
Devialet Vulnerability Disclosure Policy
This policy delineates the procedures and guidelines for Devialet concerning the investigation, identification, public disclosure, and resolution of common vulnerabilities and exposures impacting our products and services and that have been notified to Devialet. Devialet is dedicated to safeguarding the data and privacy of our clientele through the expeditious and effective management of vulnerability research. It is incumbent upon security researchers to adhere to this coordinated disclosure policy when identifying security vulnerabilities. This policy is applicable to entities that discover or disclose vulnerabilities in our products and is formulated based on and makes reference to methodologies outlined in ETSI 300 645 and ISO 29147:2018.
Terms and Conditions:
Under this policy, vulnerability research denotes activities wherein security researchers:
Notify Devialet promptly upon the discovery of any actual or potential security vulnerability.
Endeavor in good faith to prevent privacy infringements, uphold user experience, forestall disruptions to operational systems, and safeguard against data destruction or manipulation. Any security testing that contravenes the law may prompt criminal or legal scrutiny. Refer to the Legal Issues and Protections section.
Maintain the confidentiality of vulnerabilities during the coordinated disclosure timeframe of 90 calendar days, while affording Devialet a reasonable duration to rectify the issue before public disclosure.
Coverage of Vulnerabilities:
This policy encompasses all vulnerabilities within Devialet's interconnected products, platforms, and controlling mobile applications, including those in firmware, mobile applications, and cloud services.
Services not explicitly listed above, such as any connected services, are beyond the scope and are not sanctioned for testing by Devialet. Furthermore, vulnerabilities detected in systems from our providers lie outside the purview of this policy and should be directly reported to the respective provider in accordance with their disclosure policy (if any). Should uncertainty persist regarding a system’s inclusion in scope, please contact us. Security researchers should refer to the external vulnerability disclosure policies of any third-party interconnected service to ascertain the authorized testing scope of said services.
Reporting Vulnerabilities:
We advocate for the responsible disclosure of vulnerabilities to Devialet. Reports may be submitted anonymously. Vulnerabilities can be reported through this with the subject line “Vulnerability Report”.
Reports should encompass comprehensive information. The following details will aid in expediting the evaluation process:
Description of the issue and its potential ramifications
Affected product(s) and software version(s)
Instructions for reproducing the issue
Proof-of-concept
Recommended mitigation or remediation actions, as applicable
What You Can Expect From Devialet:
Upon reporting a vulnerability, external parties can anticipate acknowledgment of their report within five business days. We will provide regular updates on the status of reports every 2-3 weeks throughout the resolution process, including notification upon successful remediation of the vulnerability. We will assign a severity level to the vulnerability and prioritize it based on the potential risk to our clientele’s data and privacy.
Acknowledgments:
Although we do not currently operate a bug bounty program for external security researchers, we are grateful for contributions that help us improve our security.
Legal Issues and Protections:
We are committed to safeguarding individuals who report vulnerabilities in good faith. Legal action will not be pursued against individuals adhering to this policy. Unless explicit acknowledgement is requested by the reporter, we will maintain the confidentiality of their identity unless otherwise mandated by law.
Last Updated: 15 April 2024
Devialet security updates
In accordance with the applicable security requirements set out in Schedule 1 to the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023, Devialet undertakes to support security vulnerability updates according to the schedule below for the listed products.
Product name          Security release period
Phantom I             31 March 2025
Dialog                31 March 2025
Expert Pro            31 March 2025
Phantom II            31 March 2025
Arch                  31 March 2025
Devialet Dione        31 March 2025
Devialet Mania        30 November 2026
Devialet Gemini       31 March 2025
Devialet Gemini II    31 March 2025
