
Product Vulnerabilities

Reporting and Managing Product Vulnerabilities

Kyocera Document Solutions (referred to as "Kyocera," hereafter) is committed to providing secure products and services (referred to as "Products," hereafter) such as MFPs, printers, solutions, and applications.

Cyberattacks have become more severe and sophisticated around the world. Kyocera constantly monitors these advanced cyberattacks to reduce cybersecurity risks and enhance customers’ cybersecurity and privacy when using our products. Under these circumstances, our commitment to customers is for us to make a vulnerability response in a timely and efficient manner from the initial investigation up to the resolution of reported vulnerability issues. This commitment enables our customers to use our products securely and with ease.

As such, the Product Security Incident Response Team (PSIRT) oversees Kyocera’s Vulnerability Disclosure Policy, ensuring fast and effective management of potential vulnerabilities and protecting Kyocera’s customers and the broader consumer.

This Vulnerability Disclosure Policy applies in the following circumstances:

  • A potential vulnerability affecting products is disclosed to the public.
  • A potential vulnerability existing in products is reported by an external third party.
  • A vulnerability impacting released products is discovered internally.

Information relating to reporting and the handling of (potential) vulnerabilities can be found below. 

Reporting potential vulnerabilities

Kyocera recognises the important work that academic bodies and consumer-focused organizations do in the proactive identification and reporting of vulnerabilities, for the improved protection and security of the consumer.

Reporting of potential vulnerabilities by such bodies and individuals can be made by emailing compliance@duk.kyocera.com.

In order to better assist Kyocera with reviewing and verifying potential vulnerabilities, we kindly request reporters to provide the following information as part of their report:

  • Reporter's name and contact information,
  • Name of the product that contains the potential vulnerability,
  • The product version that contains the potential vulnerability,
  • Type of the potential vulnerability (e.g., Information Disclosure, Privilege Escalation, Remote Code Execution, Print Job Manipulation, etc.)
  • Impact of the potential vulnerability,
  • Steps in the specific and detailed process to reproduce the potential vulnerability,
  • The circumstances an attacker would require to exploit the vulnerability,
  • Proof-of-concept code,
  • Public, third-party reports of vulnerabilities (i.e., references),
  • Date when you have discovered the vulnerability,
  • Any other additional information.

Kyocera shall acknowledge vulnerability reports received in no less than 5 working days and shall ensure ongoing communication of the issue. 

Handling of vulnerabilities

Once a vulnerability is discovered, Kyocera focuses on responding promptly and appropriately, including responding to customers based on the security vulnerability information, through the following four steps:

  • Gathering and sharing security vulnerability information,
  • Investigating security issues and analyzing their impact on our products,
  • Taking security measures against vulnerabilities, and
  • Announcing to the public.

Kyocera does not consider issues caused by a weakness in your own coding or configuration that results in a vulnerable design to be a Kyocera vulnerability.

We value vulnerability information submitted by reporters. However, whether the reported vulnerability information applies to the vulnerability handling scope will be determined by Kyocera PSIRT.

Information relating to vulnerabilities disclosed under our Vulnerability Disclosure Policy can be found at the following link:

https://www.kyoceradocumentsolutions.com/en/our-business/security

Expectations of those reporting vulnerabilities

Vulnerability reporters have a moral obligation to ensure they are acting in a manner that complies with law and is to the benefit of the wider consumer.

As such, here is some general guidance that should be followed when reporting potential vulnerabilities.

Reporters should:

  • Be compliant with all relevant laws/acts, standards, data protection, and privacy laws.
  • Securely delete all data used during your vulnerability investigation/analysis/research as soon as it is no longer required.

Reporters should not:

  • Violate laws/regulations/standards enacted in respective countries/regions.
  • Share or re-distribute any data obtained through our products to third parties.
  • Submit the report by using a product obtained improperly through a malicious person.
  • Attempt to contact us over vulnerable (insecure) communication channels.
  • Report any vulnerabilities related to Denial of Services (DoS or DDoS), e.g., overwhelming our service with a high volume of requests.
  • Submit the report on products that are not brought in line with best practices.
  • Submit the report on TLS configuration weaknesses e.g., TLS1.0 support.
  • Use social engineering attacks.
  • Demand monetary compensation to disclose any vulnerabilities. 

Your Privacy

Kyocera Document Solutions (UK) Limited (“Kyocera”, “we” or “us”), located at Eldon Court, 75-77 London Road, Reading RG1 5BS, issued this Privacy Statement (“Statement”) to inform you, the person who initiated the Security Issue report (“Report”), about the processing of the personal data you provided to us with reference to the Report.

