Responsible Disclosure Policy
FENDI considers its systems, and in particular, personal data, as fundamental assets for the company, for which security and confidentiality constitute an essential factor for the trust of its clients.
Despite a strong focus on security, some vulnerabilities may not be noticed during releases to the public or new ones may emerge.
If you discover a vulnerability regarding the FENDI domains and you want to share it with us, we ask you, in the spirit of responsible disclosure, to send us a report relating to such vulnerability by following this “Responsible Disclosure” policy.
- the report must not be made anonymously, should be submitted only through the channel indicated at the following link, and must contain the main information needed to allow us to identify and reproduce the vulnerability that you intend to share;
- keep the vulnerabilities discovered strictly confidential and secret, and undertake not to disclose them or make them available to third parties until such time as Fendi communicates that appropriate counter-measures have been applied and, in any case, only after first sharing with Fendi the contents you intend to disclose, in the interests of reciprocal protection, so as to avoid the involuntary circulation of company information that is not associated with the vulnerability and that must remain confidential;
- where the reporter is a legal person (public or private), a corporate body, a group or another associative form, whoever sends the report must limit access to the information regarding the identified vulnerability to their employees and only as strictly necessary for their activity, ensuring that all suitable and appropriate measures are put in place to guarantee confidentiality and the aforementioned limits on access to and use of information on the vulnerabilities discovered;
- collaborate with Fendi’s Security team and the work groups involved;
- refrain from any activity that could entail a violation, loss and/or destruction of data relating to the systems and services involved in the report, or that would negatively impact or interrupt services. Thus, it is expressly prohibited to:
  - access, modify or download data;
  - carry out actions comparable to “Denial of Service” attacks that may damage the functioning of any FENDI asset or resource;
  - upload, link, execute or send malicious code using the FENDI systems;
  - carry out tests whose result would be the sending of undesired messages, spam or other forms of unauthorised messages.
Once the report has been received, FENDI will do its utmost to:
- send a reply within 20 days, supplying information on the relevance of the report with regard to the Responsible Disclosure policy and on the outcome of the preliminary analysis carried out by FENDI;
- maintain the confidentiality of the report, subject to the fulfilment of legal obligations and/or orders from authorities.
FENDI considers the confidentiality period to last until the vulnerability has been closed and the reporter has subsequently been informed of the closure.
Notices relating to the following cases are excluded from the present Responsible Disclosure policy and will consequently be rejected without further validation:
- results of automated vulnerability tools, assessment/penetration testing/information gathering;
- results of Denial of Service attacks (DoS, DDoS), for which FENDI reserves the right to undertake appropriate action;
- results of assessments conducted through specialised sites;
- bugs relating to the User Interface or the User Experience that do not constitute a breach of security (e.g. typing errors, errors in page formatting);
- observations on domains not directly managed by FENDI or in any case not forming a part of the previously stipulated boundaries to which the policy applies;
- all notices not connected with security and the Responsible Disclosure policy.
Fendi will process all personal contact information of the reporting individual (name, email and optionally a telephone number) for the sole purposes of managing the follow-up on the report and carrying out the necessary actions in relation to the vulnerability reported. The personal data of the reporting individual may be communicated to the appropriate authorities and to third-party companies that offer us research services in relation to the vulnerability reported.
Fendi expresses its thanks for any reports but clarifies that no reward is offered (monetary or otherwise) for reporting in relation to alleged or identified vulnerabilities.
Fendi reserves the right not to handle reports that do not respect the requirements stipulated in the present Responsible Disclosure policy.
FENDI reserves the right to update the Responsible Disclosure policy described above at any moment.