Last modified on: 03 February 2025

Introduction

Daikin Europe N.V. (“DENV”) is a fully-owned subsidiary of the Japanese company Daikin Industries Ltd. Daikin Group, together with its subsidiaries, produces, sells, distributes and markets air-conditioning, heating, ventilation and refrigeration equipment and solutions.

Daikin Europe N.V. together with its subsidiaries (hereinafter referred to as “Daikin Europe Group”) is committed to ensuring the security and integrity of its products, systems, services, and applications (hereinafter, the “Assets”) to safeguard, among other things, the protection of data, including personal data, and the privacy of end-users, as well as preventing any adverse impact on network functionality or misuse of network resources.

Purpose of this policy

The purpose of this policy is to:

  1. encourage responsible disclosure of any potential vulnerabilities discovered in Daikin Europe Group’s Assets, and
  2. establish a process for reporting security issues to Daikin Europe Group and addressing such issues promptly, effectively and in accordance with the applicable legislation².

Target audience

Individuals eligible to report vulnerabilities include, but are not limited to, security researchers, end-users, independent experts, industry partners, and members of the general public (hereinafter, the “Reporter”). Daikin Europe Group recommends reading this vulnerability disclosure policy fully before reporting a vulnerability and always acting in compliance with it.

Daikin Europe Group appreciates the contributions of all stakeholders in helping Daikin Europe Group to ensure the security of Assets. However, Daikin Europe Group does not offer monetary rewards for vulnerability disclosures.

Scope

This Vulnerability Reporting and Disclosure Policy applies to any Assets that, if compromised, could potentially harm Daikin Europe Group or impact its operations. This includes, but is not limited to, all products manufactured and/or supplied by Daikin Europe Group, as well as digital assets, third-party applications, and IT infrastructure utilized within Daikin Europe Group’s business environment.

Reporting

In case of discovery of a security vulnerability, please submit it to Daikin Europe Group using the following address: vulnerability@daikineurope.com

When reporting a vulnerability, please provide the following information:

  • Model name(s) or identifier(s) of the affected Assets and/or information allowing identification of the affected Assets;
  • Description of the vulnerability, including how it can be identified or reproduced;
  • Potential impact of the vulnerability;
  • Proof-of-concept code (if available) or other evidence demonstrating steps to reproduce the vulnerability;
  • The Reporter’s contact information (provision of personal data⁴ is not required).

Acknowledgement of receipt

Upon receiving a vulnerability report, the Vulnerability Response Team of Daikin Europe Group will acknowledge the receipt of the report to the Reporter within 7 business days.

The acknowledgement will include a tracking number or identifier for reference purposes. If further information is required to investigate the reported vulnerability, the Vulnerability Response Team will communicate this to the Reporter.

Investigation

Daikin Europe Group’s Vulnerability Response Team will investigate within the organization to ensure that the validity, severity, and scope of each reported vulnerability is properly assessed.

Daikin Europe Group recognizes the importance of transparency and collaboration in effectively managing reported security vulnerabilities. Consequently, throughout the investigation process, the Vulnerability Response Team will provide regular updates to the Reporter on the status of its progress, including any significant findings or further developments.

Remediation

If Daikin Europe Group deems it necessary to address and resolve a vulnerability by applying a patch, configuration change, or other remediation measure (a "fix" or "fixes") to eliminate or mitigate the risk, Daikin Europe Group and/or its third-party suppliers will prepare the fixes. Fixes will be designed to address the identified vulnerability without compromising the functionality or usability of the affected Assets.

Once fixes are developed and tested for effectiveness, they will be distributed through regular channels, such as over-the-air updates, firmware updates, software patches, depending on the nature of the vulnerability. If needed, Daikin Europe Group’s business partners, including resellers and installers, will be informed of any required actions on their part, such as assisting with the distribution of patches to end-users or providing guidance on patch application.

Following the remediation of reported vulnerabilities, Daikin Europe Group will conduct post-mortem analyses to evaluate the effectiveness of the response process and identify areas for improvement. Lessons learned from each vulnerability remediation effort will be documented and incorporated into future response procedures to enhance the process of handling reported vulnerabilities.

