A leading global manufacturer of light fittings    Engineered in the Austrian Tyrol    A great selection
Select Store
countryflag EN
Africa
Morocco FR
Europe
International EN Greece EL
Turkey TR Kosovo SQ
Romania RO Russia RU
Serbia SR Hungary HU
Latvia LV Lithuania LT
Ukraine UK Deutschland (Germany) DE
España (Spain) ES Nederland (The Netherlands) NL
Portugal PT Schweiz (Switzerland) DE FR IT
France FR Belgium NL FR
Sverige (Sweden) SV Suomi (Finland) FI
Österreich (Austria) DE Italia (Italy) IT
United Kingdom EN Bulgaria BG
Bosnia BS Hrvatska (Croatia) HR
Slovenia SL Polska (Poland) PL
Danmark (Denmark) DA Slovakia SK

Беларусь (Belarus)

Казахстан - Русский (Kazakhstan)

Македонија (Macedonia)
America
Colombia ES USA EN
Canada EN FR Costa Rica ES
Mexico ES Peru ES

Brasil (Brazil)

Chile
Asia & Pacific
India EN China ZH
Australia EN
Africa
Toggle Nav
Search
Search
Close
Menu
Select Store
countryflag EN
Africa Morocco FR
Europe International EN
Greece EL
Turkey TR
Kosovo SQ
Romania RO
Russia RU
Serbia SR
Hungary HU
Latvia LV
Lithuania LT
Ukraine UK
Deutschland (Germany) DE
España (Spain) ES
Nederland (The Netherlands) NL
Portugal PT
Schweiz (Switzerland) DE FR IT
France FR
Belgium NL FR
Sverige (Sweden) SV
Suomi (Finland) FI
Österreich (Austria) DE
Italia (Italy) IT
United Kingdom EN
Bulgaria BG
Bosnia BS
Hrvatska (Croatia) HR
Slovenia SL
Polska (Poland) PL
Danmark (Denmark) DA
Slovakia SK

Беларусь (Belarus)

Казахстан - Русский (Kazakhstan)

Македонија (Macedonia)

America Colombia ES
USA EN
Canada EN FR
Costa Rica ES
Mexico ES
Peru ES

Brasil (Brazil)

Chile

Asia & Pacific India EN
China ZH
Australia EN
Africa
Account

Vulnerability Disclosure Policy EGLO Leuchten GmbH

July 16, 2024

Introduction

This vulnerability disclosure policy applies to any vulnerabilities you are considering reporting to us. We recommend reading this vulnerability disclosure policy fully before you report a vulnerability and always acting in compliance with it. We value those who take the time and effort to report security vulnerabilities according to this policy. However, we do not offer monetary ewards for vulnerability disclosures.

Authorization

If you make a good faith to identify and report vulnerabilities while complying with this policy, we will consider your research to be authorized and we will work with you to understand and resolve the issue quickly.
EGLO Leuchten GmbH will not recommend or pursue legal action related to your activities of identifying vulnerabilities on our systems as long as you follow the guidelines in this policy.

Scope

This policy gives participants the opportunity to search for potential vulnerabilities in our organisation's systems, equipment and products, including

  • AwoX AwoX Smart CONTROL
  • AwoX AwoX HomeControl App
  • Smart products

with good intentions or to pass on any information they discover about a vulnerability.

Vulnerabilities found in systems from vendors are also excluded from scope and should be reported directly to the vendor according to their own disclosure policy (if applicable).

Reporting

If you believe you have found a security vulnerability, please submit your report to us using the following link/email: privacy@awox.com

In your report, please include details of:

  • The page where the vulnerability can be observed
  • A brief description of the type of vulnerability
  • Steps to reproduce. These should be a benign, non-destructive, proof of concept. This helps to ensure that the report can be triaged quickly and accurately. It also reduces the likelihood of duplicate reports, or malicious exploitation of some vulnerabilities, such as sub-domain takeovers.

What to expect from us

After you have submitted your report, we will respond to your report within one month working days and aim to triage your report within 180 days. We’ll also aim to keep you informed of our progress.

Priority for remediation is assessed by looking at the impact, severity and exploit complexity. Vulnerability reports might take some time to triage or address. You are welcome to enquire on the status but should avoid doing so more than once every 14 days. This allows our teams to focus on the remediation.

We will notify you when the reported vulnerability is remediated, and you may be invited to confirm that the solution covers the vulnerability adequately.

Once your vulnerability has been resolved, we welcome requests to disclose your report. We’d like to unify guidance to affected users, so please do continue to coordinate public release with us.

Guidelines

You must NOT:

  • Break any applicable law or regulations.
  • Access unnecessary, excessive or significant amounts of data.
  • Modify data in the Organization's systems or services.
  • Use high-intensity invasive or destructive scanning tools to find vulnerabilities.
  • Attempt or report any form of denial of service, e.g. overwhelming a service with a high volume of requests.
  • Disrupt the Organization's services or systems.
  • Submit reports detailing non-exploitable vulnerabilities, or reports indicating that the services do not fully align with “best practice”, for example missing security headers.
  • Submit reports detailing TLS configuration weaknesses, for example “weak” cipher suite support or the presence of TLS1.0 support.
  • Communicate any vulnerabilities or associated details other than by means described in the published security.txt.
  • Social engineer, ‘phish’ or physically attack the Organization's staff or infrastructure. * Demand financial compensation in order to disclose any vulnerabilities.

You must:

  • Always comply with data protection rules and must not violate the privacy of the Organization’s users, staff, contractors, services or systems. You must not, for example, share, redistribute or fail to properly secure data retrieved from the systems or services.
  • Securely delete all data retrieved during your research as soon as it is no longer required or within 1 month of the vulnerability being resolved, whichever occurs first (or as otherwise required by data protection law).