
Vulnerability Disclosure Policy

Introduction

Clementoni S.p.A. is committed to ensuring the security and integrity of its systems, products, and services. In line with applicable European Union cybersecurity and data protection regulations, Clementoni S.p.A. has established this Vulnerability Disclosure Policy (“VDP”).
This policy defines a clear and responsible framework for reporting security vulnerabilities and supports coordinated vulnerability disclosure in accordance with EU best practices.

Scope

This policy applies to all systems, services, and products owned, operated, or maintained by Clementoni S.p.A. It outlines the processes for reporting vulnerabilities and our commitment to responding to these reports.

Authorization

This Vulnerability Disclosure Policy is adopted by Clementoni S.p.A. in accordance with applicable European Union cybersecurity and product security regulations, including in particular:

  • Directive (EU) 2022/2555 (NIS 2 Directive), concerning measures for a high common level of cybersecurity across the Union, which promotes coordinated vulnerability disclosure and responsible security research.

  • Regulation (EU) 2024/2847 (Cyber Resilience Act – CRA), which requires manufacturers of products with digital elements to implement processes for handling and disclosing vulnerabilities throughout the product lifecycle.

  • Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR), specifically Article 32, which requires appropriate technical and organisational measures to ensure the security of personal data.

  • Regulation (EU) 2019/881 (EU Cybersecurity Act), which establishes a unified European framework for cybersecurity, strengthens ENISA’s mandate, and introduces EU‑wide cybersecurity certification schemes for ICT products, services, and processes. It promotes coordinated vulnerability disclosure practices and enhances the overall cybersecurity resilience and trust within the EU digital single market.

  • Relevant international standards and best practices, including ISO/IEC 29147 (Vulnerability Disclosure) and ISO/IEC 30111 (Vulnerability Handling Processes).

Through this Policy, Clementoni S.p.A. formalises its commitment to receiving, assessing, and remediating reported security vulnerabilities in a responsible, coordinated, and legally compliant manner, while fostering cooperation with security researchers and protecting users, customers, and partners within the European Union.

Reporting a Vulnerability

If you believe you have discovered a potential security vulnerability in any of our systems, please report it to us using the following process:

1. **Email Submission:** Send an email to assistenza@clementoni.it with the subject line "Vulnerability Disclosure".

2. **Include Details:** Provide a detailed description of the vulnerability, including:

| Field | M/O | What to provide |
|---|---|---|
| Title of vulnerability | M | Concise summary categorising the vulnerability, and where it can be found |
| Asset | M | Web address, IP address, system, product, service name, etc. where the vulnerability can be observed |
| Weakness | O | Such as a CWE identifier |
| Severity of the vulnerability | O | Such as low, medium, high or critical, and the score calculated via CVSS |
| Description of the vulnerability | M | A summary of the vulnerability; supporting files (e.g. screenshot or video); any mitigations or recommendations |
| Steps to reproduce the vulnerability | M | Clear and descriptive steps to reproduce the vulnerability; proof-of-concept code if available |
| Potential impact of the vulnerability | M | The effects of successfully exploiting the vulnerability |

*M = Mandatory

*O = Optional


3. **Contact Information:** Your contact information (name and email address) so we can reach you for further information if necessary. These details are optional, to enable anonymous reporting.

What to Expect

- **Acknowledgment:** We will acknowledge receipt of your report within 2 business days.

- **Assessment:** Our security team will assess the report to verify the vulnerability.

- **Response:** We will provide an initial assessment of the vulnerability, including an estimated timeline for resolution, within 30 business days.

- **Credit:** If you wish to be publicly acknowledged for your discovery, please indicate so in your initial report. We will credit you in our security advisories unless you prefer to remain anonymous.

Good Faith Research

We expect security researchers to:
- Act in good faith to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data.
- Follow this policy and any other relevant agreements or laws.

No Legal Action

To encourage responsible vulnerability research and reporting, we will not take legal action against individuals who:
- Act in accordance with this policy.
- Report vulnerabilities without any malicious intent.
- Avoid actions that could harm our systems, services, or data.

Out of Scope

The following types of activities are out of scope and should not be conducted:
- Denial of Service (DoS) attacks.
- Social engineering or phishing attacks against our staff or users.
- Physical attacks against our offices or data centers.

Commitment to Confidentiality

All information shared with us during vulnerability reporting will be handled confidentially and will not be shared with third parties without the reporter's consent, except as required by law.

Contact Information

For any questions or clarifications regarding this policy, please contact us at:
- Email: assistenza@clementoni.it

- Phone: +39 07175811

Updates to This Policy

This policy may be updated periodically. The latest version will always be available on our official website at clementoni.com.

Acknowledgment

We appreciate the efforts of security researchers who report vulnerabilities and support us in improving the security of our systems, services, and products.

Your contribution plays a key role in maintaining a high level of cybersecurity for our users, customers, and partners.

By following this Policy, you agree to comply with the outlined procedures and to act in good faith.
Clementoni S.p.A. reaffirms its commitment to handling reported vulnerabilities in accordance with applicable European Union cybersecurity and data protection regulations, as well as with recognised international standards and best practices.
