Vulnerability Disclosure Procedure

About Beko A&NZ Pty Ltd

Beko is an international home appliances business, dedicated to inspiring sustainable lives in every home. Beko A&NZ Pty Ltd is the Australian & New Zealand subsidiary of Beko.

Beko has 55,000 employees worldwide and global operations through its subsidiaries in 58 countries and 45 production facilities in 13 countries (i.e. Türkiye, Italy, Romania, Slovakia, Poland, South Africa, Russia, Pakistan, India, Bangladesh, Thailand, China and Egypt). Beko has 22 brands owned or used with a limited license (Arçelik, Beko, Whirlpool*, Grundig, Hotpoint, Arctic, Ariston*, Leisure, Indesit, Blomberg, Defy, Dawlance, Hitachi*, Voltas Beko, Singer*, ElektraBregenz, Flavel, Bauknecht, Privileg, Altus, Ignis, Polar).

Beko became the largest white goods company in Europe with its market share (based on volumes) and reached a consolidated turnover of 8 billion Euros in 2023. Beko’s 30 R&D and Design Centres & Offices across the globe are home to over 2,300 researchers and hold more than 3,500 international registered patent applications to date. The company has achieved the highest score in the S&P Global Corporate Sustainability Assessment (CSA) in the DHP Household Durables industry for the sixth consecutive year (based on the results dated 22 November 2024) and has been included in the Dow Jones Sustainability Indices for the eighth consecutive year.**

Beko’s vision is ‘Respecting the World, Respected Worldwide.’

*Licensee limited to certain jurisdictions.   

**The data presented belongs to Arçelik A.Ş., a parent company of Beko.

1. Purpose

This Vulnerability Disclosure Procedure (VDP) provides guidelines for the cybersecurity research to improve the security of our networked products, apps, and cloud services.  This VDP also instructs researchers on how to submit discovered vulnerabilities to the the relevant team

2. Overview

We take security issues extremely seriously as Arçelik and welcome feedback from security researches in order to improve the security of our networked products, apps, and cloud services. We operate a procedure of coordinated disclosure for dealing with reports of security vulnerabilities and issues. Vulnerabilities submitted to us under this procedure will be used for defensive purposes to mitigate or remediate vulnerabilities in our networks and services.

Researchers must review and comply with following terms and contidions of this VDP before conducting any research or testing on our networked products, apps and cloud services.

2.1.    Safe Harbor (Legal Authorization)

Arçelik authorizes good-faith security research on in-scope targets under this VDP. If you comply with this policy, we will not pursue or recommend legal action for your research, and we will consider your testing authorized. Testing must remain within reasonable limits, comply with applicable laws and our policy, and avoid actions that could harm users, services, or data. Consult your own legal counsel as needed; Arçelik’s Legal team supports this clause’s intent.

3. Guidelines

3.1. Reporting a Suspected Security Issue

Please send an email to cyber.security@arcelik.com to report discovered a vulnerability in a Arçelik asset / system.

If your discovered vulnerability about one of our IoT products, its related mobile applications or their related cloud services please send your report to psirt@homewhiz.com.

Please share the security issue with us before making it public on message boards, mailing lists, or other forums.

To receive credit, you must be the first to report vulnerability, and you must notify us in accordance with following;

• You should provide basic details of discovered issue, typically;

• Name/type of affected product/app/service, plus specific model number, serial number, etc.

• Any Proof of Concept(POC) setup details

• Description of the steps to reproduce the issue

• Public references if there is any

• The details of system where the tests were conducted

By following the Vulnerability Disclosure Procedure, we will respond to you within a maximum of 5 business days upon receiving the initial report. If the reported security issue will be confirmed by looking at the impact, severity, and exploit the complexity of the vulnerability report; we may ask for your further contribution to resolve the potential vulnerability within 90 days.

3.2. Scope of Vulnerabilities

3.2.0    Out of Scope Targets & Tests

• Tests requiring internal network or VPN access

• Physical intrusion or social engineering of facilities or staff

• Tests that pose safety risk for IoT / white-goods devices

• Third-party infrastructures (e.g., banks, PSPs, logistics providers, SaaS vendors)

• Employees’ personal accounts or devices

• Customer or other third-party accounts

   

3.2.1.       Accepted Vulnerabilities

We are willing to be informed about demonstrated vulnerabilities of medium/high impact, such as authentication/authorization, cryptography, data leakage, and URL redirector abuse.

3.2.2.       Out of Scope Vulnerabilities

• SSL & TLS vulnerabilities related to configuration or version

• Denial of Service (DoS)

• User enumeration/Brute forcing (for example Login and Forgot Password page)

• HTTP Trace method is enabled.

  These qualify if you are able to execute an attack.

• Clickjacking on pages without any authentication and/or sensitive state changes

• Social Engineering/Phishing

• Content spoofing

• Self-XSS. Cross-site scripting issues should be exploitable in reflected, stored or DOM-based types.

• Logout and other instances of low-severity CSRF

• Missing HTTP headers

• Missing cookie flags on cookies

• Password complexity and reset password flow complexity

• Invalid or missing SPF (Sender Policy Framework) records

• Software banner / version disclosure.

  These qualify if you are able to provide an exploitable POC.

• Results of automated tools or scanners

• Autocomplete attribute on web forms

• Vulnerabilities which require a jailbroken device

Although we find every vulnerability that comes from you valuable, we ask you to stay away from any kind of security research that may harm our users, systems and services and has the possibility of data corruption. Also, a researcher determines a vulnerability which includes any sensitive data (including personally identifiable information, financial information, or the proprietary information or trade secrets of any party), they must stop testing, notify relevant e-mail address immediately through our vulnerability submission process, and not disclose this data to anyone else. If a researcher engages in any activities that are inconsistent with this procedure or other applicable law, the researcher may be subject to criminal and/or civil liabilities.

3.3.    Disclosure of Vulnerability

Public disclosure of vulnerabilities approved/processed by us is not permitted under any circumstances.

4.    WHAT YOU CAN EXPECT FROM US

As Arçelik, we will take appropriate steps to mitigate the risk and remediate the reported vulnerabilities by taking into account any vulnerabilities we receive and comply with the guideline.

Arçelik makes a commitment to cooperate with security researcher(s) as transparently and quickly as possible.

If researcher conduct vulnerability disclosure activities in accordance with our guideline and applicable law, Arçelik will not initiate any law enforcement related to such activities.

4.1.    Hall of Fame

We introduce a public “Hall of Fame” page to recognize contributing researchers and encourage responsible disclosure.

Vulnerability Disclosure Hall of Fame

5. QUESTIONS

If you have any questions about the guideline or the process, do not hesitate to contact us:

For Arçelik Asset /System - BilgiGuvenligi@arcelik.com

For IoT Products - psirt@homewhiz.com