Last modified on: 22 April 2024

Daikin Europe N.V. is a fully-owned subsidiary of the Japanese company Daikin Industries Ltd. Together with its subsidiaries, Daikin Group produces, sells, distributes and markets air-conditioning, heating, ventilation and refrigeration equipment and solutions.

This Vulnerability Reporting and Disclosure Policy applies to the following products manufactured and/or supplied by Daikin Europe N.V.:

  • all internet-connectable products and products capable of connecting to such products, in accordance with the conditions specified in the Product Security and Telecommunications Infrastructure Act 2022, made available to consumers in the United Kingdom; and
  • radio equipment (as defined in Directive 2014/53/EU of the European Parliament and of the Council) that can communicate itself over the internet, whether directly or via any other equipment (inter-connected radio equipment) made available and put into service in the member states of the European Union;

(hereinafter referred to as “Products”).

Introduction

Daikin Europe N.V., together with its subsidiaries, (hereinafter referred to as “Daikin Europe”, “we”, “us”, “our”) is committed to ensuring the security and integrity of its Products in order to safeguard, among other things, the protection of data, including personal data¹, and the privacy of end-users, as well as to prevent any adverse impact on network functionality or misuse of network resources. As part of our commitment to security, we welcome and encourage responsible disclosure of any potential vulnerabilities discovered in our Products. This Vulnerability Reporting and Disclosure Policy outlines the process for reporting security issues to Daikin Europe and our commitment to addressing such issues promptly, effectively and in accordance with the applicable legislation².

Individuals eligible to report vulnerabilities include, but are not limited to, security researchers, end-users, independent experts, industry partners, and members of the general public. We appreciate the contributions of all stakeholders in helping us ensure the security of our Products.

Reporting Vulnerabilities

If you believe you have discovered a security vulnerability — a weakness or exposure that could be exploited to compromise the confidentiality, integrity, availability, operation, or other security properties of our Products — which is impacting any of the following aspects of our Products:

1. Hardware components,

2. Pre-installed software provided when the product is delivered to the customer,

3. Software necessary for the product's intended functionality, including those reliant on: 

3.1. Hardware,

3.2. Pre-installed software at the time of purchase,

3.3. Installable software, or

4. Software utilized for or associated with any intended purpose of the Product;

please report it to us by contacting our dedicated Vulnerability Response Team at vulnerability@daikineurope.com.

 

When reporting a vulnerability, please provide the following information:

  • Model name(s) of the affected Product(s) and/or information that allows the affected Products to be identified;
  • Description of the vulnerability, including how it can be identified or reproduced;
  • Potential impact of the vulnerability;
  • Proof-of-concept code or other evidence demonstrating the vulnerability (if applicable);
  • Your contact information (provision of personal data⁴ is not required).

Acknowledgement of Receipt

Upon receiving a vulnerability report, the Vulnerability Response Team of Daikin Europe will acknowledge receipt of the report to the individual or entity who submitted it (hereinafter referred to as the “Reporter”) within 7 calendar days. The acknowledgement will include a tracking number or identifier for reference purposes. If further information is required to investigate the reported vulnerability, the Vulnerability Response Team will communicate this to the Reporter promptly after sending the acknowledgement of receipt.

Investigation 

Daikin Europe is committed to promptly investigating all reported vulnerabilities and taking appropriate action to address them. Our Vulnerability Response Team will coordinate within our organization to ensure that the validity, severity, and scope of each reported vulnerability are properly assessed.

Daikin Europe recognizes the importance of transparency and collaboration in effectively managing reported security vulnerabilities. Consequently, throughout the investigation process, the Vulnerability Response Team will provide regular updates to the Reporter, at least on a monthly basis, on the status of our progress, including any significant findings or further developments.

Remediation

After the vulnerability has been analysed, and if a fix is necessary to address it, fixes will be prepared by Daikin Europe and/or its third-party suppliers. Fixes will be designed to address the identified vulnerability without compromising the functionality or usability of the affected Product(s). Once fixes are developed and tested for effectiveness, they will be distributed through regular channels, such as over-the-air updates, firmware updates or software patches, depending on the nature of the vulnerability. If needed, our business partners, including resellers and installers, will be informed of any required actions on their part, such as assisting with the distribution of patches to end-users or providing guidance on patch application.

Following the remediation of reported vulnerabilities, Daikin Europe will conduct post-mortem analyses to evaluate the effectiveness of the response process and identify areas for improvement. Lessons learned from each vulnerability remediation effort will be documented and incorporated into future response procedures to enhance the process of handling reported vulnerabilities.

The Reporter will be informed of the deployment of fixes and any additional steps taken to mitigate the vulnerability.

Confidentiality and Disclosure of Reported Vulnerabilities 

Daikin Europe is committed to responsible disclosure of security vulnerabilities to our customers and end-users. Once a vulnerability has been fully investigated, Daikin Europe will determine an appropriate disclosure plan, such as the communication concerning the availability of patches and instructions on how to apply them. The Vulnerability Response Team will inform the Reporter accordingly. Our goal is to ensure that the affected parties are informed about serious security risks and provided with guidance on how to mitigate them.

Daikin Europe acknowledges the inherent risks associated with disclosing vulnerabilities prematurely, and therefore emphasizes to the Reporters that any such disclosure, while the vulnerability remains unresolved, presents a significant security threat, particularly to end-users of the affected Products, including their data and privacy. Premature disclosure could potentially facilitate exploitation by malicious entities. Therefore, we request that Reporters of potential vulnerabilities maintain strict confidentiality and refrain from disclosing any information regarding the suspected vulnerability to third parties, unless expressly authorized in writing by Daikin Europe or mandated by applicable law.

Notice

This Vulnerability Reporting and Disclosure Policy is subject to periodic review and may be updated or amended as necessary to reflect changes in technology, applicable laws, or best practices.

Legal Notice

1 Personal data means any information that can be used to directly or indirectly identify an individual as a natural person. This includes information such as name, surname, personal identification numbers, location, residence address and other similar information.

2 Applicable legislation includes:

- COMMISSION DELEGATED REGULATION (EU) 2022/30 of 29 October 2021 supplementing Directive 2014/53/EU of the European Parliament and of the Council with regard to the application of the essential requirements referred to in Article 3(3), points (d), (e) and (f), of that Directive

- Product Security and Telecommunications Infrastructure Act 2022 and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 made in exercise of the powers conferred by section 8C of the European Union (Withdrawal) Act 2018(1), and by sections 1(1), 3(1), 6(1), 9(3)(b) and (6), 15(3) and 77(2) of the Product Security and Telecommunications Infrastructure Act 2022(2)

3 Intended purpose means the use for which the Product is intended according to the label, installation and/or operational manuals, and promotional or sales materials of Daikin Europe.

4 If nevertheless provided, any personal data provided by the Reporter will be processed in accordance with our Data Protection Policy.