INTRODUCTION

In this Statement, we will explain in detail the following:

  1. For which purpose we are processing your personal data;
  2. On what legal basis we are processing your personal data;
  3. With whom we share your personal data;
  4. To which countries we transfer your personal data;
  5. For how long we keep your personal data;
  6. Which technical and organizational measures we have taken;
  7. What your legal rights are concerning us processing your personal data;
  8. How you can contact us and other important information.

1 - For which purpose we are processing your personal data

The personal data provided to us with reference to the Report shall be exclusively used for the purposes stated by laws and regulations with regard to the security of products and services. The purposes include reporting and responding to security issues for Kyocera products and services. This can also include contacting you if we require further information about your discovery and report of security issues. Kyocera may process the following categories of personal data: name, email address, phone number and personal data voluntarily provided by you in the Report.

2 - On what legal basis we are processing your personal data

Kyocera processes your personal data as it is necessary for Kyocera’s compliance with the legal obligations (Article 6.1 (c) of the UK Data Protection Act 2018 and/or Article 6.1 (c) of the GDPR REGULATION (EU) 2016/679).

3 - With whom we share your personal data

We shall only share your personal data with organisations within the Kyocera group (for the purposes of processing your vulnerability report) or with regulatory bodies if legally required to do so.

The key Kyocera entities with which data will be shared are:

  • Kyocera Document Solutions Inc. located at 1-2-28 Tamatsukuri, Chuo-ku, Osaka 540-8585, Japan (the defined manufacturer under the PSTI Act),
  • KYOCERA Document Solutions Europe Management B.V located at Beechavenue 27, 1119 RA, Schiphol-Rijk, The Netherlands.

4 - International Data Transfer

Kyocera relies on the European Commission adequacy decision that was adopted for Japan on 23 January 2019 as our primary data transfer mechanism. Where the adequacy decision does not apply, such as to other cross-border data transfers, Kyocera will rely instead on other safeguards to transfer personal data, such as Standard Contractual Clauses.

5 - For how long we keep your personal data

Personal data collected and processed for the purposes indicated above shall be retained for the period necessary to resolve the security issues of our products and services that you reported to us, but not longer than required by the laws and regulations referred to in Section 1.

We securely delete your personal data without undue delay after your personal data is no longer required to address security issues you reported to us.

6 - Which technical and organizational measures we have taken

We take the security of your personal data very seriously and take all reasonable efforts to protect your personal data from loss, misuse, theft, unauthorized access, disclosure or modification.

7 - Your rights

According to the applicable data protection law, you have the following legal rights that we wish to inform you of: 

A.  The right to access your personal data.

B.  The right to rectify your personal data in case it is inaccurate or incomplete.

C.  The right to have your personal data deleted (“right to be forgotten”).

D.  The right to restrict the processing of your personal data.

E.  The right to object to the processing of your personal data.

F.  The right to data portability.

G.  In case you provided your consent, you may withdraw your consent at any time.

H.  You can lodge a complaint with the applicable data protection Supervisory Authority.

8 - Exercising your rights and contacting us

If you wish to exercise any of your rights, or you have a question about this document, please contact: privacy@duk.Kyocera.com

License to Reported Vulnerability Information 

Kyocera does not claim any ownership rights to the information included in the reported Vulnerability Disclosure under this Policy, including, but not limited to, any data, text, material, program code, suggestion and recommendation received from the reporter (“Reported Vulnerability Information”). By providing any Reported Vulnerability Information to Kyocera, the reporter:

1 - Grants Kyocera the following non-exclusive, irrevocable, perpetual, royalty-free, worldwide, sub-licensable license to the intellectual property in the Reported Vulnerability Information:

(i) to use, review, assess, test, and otherwise analyze the Reported Vulnerability Information; and

(ii) to reproduce, modify, distribute, display and perform publicly, and commercialize and create derivative works of the Reported Vulnerability Information and all its content, in whole or in part, for the purpose of fixing the reported vulnerabilities, improving Products, and marketing, sale and promotion of such improved Products.

2 - Agrees to sign any documentation that may be required for us or our designees to confirm the rights the reporter granted above;

3 - Understands and acknowledges that we may have developed or commissioned materials similar or identical to the Reported Vulnerability Information, and the reporter waives any claims or rights it may have resulting from any similarities to the Reported Vulnerability Information;

4 - Understands and acknowledges that it is not guaranteed any compensation or credit for Reported Vulnerability Information; and

5 - Represents and warrants that it has not included any personal data in the Reported Vulnerability Information, that it has not used any information or intellectual property owned by a third party in violation of legal or contractual requirements, and that the reporter has the legal right to provide the Reported Vulnerability Information to us subject to this Policy.
