Vulnerability Disclosure Policy
Introduction
Clementoni S.p.A. is committed to ensuring the security and integrity of our systems, products and data. In alignment with the UK Product Security and Telecommunications Infrastructure (PSTI) Act 2022, we have established this Vulnerability Disclosure Policy (VDP) to give security researchers and the public a clear process for reporting potential vulnerabilities.
Scope
This policy applies to all systems, services, and products owned, operated, or maintained by Clementoni S.p.A. It outlines the processes for reporting vulnerabilities and our commitment to responding to these reports.
Authorization
This policy is published to meet the requirements of the PSTI Act 2022 and the security-requirement regulations made under it, which require manufacturers of consumer connectable products sold in the UK to publish a point of contact for reporting security issues, to acknowledge reports, and to keep reporters informed of progress until the issue is resolved.
Reporting a Vulnerability
If you believe you have discovered a potential security vulnerability in any of our systems, please report it to us using the following process:
- **Email Submission:** Send an email to assistenza@clementoni.it with the subject line "Vulnerability Disclosure".
- **Include Details:** Provide a detailed description of the vulnerability, covering the fields below:

| Field | Description |
|---|---|
| Title of vulnerability (M) | Concise summary categorising the vulnerability, and where it can be found |
| Asset (M) | Web address, IP address, system, product, service name, etc. where the vulnerability can be observed |
| Weakness (O) | Such as a CWE identifier |
| Severity of the vulnerability (O) | Such as low, medium, high or critical, ideally with the CVSS score it was calculated from |
| Description of the vulnerability (M) | A summary of the vulnerability; supporting files (e.g. screenshot or video); any mitigations or recommendations |
| Steps to reproduce the vulnerability (M) | Clear and descriptive steps to reproduce the vulnerability; proof-of-concept code if available |
| Potential impact of the vulnerability (M) | The effects of successfully exploiting the vulnerability |

M = Mandatory, O = Optional
- **Contact Information:** Your contact information (name and email address) so we can reach you for further information if necessary. These details are optional, so that anonymous reporting is possible.
What to Expect
- **Acknowledgment:** We will acknowledge receipt of your report within 2 business days.
- **Assessment:** Our security team will assess the report to verify the vulnerability.
- **Response:** We will provide an initial assessment of the vulnerability, including an estimated timeline for resolution, within 30 business days.
- **Credit:** If you wish to be publicly acknowledged for your discovery, please indicate so in your initial report. We will credit you in our security advisories unless you prefer to remain anonymous.
Good Faith Research
We expect security researchers to:
- Act in good faith to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data.
- Follow this policy and any other relevant agreements or laws.
No Legal Action
To encourage responsible vulnerability research and reporting, we will not take legal action against individuals who:
- Act in accordance with this policy.
- Report vulnerabilities without any malicious intent.
- Avoid actions that could harm our systems, services, or data.
Out of Scope
The following types of activities are out of scope and should not be conducted:
- Denial of Service (DoS) attacks.
- Social engineering or phishing attacks against our staff or users.
- Physical attacks against our offices or data centers.
Commitment to Confidentiality
All information shared with us during vulnerability reporting will be handled confidentially and will not be shared with third parties without the reporter's consent, except as required by law.
Contact Information
For any questions or clarifications regarding this policy, please contact us at:
- Email: assistenza@clementoni.it
- Phone: +39 07175811
Updates to This Policy
This policy may be updated periodically. The latest version will always be available on our official website at en.clementoni.com/pages/vulnerability-disclosure-policy
Acknowledgment
We appreciate the efforts of security researchers who report vulnerabilities to us and help us improve the security of our systems and services. Thank you for your contribution to our security.
By following this policy, you agree to comply with all the outlined procedures and understand our commitment to protecting our systems and data in accordance with the PSTI Act.