Vulnerability management policy
Our product development cycle follows the Secure By Design guidelines, which commit us, among other actions, to (i) systematically identify, analyze, and reduce vulnerabilities in our products; (ii) publish new versions that include security patches for known vulnerabilities; (iii) disclose the vulnerabilities found; and (iv) publish a Vulnerability Management Policy.
Reporting Security Issues
Our Vulnerability Management Policy authorizes third parties to conduct security testing on our products and commits us, as manufacturers, not to recommend or take legal action against anyone participating in good-faith efforts to follow this policy. Furthermore, we commit to providing a clear and open channel for third parties to report potential vulnerabilities, and to disclosing vulnerabilities along with their mitigation and/or resolution measures, all in line with the best practices of international cybersecurity standards.
At Fermax, we take security issues very seriously and appreciate feedback from security researchers. For us, they are a way to improve our products, applications, and cloud services. All vulnerabilities reported to us through this official procedure will be analyzed and addressed, either to mitigate or remediate those issues in our infrastructures and services.
If you believe you have discovered a vulnerability in a Fermax product or have a security incident to report, please email security@fermax.com or fill out our vulnerability form, available through the following link:
https://www.fermax.com/cybersecurity-report
The reported vulnerability will be directly added to our security task backlog, from where we will track it until resolution.
To facilitate the management of the reported vulnerability, follow up on the case, and clarify any doubts, we need the following information:
- Name, Surname, and contact email.
- Affected product/application/service. If applicable, product model and version number.
- Configuration details of the setup/devices/type of installation used to reproduce the issue.
- Description of the steps followed to reproduce the issue.
- Public references (if any).
- Discovery date.
- Suggested fix (if any).
It is important that the researcher uses this official channel to report security issues, providing all relevant information. The more details provided, the easier it will be for us to classify and resolve the problem.
Following our Vulnerability Management Policy, we will respond to the contact email provided with a confirmation of receipt, and again once we have analyzed the impact, severity, and exploitation complexity described in the vulnerability report.
While we value any vulnerability you provide, we ask that third parties refrain from conducting any type of security research that could harm our users, systems, and services, or corrupt data.
Additionally, if you are a researcher and detect a vulnerability affecting sensitive data (e.g., personally identifiable information (PII); financial information; confidential information; or third-party trade secrets), you must suspend testing, notify us of the vulnerability immediately, and not disclose this data to third parties. If a researcher acts in bad faith, engaging in any activity that violates this procedure or other applicable legislation, they may be subject to criminal or civil liability.
All communications related to vulnerability disclosure will respect the discoverer's identity, keeping it confidential unless otherwise indicated.
Vulnerability Management
Reported vulnerabilities are classified according to the Common Vulnerability Scoring System (CVSS). CVSS is the de facto global standard used to assess the severity of vulnerabilities. Under this standard, vulnerabilities are classified as follows:
- CVSS v4.0 High/Critical (7.0 – 10.0)
- CVSS v4.0 Low/Medium (0.1 – 6.9)
The remediation priority of a reported vulnerability will be assessed by FERMAX, taking into account, among other factors, its potential impact, severity level, exploitation complexity, and the potential consequences for both customers and the organisation's operations. In the event of receiving multiple vulnerability reports in succession, their assessment or resolution may require additional time on the part of FERMAX.
Vulnerabilities classified as High/Critical will be prioritised for immediate treatment, with a target remediation period of no more than thirty (30) calendar days from their identification, unless justified technical limitations exist.
The remediation timeframe for each vulnerability will be determined according to the associated risk level and may be adjusted based on, among other factors:
- the availability of known exploits;
- the degree of exposure of the affected system (for example, Internet-facing or restricted to local environments);
- the criticality of the affected asset; and
- the potential impact on customers, products, or services.
In cases where these remediation timeframes cannot be met due to external dependencies, product stability considerations, or the need for additional validation, FERMAX may:
- implement temporary mitigation measures; and/or
- schedule the fix for a future release of the affected product or system.
Vulnerabilities classified as Low/Medium generally have less significant security implications, either because they require prior privileged access or because they have a limited impact on the confidentiality, integrity, or availability of products or systems. In such cases, FERMAX may address the vulnerability as part of a future scheduled release within a reasonable timeframe, where deemed necessary.
In all cases, FERMAX will notify the reporter once the reported vulnerability has been remediated and may request the reporter's cooperation in confirming that the implemented solution adequately addresses the identified vulnerability.
We also inform you that the status of the vulnerability management process may be requested at any time. However, we kindly ask that such enquiries are not made more frequently than once every thirty (30) days, in order to allow the responsible teams to focus on analysis and remediation activities.
Support and Security Updates
We provide technical support, security updates, and enhancements throughout the life cycle of our products, from launch, through their useful life, and for an extended period after the discontinuation of our products.
Software/Services Support
Support for our software and services remains active for up to 5 years after the linked product's end-of-life (EOL) date. After this period, we will cease to offer security updates, technical support, and enhancements.
Firmware and Hardware Support
Physical devices and their associated firmware receive security updates and bug fixes for up to 5 years from their EOL date, provided the device allows it.
Mobile Applications
Our mobile applications receive support and updates until the discontinuation of the product. However, it is important to note that Fermax is only responsible for the app developed by our teams, and not for the operating system of the mobile devices on which our apps run. It is the user's responsibility to keep the operating system of their mobile device updated.
You can consult our Compatibility and Support Policy for Android / iOS Operating System Versions through the following link:
Public Disclosure
Fermax will publicly disclose vulnerabilities once we have developed and applied remedies for them, and as long as doing so does not compromise the security of our users. To demonstrate maximum transparency, each vulnerability report includes the corresponding Common Vulnerabilities and Exposures (CVE) identifier, where applicable, together with the Common Weakness Enumeration (CWE) and the Common Platform Enumeration (CPE). Additionally, we commit to releasing a CVE as soon as possible for all critical or high-impact vulnerabilities (whether discovered internally or by a third party).
Public disclosure will be carried out in a coordinated and responsible manner, following the best practices of vulnerability disclosure and being published at https://www.fermax.com/security-advisories.
Data Protection
In accordance with Regulation (EU) 2016/679, of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation or ‘GDPR’) and the Spanish Data Protection Legislation (‘LOPDGDD’), we inform you that the personal data provided to communicate a vulnerability will be processed by FERMAX ELECTRÓNICA, S.A.U. (‘FERMAX’) as Data Controller, in order to notify you about the resolution of the incident communicated to us.
The legal basis for the processing of the data is established in article 6.1.a) of the GDPR (consent), which is granted when communicating a vulnerability.
We also inform you that the personal data provided will not be disclosed to third parties and will only be retained until the vulnerability has been resolved. As the owner of said data, you may exercise your rights of access, rectification, deletion, limitation and opposition to the processing and portability of your data by sending an e-mail to privacidad@fermax.com.
You can find more information about your rights regarding personal data protection from the Spanish Data Protection Agency (AEPD) at https://www.aepd.es.
Review and Update
This policy is periodically reviewed and updated by the information security team to ensure its effectiveness and relevance. We also reserve the right to update it without prior notice.