Hasselblad Security Response Center

Hassleblad team Statement

1. Hasselblad attaches great importance to the information security issues of its products and business systems. We promise to have a dedicated person responsible for following up, providing feedback, and analyzing and processing each reporter's feedback in a timely response.

2. Hasselblad always puts the interests of users first and does its best to protect the interests of Hasselblad users.

3. Hasselblad opposes and condemns the following behaviors and reserves the right to pursue liability according to law:

(1) Using testing as an excuse to exploit vulnerabilities to cause damage and harm the interests of the user, including but not limited to exploitation.

(2) Using Loopholes to steal the information, privacy, and virtual property of the user.

(3) Downloading any Hasselblad codes and data during vulnerability testing.

(4) Using vulnerabilities to attack Hasselblad’s system, causing system downtime or failure.

(6) Intimidation and extortion by exploiting security vulnerabilities or maliciously exaggerating the impact of vulnerabilities to cause public panic

(7) Irresponsible disclosure of vulnerabilities, malicious propagation of vulnerabilities, or the act of disclosing, disseminating, or trading vulnerabilities after reporting vulnerabilities but before vulnerabilities are repaired.

(8) Safety testing behaviors that are harmful or have uncontrollable results.

(9) Conducting testing behaviors that violate international laws or local regulations.

(10) Failure to properly preserve data during vulnerability testing, causing Hasselblad to suffer losses.

If you have any questions during the testing process, please contact Hasselblad (support.app@hasselblad.com) at any time, and we will provide you with detailed guidance.

Vulnerability reporting process

1.Vulnerability reception: You can send an email to Hasselblad’s official email address support.app@hasselblad.com, and please submit a vulnerability report at the same time.

2.Vulnerability assessment: We will promptly confirm the validity of the vulnerability and the possible impact scope of the vulnerability.

3.Vulnerability remediation: Implement vulnerability repair according to the actual situation of the vulnerability, and we will notify you of the repair progress by email.

4.Release of repair information: We will release vulnerability fix information to users via email.

During the vulnerability report process, if you have any objections about this process, vulnerability grading, etc., you can communicate with a Hasselblad staff member by sending an email titled [Hasselblad Vulnerability Processing Objection] to support.app@hasselblad.com . If you have any comments or suggestions about this project, you can send your feedback via email to support.app@hasselblad.com. You will receive a confirmation email from the Hasselblad Security Response Center within 5 working days. Hasselblad will continue to follow up on the vulnerability feedback until it is resolved.

Vulnerability report validity range

In principle, all products and services provided by HASSELBLAD are intended to be in scope. This includes virtually all the contents in the following domains.

Websites include hasselblad.com

Applications include PHOCUS

Hardware includes all products within the HASSELBLAD safety maintenance life cycle.

Vulnerability reporting requirements

Compliant and high-quality vulnerability reports will speed up the Hasselblad vulnerability assessment process. High-quality reports include:

1. Describe the vulnerability in detail, please include the ease of exploitation and harm of the vulnerability.

2. Detailed steps to reproduce the vulnerability.

3. Provide detailed test environment information, including:

(a) URL or app and code fragments involved in the vulnerability. For devices, please provide the model, version, and SN of the device.

(b) The public IP address you are using for testing.

(c) The user account you used during testing.

(d) Non-destructive vulnerability POC (for example, for RCE vulnerabilities, run "hello world").

(e) Please keep the data during the test and submit it as an attachment to the report.

Vulnerabilities Rating Guideline

Critical-severity/high-severity/moderate-severity vulnerabilities will be fixed within 90 working days, and low-severity vulnerabilities will be fixed within 180 working days. Vulnerability fixes may be limited by environment or hardware, and the actual fix time will be confirmed on a case-by-case basis.