Security


Coordinated Vulnerability Disclosure Statement

Stanley Black & Decker is committed to ensuring the safety and security of our employees, contractors, customers and others who use our products and services. As part of this commitment, we’ve established a coordinated vulnerability disclosure program to provide guidance for our digital products and information systems.

We recognize that the security researcher community regularly makes valuable contributions to the security of organizations and the broader Internet, and that fostering a close relationship with the community will help improve our own security. You are encouraged to disclose to us any vulnerability in a Stanley Black & Decker digital product, website or web application.


Stanley Black & Decker Vulnerability Disclosure Policy

Purpose

This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities directed at Stanley Black & Decker’s digital products and information systems, and for submitting discovered vulnerabilities to Stanley Black & Decker.

Overview

The security researcher community regularly makes valuable contributions to the security of organizations and the broader Internet, and Stanley Black & Decker recognizes that fostering a close relationship with the community will help improve our own security.

Information submitted to Stanley Black & Decker under this policy will be used for defensive purposes – to mitigate or remediate vulnerabilities in our digital products, networks or applications, or the applications of our vendors.

Scope

Any digital product, public-facing website or web API owned, operated, or controlled by Stanley Black & Decker, including web applications hosted on those products and sites.

How to Submit a Report

In the form below, please provide a detailed summary of the vulnerability, including type of issue; digital product, version, and configuration of software containing the bug; step-by-step instructions to reproduce the issue; proof-of-concept; impact of the issue; and suggested mitigation or remediation actions, as appropriate.

By clicking “Submit Report,” you are indicating that you have read, understand, and agree to the guidelines described in this policy for the conduct of security research and disclosure of vulnerabilities or indicators of vulnerabilities related to Stanley Black & Decker digital products and information systems, and consent to having the contents of the communication and follow-up communications stored.

Guidelines

Stanley Black & Decker will deal in good faith with researchers who discover, test, and submit vulnerabilities or indicators of vulnerabilities in accordance with these guidelines:

Your activities are limited exclusively to –

  • Testing to detect a vulnerability or identify an indicator related to a vulnerability; or
  • Sharing with, or receiving from, Stanley Black & Decker information about a vulnerability or an indicator related to a vulnerability.
  • You do no harm and do not exploit any vulnerability beyond the minimal amount of testing required to prove that a vulnerability exists or to identify an indicator related to a vulnerability.
  • You avoid intentionally accessing the content of any Stanley Black & Decker data in transit or data at rest, except to the extent that the information is directly related to a vulnerability and the access is necessary to prove that the vulnerability exists.
  • You do not exfiltrate any data under any circumstances.
  • You do not compromise the privacy or safety of Stanley Black & Decker personnel or any third parties.
  • You do not intentionally compromise the intellectual property or commercial interests of any Stanley Black & Decker personnel or entities, or any third parties.
  • You do not publicly disclose any details of the vulnerability, indicator of vulnerability, or the content of information rendered available by a vulnerability, except upon receiving explicit written authorization from Stanley Black & Decker.
  • You do not conduct denial of service testing.
  • You do not conduct social engineering, including spear phishing, of Stanley Black & Decker personnel or contractors.
  • You do not submit a high-volume of low-quality reports.
  • If at any point you are uncertain whether to continue testing, please engage with our team.

What You Can Expect From Us

We take every disclosure seriously and appreciate the efforts of security researchers. We will investigate every disclosure and strive to ensure that appropriate steps are taken to mitigate risk and remediate reported vulnerabilities.

Stanley Black & Decker has a unique information and communications technology footprint that is tightly interwoven and globally deployed. Stanley Black & Decker must take extra care while investigating the impact of vulnerabilities and providing a fix, so we ask your patience during this period.

Within seven business days, we will acknowledge receipt of your report. Stanley Black & Decker’s security team will investigate the report and may contact you for further information. To the best of our ability, we will confirm the existence of the vulnerability to the researcher and keep the researcher informed, as appropriate, as remediation of the vulnerability is underway.

Where necessary or if we are unable to resolve communication issues or other problems, Stanley Black & Decker may bring in a neutral third party to assist in determining how best to handle the vulnerability.

Legal

You must comply with all applicable International, Federal, State, and local laws, including applicable Data Protection Law in connection with your security research activities or other participation in this vulnerability disclosure program.

Stanley Black & Decker does not authorize, permit, or otherwise allow (expressly or impliedly) any person, including any individual, group of individuals, consortium, partnership, or any other business or legal entity to engage in any security research or vulnerability or threat disclosure activity that is inconsistent with this policy or the law. If you engage in any activities that are inconsistent with this policy or the law, you may be subject to criminal and/or civil liabilities.

You agree that You shall not, without the prior written consent of Stanley Black & Decker in each instance (i) use in advertising, publicity or otherwise the name of Stanley Black & Decker or its Affiliates or any trade name, trademark, trade device, service mark, symbol or any abbreviation, contraction or simulation thereof owned by Stanley Black & Decker or its Affiliates, or (ii) represent, directly or indirectly, any service or work provided by You as approved or endorsed by Stanley Black & Decker or its Affiliates.

You agree that any and all information, including personal information, acquired or accessed by You as part of this exercise is confidential to Stanley Black & Decker and You shall hold the Confidential Information in strict confidence and shall not copy, reproduce, sell, assign, license, market, transfer or otherwise dispose of, give or disclose such information to third parties or use such information for any purpose other than for the performance of your work.

If you conduct your security research and vulnerability disclosure activities in accordance with the restrictions and guidelines set forth in this policy, Stanley Black & Decker will not initiate or recommend any law enforcement or civil lawsuits related to such activities. To the extent that any security research or vulnerability disclosure activity involves the products, networks, systems, information, applications, or services of a non-Stanley Black & Decker entity (such as a Craftsman licensee or Stanley supplier), Stanley Black & Decker will take steps to make known that your activities were conducted pursuant to and in compliance with this policy.

Stanley Black & Decker may modify the terms of this policy or terminate the policy at any time.