Coordinated Vulnerability Disclosure Statement
Stanley Black & Decker is committed to ensuring the safety and security of our employees, contractors, customers and others who use our products and services. As part of this commitment, we’ve established a coordinated vulnerability disclosure program to provide guidance for our digital products and information systems.
We recognize that the security researcher community regularly makes valuable contributions to the security of organizations and the broader Internet, and that fostering a close relationship with the community will help improve our own security. You are encouraged to disclose to us any vulnerability in a Stanley Black & Decker digital product, website or web application.
Stanley Black & Decker Vulnerability Disclosure Policy
This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities directed at Stanley Black & Decker’s digital products and information systems, and for submitting discovered vulnerabilities to Stanley Black & Decker.
The security researcher community regularly makes valuable contributions to the security of organizations and the broader Internet, and Stanley Black & Decker recognizes that fostering a close relationship with the community will help improve our own security.
Information submitted to Stanley Black & Decker under this policy will be used for defensive purposes – to mitigate or remediate vulnerabilities in our digital products, networks or applications, or the applications of our vendors.
This policy only applies to the activities of a security researcher involved in the process of security research testing with the intent of sharing the results with Stanley Black & Decker.
It covers any digital product, public-facing website or web API owned, operated, or controlled by Stanley Black & Decker, including web applications hosted on those products and sites.
How to Submit a Report
Please provide a detailed summary of the vulnerability, including:
- Type of issue
- Digital product, version, and configuration of software containing the bug
- Step-by-step instructions to reproduce the issue
- Impact of the issue
- Suggested mitigation or remediation actions, as appropriate
Stanley Black & Decker will operate in good faith with researchers who discover, test, and submit vulnerabilities, or indicators of vulnerabilities, in accordance with these guidelines. Please limit your activities to the following:
- Tests to detect a vulnerability or identify an indicator related to a vulnerability; or
- Disclosing a vulnerability, defect, or flaw with Stanley Black & Decker.
Furthermore, we ask for the following consideration during your testing:
- Your research actions should not harm or exploit any vulnerability identified by you or any existing published vulnerability.
- Your research actions must avoid attempting to access or retrieve the contents of any Stanley Black & Decker data in transit or data at rest.
- You should not exfiltrate any data under any circumstances.
- You should not compromise the privacy or safety of Stanley Black & Decker personnel or any third parties.
- You should not intentionally compromise the intellectual property or commercial interests of any Stanley Black & Decker personnel or entities, or any third parties.
- Stanley Black & Decker supports disclosure in the effort of educating the security community. If you do publish your work, please redact all references to the Stanley Black & Decker name, as well as any other sensitive or identifying material, unless we have given written permission to use it.
- You should not conduct Denial of Service (DoS) or Distributed Denial of Service (DDoS) testing.
- You should not conduct any type of social engineering, including spear phishing or ransomware, of Stanley Black & Decker personnel or contractors.
- You should not submit a high volume of low-quality reports.
If at any point you are uncertain whether to continue testing, please engage with our team.
What You Can Expect From Us
We take every report seriously and appreciate the efforts of security researchers. We will strive to investigate every report to ensure that appropriate steps are taken to mitigate risk and remediate reported vulnerabilities.
Stanley Black & Decker has a unique information and communications technology footprint that is tightly interwoven and globally deployed. Stanley Black & Decker must therefore take extra care while investigating the impact of any vulnerability and then preparing a remediation plan. We ask for your patience during this process.
Within seven business days, we will acknowledge receipt of your report.
Stanley Black & Decker’s security team will investigate the submitted report. Bear in mind that we may contact you for further information. To the best of our ability, we will confirm the existence of the vulnerability by communicating with you. We will keep the researcher informed, as appropriate, as remediation of the vulnerability progresses.
Where necessary, if we are unable to resolve any communication issues, or any other problems, then Stanley Black & Decker may invoke the services of a neutral third party to help resolve any issues.
You must comply with all applicable International, Federal, State, and local laws, including applicable Data Protection Law in connection with your security research activities or other participation in this vulnerability disclosure program.
Stanley Black & Decker does not authorize, permit, or otherwise expressly or generally allow any person, including any individual, group of individuals, consortium, partnership, or any other business or legal entity to engage in any security research or vulnerability or threat disclosure activity that is inconsistent with this policy or the law. If you engage in any activities that are inconsistent with this policy or the law, you may be subject to criminal and/or civil liabilities.
You agree that You shall not, without the prior written consent of Stanley Black & Decker in each instance (i) use in advertising, publicity or otherwise the name of Stanley Black & Decker or its Affiliates or any trade name, trademark, trade device, service mark, symbol or any abbreviation, contraction or simulation thereof owned by Stanley Black & Decker or its Affiliates, or (ii) represent, directly or indirectly, any service or work provided by You as approved or endorsed by Stanley Black & Decker or its Affiliates.
You agree that any personally identifiable information, and any other company information acquired or accessed by you as part of this exercise (other than the vulnerability found by you) is confidential to Stanley Black & Decker. You shall hold such confidential information in strict confidence and shall not copy, reproduce, sell, assign, license, market, transfer or otherwise dispose of, give or disclose such information to third parties or use such information for any purpose other than for the performance of your security research work.
By clicking “Submit Report,” you are indicating that you have read, understand, and agree to the guidelines described in this policy for the conduct of security research and disclosure of vulnerabilities or indicators of vulnerabilities related to Stanley Black & Decker digital products and information systems, and consent to having the contents of the communication and follow-up communications stored.
If you conduct your security research and vulnerability disclosure activities in accordance with the restrictions and guidelines set forth in this policy, Stanley Black & Decker will not initiate or recommend any law enforcement or civil lawsuits related to such activities. To the extent that any security research or vulnerability disclosure activity involves the products, networks, systems, information, applications, products, or services of a non-Stanley Black & Decker entity (such as a Craftsman licensee or Stanley supplier), Stanley Black & Decker will take steps to make known that your activities were conducted pursuant to and in compliance with this
Stanley Black & Decker may modify the terms of this policy or terminate the policy at any time.
Original Publication: July 2019
Last Updated: September 2020