Actual behaviour after exploiting the vulnerability
  5. Steps to reproduce the vulnerability
  6. Risk assessment (impact level as assessed by the finder: High/Med/Low)
  7. System configurations (if relevant to vulnerability)
  8. Example exploit source code (if any)
  9. Finder(s) contact information

Our Actions

Upon receiving your report, we will:

  • Acknowledge your report within seven working days
  • Request any additional information we may require in order to investigate
  • Seek your cooperation to confirm the existence of the vulnerability
  • Inform you of the estimated time we need to resolve the vulnerability and provide a patch for the product(s) involved. Our goal is to fix it within ninety days of confirmation
  • Provide regular status updates, based on our severity classification after impact analysis, until the reported issue is resolved
    -For urgent and critical cases, daily updates will be provided
    -For other cases, weekly updates will be provided
  • Notify you when the fix is complete
  • In appropriate cases, release information about the issue to our customers or the public for awareness, including what they can do
  • Conduct an internal review of the shortcomings and improve our processes and products