Incident Response and Vulnerability Disclosure Process

The process is composed of 4 main phases, triggered by the receipt of a vulnerability report and managed by Electrolux PSIRT (Product Security Incident Response Team); these phases are:

  1. Identification
    • The PSIRT acknowledges receipt of the report to the reporter
    • PSIRT forwards the report to the relevant internal stakeholders and identifies the owner
  2. Investigation
    • The owner and relevant stakeholders reproduce the issue, involving the reporter where anything is unclear; they then send the outcome of the investigation to PSIRT and together deliberate whether an action is required
    • The reporter is notified of the outcome and the related rationale
    • If PSIRT and the owner deem that an action is to be taken, the report is investigated further
  3. Mitigation
    • Relevant stakeholders are involved in order to develop and deploy a mitigation solution, possibly including communication with the reporter. PSIRT is notified when the solution is deployed
  4. Publication
    • PSIRT takes care of publishing an advisory with the vulnerability details and mitigation strategy, agrees the closing date with the relevant stakeholders and owner, and performs a post-incident review recording potential lessons learned.