Hasselblad Security Response Center

Hasselblad Team Statement

1. Hasselblad attaches great importance to the information security of its products and business systems. We promise to have a dedicated person responsible for following up on, providing feedback on, and analyzing and processing each reporter's submission in a timely manner.

2. Hasselblad always puts the interests of users first and does its best to protect the interests of Hasselblad users.

3. Hasselblad opposes and condemns the following behaviors and reserves the right to pursue liability according to law:

(1) Using testing as an excuse to exploit vulnerabilities in ways that cause damage or harm the interests of users, including but not limited to exploitation of the vulnerability itself.

(2) Using vulnerabilities to steal the information, privacy, or virtual property of users.

(3) Downloading any Hasselblad code or data during vulnerability testing.

(4) Using vulnerabilities to attack Hasselblad’s system, causing system downtime or failure.

(6) Intimidation or extortion by exploiting security vulnerabilities, or maliciously exaggerating the impact of vulnerabilities to cause public panic.

(7) Irresponsible disclosure of vulnerabilities, malicious propagation of vulnerabilities, or disclosing, disseminating, or trading vulnerabilities after reporting them but before they are repaired.

(8) Security testing that is harmful or has uncontrollable results.

(9) Conducting testing that violates international laws or local regulations.

(10) Failure to properly preserve data during vulnerability testing, causing Hasselblad to suffer losses.

If you have any questions during the testing process, please contact Hasselblad (support.app@hasselblad.com) at any time, and we will provide you with detailed guidance.

Vulnerability reporting process

1. Vulnerability reception: Send an email to Hasselblad's official email address, support.app@hasselblad.com, and submit a vulnerability report at the same time.

2. Vulnerability assessment: We will promptly confirm the validity of the vulnerability and its possible impact scope.

3. Vulnerability remediation: We will repair the vulnerability according to its actual circumstances and notify you of the repair progress by email.

4. Release of repair information: We will release vulnerability fix information to users via email.

During the vulnerability report process, if you have any objections about the process, the vulnerability grading, etc., you can communicate with a Hasselblad staff member by sending an email titled [Hasselblad Vulnerability Processing Objection] to support.app@hasselblad.com. If you have any comments or suggestions about this program, you can send your feedback via email to support.app@hasselblad.com. You will receive a confirmation email from the Hasselblad Security Response Center within 5 working days. Hasselblad will continue to follow up on the vulnerability feedback until it is resolved.

Vulnerability report validity range

In principle, all products and services provided by HASSELBLAD are in scope. This includes virtually all content in the following domains:

Websites: hasselblad.com

Applications: PHOCUS

Hardware: all products within the HASSELBLAD security maintenance life cycle.

Vulnerability reporting requirements

Compliant, high-quality vulnerability reports speed up the Hasselblad vulnerability assessment process. A high-quality report includes:

1. A detailed description of the vulnerability, including its ease of exploitation and the harm it could cause.

2. Detailed steps to reproduce the vulnerability.

3. Provide detailed test environment information, including:

(a) The URL or app and the code fragments involved in the vulnerability. For devices, provide the model, firmware version, and serial number (SN) of the device.

(b) The public IP address you are using for testing.

(c) The user account you used during testing.

(d) A non-destructive proof of concept (PoC) for the vulnerability (for example, for an RCE vulnerability, run "hello world" rather than any other command).

(e) Keep the data generated during the test and submit it as an attachment to the report.

Vulnerability Rating Guideline

Critical-, high-, and moderate-severity vulnerabilities will be fixed within 90 working days, and low-severity vulnerabilities within 180 working days. Vulnerability fixes may be constrained by the environment or hardware, so the actual fix time will be confirmed on a case-by-case basis.

Vulnerability Rating Guideline - Products

Severity / Consequence of successful exploitation

Critical

● Arbitrary code execution in the Trusted Execution Environment ("TEE")

● Remote arbitrary code execution to hijack a large number of devices

● Remote permanent denial of service (device malfunction: completely permanent or requiring re-flashing the entire operating system)

● Secure boot bypass (only for devices with a secure boot mechanism)

High

● Unauthorized access to data secured by the TEE

● Remote arbitrary code execution to hijack a single device

● Remote temporary device denial of service (remote hang or reboot)

● Remote access to user data (depending on the impact)

Moderate

● Local arbitrary code execution without hardware modifications

Low

● Local arbitrary code execution requiring hardware attacks

Acknowledgement

● Vulnerabilities that require modification or alteration of products

Vulnerability Rating Guideline - Apps

Severity / Consequence of successful exploitation

Critical

● Remote code execution that might cause severe consequences

● Vulnerabilities that could cause leaks of a substantial amount of user data (depending on the impact)

High

● Remote code execution that could tamper with crucial parameters

Moderate

● Restricted remote code execution

● Vulnerabilities that could cause leaks of user data (depending on the impact)

● Local arbitrary code execution

Low

● Buffer overflow that nonetheless does not provide a method of exploitation

Acknowledgement

● Software bugs, user interface abnormalities or crashes that cannot be exploited or do not provide a method of exploitation

Vulnerability Rating Guideline - Servers

Severity / Consequence of successful exploitation

Critical

● Vulnerabilities that could cause a [1] substantial amount of crucial servers to be controlled (depending on the number of affected users and importance to HASSELBLAD) and data to be compromised

● Vulnerabilities that could cause leaks of a substantial amount of [2] crucial user information (e.g., credit card and social identity card information)

● Vulnerabilities that could obtain any user's authority or crucial information (e.g., credit card and social identity card information) stored on crucial servers

● Other vulnerabilities that HASSELBLAD deems could cause severe damage to HASSELBLAD or its users

High

● Vulnerabilities that could compromise non-crucial server(s), or that could compromise crucial server(s) but not data

● Vulnerabilities that could cause leaks of some or a few items of crucial user information (e.g., credit card and social identity card information)

● Vulnerabilities that could cause unauthorized access to important servers (depending on the impact)

● Vulnerabilities that could cause unauthorized access to the backend service administration site

● Logic vulnerabilities in crucial business flows, e.g., payment processing or password retrieval

Moderate

● Vulnerabilities that could cause leaks of a substantial amount of [3] general user data (e.g., shipping address, phone number)

● Vulnerabilities that could randomly obtain any user's authority

● Vulnerabilities that could cause a limited amount of data modification

● Remote denial of service attack (remote DoS)

Low

● XSS (depending on the actual impact)

● CSRF (depending on the actual impact)

● Feasible brute force attacks, bulk registration, malicious ordering, etc.

● Server information leakage, e.g., phpinfo, paths on the server

● Potential phishing attack, man-in-the-middle attack (depending on the actual impact)

● Vulnerabilities that have been made public but are not yet solved in the staging environment (depending on the actual impact)

Acknowledgement

● Self-XSS

● Login/Logout CSRF, CSRF without actual influence

● Clickjacking

● Infrastructure vulnerabilities, including:
  Certificate/TLS/SSL related issues
  DNS issues (e.g., MX records, SPF record set, etc.)
  Server configuration issues (e.g., open ports, TLS, etc.)

● Vulnerabilities that could cause impact only through outdated browser versions (e.g., IE6)

● Iframe-nested phishing attack

[1] "Substantial amount" generally indicates over 10,000.

[2] Crucial user information includes direct identifiers, such as social identity card, passport, credit card, driver's license, and shipping address.

[3] General user information includes phone number, email address, user ID, etc.