Cybersecurity at KitchenAid

Designed to Protect Your Home

Cybersecurity Commitment

Connected large appliances deliver efficiency, convenience, and comfort in homes across the country and around the world. But with one in five Americans owning such a device¹, the emergence of Internet of Things (IoT) and Artificial Intelligence (AI) technology comes with important considerations regarding data security, privacy, and trust.

As the only US-based major home appliance manufacturer, we take those concerns seriously. We are committed to upholding the security and privacy of our customers, suppliers, and employees.  

That’s why our goal is to proactively identify and mitigate potential security risks. To support this objective, we adhere to industry-accepted cybersecurity best practices across our products, systems, and services. 

Our Cybersecurity Commitment

  • Rigorous Supplier Standards:
    Whirlpool suppliers must meet the company’s information security and privacy requirements, embedded directly into contracts and ongoing assessments.

  • Threat Monitoring and Assessment:
    We monitor industry resources such as the Common Vulnerability Scoring System (CVSS) and the National Vulnerability Database (NVD) to identify and address emerging risks.

  • Ongoing Compliance:
    We align with international security frameworks and evolving regulations to maintain data protection across all markets.

Built and Secured with American Leadership  

Whirlpool Corporation is headquartered in the United States and governed by U.S. laws, meaning our approach to data privacy and product security is rooted in American values of transparency and consumer protection.

While Whirlpool serves customers around the world, our cybersecurity design, oversight, and governance are led from the U.S. This distinguishes us from many competitors that are owned or controlled by foreign governments, or may be subject to foreign national security laws requiring data access or disclosure. 

Some appliance brands are wholly owned by China-controlled businesses. Chinese-controlled businesses may be subject to legal requirements to turn your data over to Chinese authorities.

At Whirlpool, we believe families deserve more transparency and stronger protections. That’s why we design, test, and secure our products according to rigorous domestic standards and regulations, ensuring our customers’ data and safety are protected under American law.

Vulnerability Reporting & Disclosure

Vulnerability Reporting & Disclosure Program

Whirlpool values the work of security researchers and seeks to work collaboratively and responsibly with them to improve the security of its products, software, and mobile applications. This program is designed to facilitate the responsible reporting and disclosure of cybersecurity vulnerabilities, ensuring the security and safety of our customers.

We participate in HackerOne and follow the Gold Standard Safe Harbor framework, which ensures that researchers acting in good faith can report potential vulnerabilities responsibly and without fear of legal action.

Responsible Research Principles

By participating in Whirlpool’s program, researchers agree to the following principles and conditions: 

  • Do no harm: Do not cause harm to product owners or operators, Whirlpool, or other third parties. This includes refraining from compromising installed products, software, and systems, or the privacy of Whirlpool customers, employees, or third parties, and from disrupting services or creating a denial-of-service condition.

  • No unauthorized access to personal data: Do not intentionally access, collect, or disclose any Personally Identifiable Information (PII) of Whirlpool customers, employees, or third parties. If PII is encountered, you must immediately cease all related activity, report the finding to Whirlpool, and securely destroy any copies or records of the PII. You are prohibited from using, storing, or sharing any discovered PII for any purpose.

  • Comply with all applicable laws: All research must comply with relevant laws and regulations. Researchers must cooperate with Whirlpool when information or additional details are sought regarding the potential vulnerability.

Reporting a Vulnerability:

To report a potential website vulnerability, submit it via HackerOne if you have an account, or use this form to submit without an account.

For a product-related vulnerability, email product_security@whirlpool.com and include the following:

  • Product name, model, firmware version, and date of discovery 

  • Configuration or special conditions needed to reproduce the issue 

  • Step-by-step instructions, proof-of-concept or exploit code

  • Description of the impact and any recommended mitigation  

Whirlpool’s Commitment: 

  • We will acknowledge receipt of a valid report within 72 hours.

  • Our cybersecurity team will assess the report and may reach out for clarification or additional details.

  • Whirlpool will keep the researcher informed of progress where possible and will coordinate public disclosure once remediation is complete.

Confidentiality and Disclosure Rules 

To ensure responsible handling and protection of consumer data: 

  • You may not publicly disclose any vulnerability or share details with external parties prior to Whirlpool’s written approval, to prevent bad actors from exploiting the vulnerability.

  • All communications related to a report must occur exclusively through Whirlpool’s secure reporting channels.

  • Public discussion, including on social media, forums, or third-party platforms, is prohibited until coordinated disclosure has occurred. 

Intellectual Property Rights 

By submitting a vulnerability report, you agree to these terms and grant Whirlpool a non-exclusive, worldwide, irrevocable, perpetual, sub-licensable, royalty-free license to any intellectual property contained in that report to analyze, publicize, disclose, or use.