At Philip Morris, we strive to bring high-quality products to our consumers. This includes securing our digital and internet-connectable products and services by design, from production through to aftercare.

Our public Vulnerability Disclosure Policy (‘VDP’) is part of this commitment to further protect our Products and consumers. We value the expertise and support of the cybersecurity community in maintaining our high security standards by identifying potential vulnerabilities in our products and working with us to address them.

You can report a suspected security or privacy-related vulnerability you believe is affecting our Connected Products (i.e., our internet connected electronic devices, supporting software, web services, and mobile applications) at any time.

When you report a suspected vulnerability, we expect you to collaborate with us until it is resolved. For instance, we expect you to respond to our queries within a reasonable time frame (normally a few days).

PMI will not initiate legal actions against reporters who follow this policy to report vulnerabilities in good faith.

Please note that this program should not be used to:

  • Request technical support for our products or report product quality-related complaints. For such issues, please use the "Contact us" page (Contact us | PMI - Philip Morris International).
  • Report issues relating to our corporate IT systems.


Terms (rules of engagement)

As a responsible member of the cybersecurity community, you should only validate your findings on your own accounts and devices, or with authorization from their rightful owners, using ethical and lawful methods.

Reporter’s Responsibilities

  • Please submit your report in English.
  • Respect applicable laws and regulations when looking for vulnerabilities.
  • Avoid testing in a way that could degrade our services or our users’ experience, affect their privacy or security, or damage or destroy information on live systems (no brute-force attacks, no API flooding).
  • Do not exploit the vulnerability or problem you have discovered in order to demonstrate it, and do not delete or modify user data, employee data or third-party data.
  • Do not use methods involving physical intrusion, social engineering, denial of service, or spam against our employees or partners.
  • Do not share information about the vulnerability with others until it has been resolved in accordance with the stated vulnerability disclosure timeframes or until we have notified you.


Our Responsibilities

  • PMI will acknowledge and manage reported vulnerabilities in a responsible manner, according to our public vulnerability disclosure policy and internal processes.
  • We will not pursue legal action against vulnerability reporters who follow our public vulnerability disclosure policy in good faith and without malicious intent.
  • PMI does not currently operate a bug bounty program, and we do not offer any financial payment or other valuable consideration to vulnerability reporters. We are grateful for the community’s interest and support in helping us keep our users and systems safe and secure, and we will acknowledge vulnerability reporters (with their consent) as applicable in our advisories and on our acknowledgments page.


Who can report suspected vulnerabilities?

Because Philip Morris operates in many markets and is subject to various regulations, we must restrict who can report suspected vulnerabilities to us. We will only accept your report if:

  • You do not work for PMI or its affiliated companies.
  • You are at least 18 years old. If not, your report and any subsequent communications must be submitted by a legal guardian.
  • You do not reside in a country sanctioned under U.S. export-control regulations.
  • You are submitting your report in good faith.


How to submit your report

If you believe that you’ve discovered a potential security vulnerability that affects our Connected Products (devices, software, or services), please report it directly using the "Report a vulnerability" form.

Remember, high-quality submissions allow us to validate and remediate reported issues faster. Reports should include all the information needed for us to reproduce the vulnerability. This includes:

  • The identifier of the vulnerable asset(s): product name and software version, device serial number or Codentify code, endpoint URL, etc.
  • A description of the vulnerability and its possible impacts.
  • A list of steps to reproduce the vulnerability.
  • A proof of concept or exploit.
  • Any other details that we can use to verify and fix the reported issues.


Additionally, we will need to collect some of your personal information to coordinate with you throughout the VDP process:

  • Your email address (mandatory, for coordination purposes).
  • Your name or a pseudonym (optional).
  • Whether you wish to be acknowledged once we have validated and remediated the reported issues.

We will only use your personal information to process your report and to coordinate with you during our review. By submitting a report, you acknowledge and consent to the processing of your personal information for this purpose. We will always protect, store, and use personal data solely in compliance with our Privacy Policy and Terms of Use.

Please note that at this time, we can only accept vulnerability reports written in English.


How we handle these reports

We aim to acknowledge each submission by email within 5 business days (Mon-Fri). We will try to reproduce your findings, validate whether a vulnerability exists, identify all potentially vulnerable assets, and evaluate possible ways to fix the issue. Once a solution has been validated, we will test and deploy a fix as necessary to the relevant components.

During this time, we will contact you with updates on our progress and, where needed, to request additional information.

We aim to resolve all reported issues that present a validated vulnerability within 90 days. If we cannot finalize a fix within this timeframe, we may request an embargo on disclosure to limit any risk to our customers.

Once we have fixed the issue, we may decide to inform our customers through a joint advisory.

In these instances, we will collaborate with you further to acknowledge your efforts in helping us keep our products secure.

If you have questions or feedback during the process, please do not hesitate to contact us.


Security Bulletin and external communications

When a confirmed vulnerability is addressed and a solution is available, we may notify the affected customers using the appropriate communication channels.

The security bulletin will include a brief description of the vulnerability and its risks and, where applicable, details of the affected products and versions, along with guidance on addressing the issue.

If a security bulletin is published on our public page, we will, with your permission, give you recognition for your findings. Where our customers do not need to take any action to resolve a vulnerability, we typically do not communicate with them about it by default; we will, however, work with reporters to determine whether a public disclosure is appropriate, at our discretion.