The Reporter will be informed of the deployment of fixes and any additional steps taken to mitigate the vulnerability.

Confidentiality and disclosure of reported vulnerabilities

Daikin Europe Group is committed to responsible disclosure of security vulnerabilities to its customers and end-users. Once a vulnerability has been fully investigated, Daikin Europe Group will determine an appropriate disclosure plan, such as the communication concerning the availability of fixes and instructions on how to apply them. The Vulnerability Response Team will inform the Reporter accordingly. The goal is to ensure that the affected parties are informed about serious security risks and provided with guidance on how to mitigate them.

Daikin Europe Group acknowledges the inherent risks associated with disclosing vulnerabilities prematurely and, therefore, emphasizes to the Reporters that any such disclosure, while the vulnerability remains unresolved, presents a significant security threat, particularly to end-users of the affected Assets.

Premature disclosure could potentially facilitate exploitation by malicious entities. Therefore, Daikin Europe Group requests that Reporters of potential vulnerabilities maintain strict confidentiality and refrain from disclosing any information regarding the suspected vulnerability to third parties, unless expressly authorized in writing by Daikin Europe Group or mandated by applicable law.

Ethical hacking guidelines

What a Reporter MUST NOT do:

  • Illegal activity: Avoid any actions that violate applicable laws or regulations.
  • Excessive data access: Limit data access to what is necessary for the research.
  • Data modification: Refrain from altering any data within the organization's systems.
  • Destructive testing: Avoid using tools that could damage or disrupt the organization's systems.
  • Denial-of-service attacks: Do not attempt to overload or disable services.
  • Disruptive behaviour: Refrain from actions that could interfere with the organization's operations.
  • Trivial or non-exploitable vulnerabilities: Do not report vulnerabilities that cannot be exploited or are minor configuration issues.
  • Weak TLS configuration: Avoid reporting vulnerabilities related to weak TLS configurations unless they pose a significant security risk.
  • Unauthorized communication: Do not disclose vulnerabilities to anyone other than the designated security team or through the specified channels.
  • Social engineering or physical attacks: Do not attempt to deceive or physically harm the organization's staff or infrastructure.
  • Extortion: Do not demand payment for disclosing vulnerabilities.

What a Reporter MUST do:

  • Data protection: Respect the privacy of Daikin Europe Group’s users and staff.
  • Data security: Securely store any data obtained during the research.
  • Timely data deletion: Delete data immediately, as soon as it is no longer needed. In exceptional circumstances, where immediate deletion is technically impossible or legally restricted (e.g., due to backups or legal holds), the data must be deleted within a month of the vulnerability being fixed. This one-month timeframe represents the absolute maximum retention period, and every effort should be made to delete data as soon as possible.

Notice

This Vulnerability Reporting and Disclosure Policy is subject to periodic review and may be updated or amended as necessary to reflect changes in technology, applicable laws, or best practices.

Legal Notice

1 Personal data means any information that can be used to directly or indirectly identify an individual as a natural person. This includes information such as name, surname, personal identification numbers, location, residence address and other similar information.

2 Applicable legislation includes:

- COMMISSION DELEGATED REGULATION (EU) 2022/30 of 29 October 2021 supplementing Directive 2014/53/EU of the European Parliament and of the Council with regard to the application of the essential requirements referred to in Article 3(3), points (d), (e) and (f), of that Directive

- Product Security and Telecommunications Infrastructure Act 2022 and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 made in exercise of the powers conferred by section 8C of the European Union (Withdrawal) Act 2018(1), and by sections 1(1), 3(1), 6(1), 9(3)(b) and (6), 15(3) and 77(2) of the Product Security and Telecommunications Infrastructure Act 2022(2)

3 Intended purpose means the use for which the Product is intended according to the label, installation and/or operational manuals, and promotional or sales materials of Daikin Europe.

4 If nevertheless provided, any personal data provided by the Reporter will be processed in accordance with our Data Protection Policy.