Vulnerability Disclosure Policy Guidance
At Hisense USA Corporation, security and privacy issues are important to us. We are committed to ensuring the security of information and data entrusted to us by people who use our products and services.
This vulnerability disclosure policy applies to any vulnerabilities you are considering reporting to us. We recommend you to read this policy fully before you report a vulnerability and always acting in compliance with it.
We value those who take the time and effort to report security vulnerabilities according to this policy. However, we do not offer monetary rewards for vulnerability disclosures.
If you believe you have found a security vulnerability, please follow the philosophy of Responsible Disclosure under this policy and submit your report to us using the following link/email: www.hisense-usa.com/contact
In your report please include:
Where and when the vulnerability is observed, such as the type of products or services and website address.
The potential weakness you observed (e.g. CWE) (optional)
The severity of the vulnerability (e.g. CVSS v3.0) (optional)
Title of the vulnerability (mandatory)
A description of the vulnerability, including a brief summary, supporting documents, and possible mitigations or your recommendations (mandatory)
Potential impact of exploitation (what could an attacker do?) (mandatory)
Steps to reproduce. These should be a benign, non-destructive, proof of concept. This helps us to ensure that the report can be triaged quickly and accurately. It also reduces the likelihood of duplicate reports, or malicious exploitation of some vulnerabilities, such as sub-domain takeovers.
Your sufficient contact information that can allow us to get in touch with you regarding your vulnerability report
What to expect
After you have submitted your report, we will respond to your report within 5 working days and aim to triage your report within 10 working days. We'll also aim to keep you informed of our progress.
Priority for remediation is assessed by looking at the impact, severity and exploit complexity. Vulnerability reports might take some time to triage or address. You are welcome to enquire on the status but should avoid doing so more than once every 14 days. This allows our teams to focus on the remediation.
We will notify you when the reported vulnerability is remediated, and you may be invited to confirm that the solution covers the vulnerability adequately.
Please keep information about the vulnerability in your report confidential until we have a solution in place.
Once your vulnerability has been resolved, we welcome requests to disclose your report. As a part of responsible disclosure, we request you to work with us on a mutual agreement on public release for information on the vulnerabilities you discovered and reported. Please coordinate with us on any public release.
You must NOT:
Violate any applicable laws or regulations.
Access unnecessary, excessive or significant amounts of data.
Modify data in our systems or services.
Use high-intensity invasive or destructive scanning tools to find vulnerabilities.
Attempt or report any form of denial of service, e.g. overwhelming a service with a high volume of requests.
Disrupt our services or systems.
Create uncessary security risk.
Use any vulnerabilities for commercial or business purpose.
Product Support Policy Overview:
We do our best to provide continuous security updates for our Hisense brand TV products. The security updates generally include the latest security patches, security vulnerability fixes, and other security improvements. We will maintain the security updates for at least 2 years from the launch day of certain device models.