Are you sure you want to clear your comparison?
Continue
Wishlist
Compare
Select your perfect appliance
Find a Retailer
Hero Slider
Hero Slider
beko_statement_of_compliance_banner_1920x300
beko_statement_of_compliance_banner_750x1200

Vulnerability Disclosure Procedure

 

 

About Beko A&NZ Pty Ltd

Beko is an international home appliances business, dedicated to inspiring sustainable lives in every home. Beko A&NZ Pty Ltd is the Australian & New Zealand subsidiary of Beko.

Beko has 55,000 employees worldwide and global operations through its subsidiaries in 58 countries and 45 production facilities in 13 countries (i.e. Türkiye, Italy, Romania, Slovakia, Poland, South Africa, Russia, Pakistan, India, Bangladesh, Thailand, China and Egypt). Beko has 22 brands owned or used with a limited license (Arçelik, Beko, Whirlpool*, Grundig, Hotpoint, Arctic, Ariston*, Leisure, Indesit, Blomberg, Defy, Dawlance, Hitachi*, Voltas Beko, Singer*, ElektraBregenz, Flavel, Bauknecht, Privileg, Altus, Ignis, Polar).

Beko became the largest white goods company in Europe with its market share (based on volumes) and reached a consolidated turnover of 8 billion Euros in 2023. Beko’s 30 R&D and Design Centres & Offices across the globe are home to over 2,300 researchers and hold more than 3,500 international registered patent applications to date. The company has achieved the highest score in the S&P Global Corporate Sustainability Assessment (CSA) in the DHP Household Durables industry for the sixth consecutive year (based on the results dated 22 November 2024) and has been included in the Dow Jones Sustainability Indices for the eighth consecutive year.**

Beko’s vision is ‘Respecting the World, Respected Worldwide.’

*Licensee limited to certain jurisdictions.   

**The data presented belongs to Arçelik A.Ş., a parent company of Beko.

 

 

1. Purpose

This Vulnerability Disclosure Procedure (VDP) provides guidelines for cybersecurity research to improve the security of our networked products, apps, and cloud services. This VDP also instructs researchers on how to submit discovered vulnerabilities to the relevant team.

 

 

2. Overview

We take security issues extremely seriously at Arçelik and welcome feedback from security research to improve the security of our networked products, apps, and cloud services. We operate a procedure of coordinated disclosure for dealing with reports of security vulnerabilities and issues. Vulnerabilities submitted to us under this procedure will be used for defensive purposes to mitigate or remediate vulnerabilities in our networks and services.

Researchers must review and comply with the following terms and conditions of this VDP before conducting any research or testing on our networked products, apps and cloud services.

 

 

3. Guidelines

 

3.1. Reporting a Suspected Security Issue

Please send an email to BilgiGuvenligi@arcelik.com or informationsecurity@arcelik.com to report a discovered vulnerability in an Arçelik asset/system.

If your discovered vulnerability is about one of our IoT products, is related to mobile applications or their related cloud services please send your report to psirt@homewhiz.com.

Please share the security issue with us before making it public on message boards, mailing lists, or other forums.

To receive credit, you must be the first to report a vulnerability, and you must notify us in accordance with the following:

You should provide basic details of the discovered issue, typically;

  • Name/type of affected product/app/service, plus specific model number, serial number, etc.
  • Any Proof of Concept(POC) setup details
  • Description of the steps to reproduce the issue
  • Public references if there are any
  • The details of the system where the tests were conducted

By following the Vulnerability Disclosure Procedure, we will respond to you within a maximum of 48 business hours of receiving the initial report. If the reported security issue will be confirmed by looking at the impact, severity, and exploit the complexity of the vulnerability report; we may ask for your further contribution to resolve the potential vulnerability within 90 days.

 

3.2. Scope of Vulnerabilities

 

3.2.1. Accepted Vulnerabilities

We are willing to be informed about demonstrated vulnerabilities of medium/high impact, such as authentication/authorization, cryptography, data leakage, and URL redirector abuse.

 

3.2.2. Out of Scope Vulnerabilities

  • SSL vulnerabilities related to configuration or version
  • Denial of Service (DoS)
  • User enumeration/Brute forcing (for example Login and Forgot Password page)
  • HTTP Trace method is enabled.
    These qualify if you are able to execute an attack.
  • Clickjacking on pages without any authentication and/or sensitive state changes
  • Social Engineering/Phishing
  • Content spoofing
  • Self-XSS. Cross-site scripting issues should be exploitable in reflected, stored or DOM-based types.
  • Logout and other instances of low-severity CSRF
  • Missing HTTP headers
  • Missing cookie flags on cookies
  • Password complexity and reset password flow complexity
  • Invalid or missing SPF (Sender Policy Framework) records
  • Software banner/version disclosure.
    These qualify if you are able to provide an exploitable POC.
  • Results of automated tools or scanners
  • Autocomplete attribute on web forms
  • Vulnerabilities which require a jailbroken device

Although we find every vulnerability that comes from you valuable, we ask you to stay away from any kind of security research that may harm our users, systems and services and has the possibility of data corruption. Also, if a researcher determines a vulnerability which includes any sensitive data (including personally identifiable information, financial information, or the proprietary information or trade secrets of any party), they must stop testing, notify the relevant e-mail address immediately through our vulnerability submission process, and not disclose this data to anyone else. If a researcher engages in any activities that are inconsistent with this procedure or other applicable laws, the researcher may be subject to criminal and/or civil liabilities.

 

3.3. Disclosure of Vulnerability

Public disclosure of vulnerabilities approved/processed by us is not permitted under any circumstances.

 

 

4. What you can expect from us

As Arçelik, we will take appropriate steps to mitigate the risk and remediate the reported vulnerabilities by taking into account any vulnerabilities we receive and complying with the guideline.

Arçelik commits to cooperating with security researcher(s) as transparently and quickly as possible.

If the researcher conducts vulnerability disclosure activities in accordance with our guidelines and applicable law, Arçelik will not initiate any law enforcement related to such activities.

 

 

5. QUESTIONS

If you have any questions about the guideline or the process, do not hesitate to contact us:

BilgiGuvenligi@arcelik.com for Arçelik Asset /System

psirt@homewhiz.com for IoT products

Beko

Our parent company, Beko has 55,000 employees throughout the world with its global operations through its subsidiaries in 57 countries and 45 production facilities in 13 countries

(i.e. Türkiye, UK, Italy, Romania, Slovakia, Poland, South Africa, Russia, Pakistan, India, Bangladesh, Thailand and China).

Beko became the largest white goods company in Europe with its market share (based on volumes). Beko’s 31 R&D and Design Centers & Offices across the globe

are home to over 2,300 researchers and hold more than 3,500 international registered patent applications to date.