
Vulnerability Disclosure Policy

Background

At myenergi we care about ensuring our products are safe and secure whilst they operate in your home. Your myenergi products include security features that protect your device against evolving cyber threats.

New cyber threats are discovered across the world every day, so it is important you keep your myenergi device up to date with the latest firmware to ensure you benefit from the latest quality and security updates. For most devices, you can check the firmware of your myenergi device and update it in the myenergi app.

The myenergi system is designed to be reliable, secure and to keep your data confidential. This ensures your product performs in a reliable and safe way, to protect you, your home, and the energy grid from damage.

Vulnerability Disclosure Policy

myenergi recognises the role that the security community and our customers play in keeping our products and all our customers safe. We welcome reports from customers or security researchers if a suspected security vulnerability is discovered in our products, software, or servers.

We value the time and the effort involved in reporting vulnerabilities to us; however, we do not offer monetary rewards (sometimes referred to as ‘bug bounties’) for discovered vulnerabilities.

For the safety and security of our products and customers, myenergi does not disclose information relating to security vulnerabilities until a suitable fix has been implemented.

This policy has been updated to meet our obligation under the UK’s Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (PSTI) to provide information to consumers about how to report security issues that affect the relevant internet and network connectable products we manufacture. PSTI comes into force on 29th April 2024.  

When you report a vulnerability or security issue, we will send you an acknowledgement within 7 calendar days and provide you with a status update within 21 days and at reasonable periods thereafter until the resolution of the reported issue. Our responses will be in English and free of charge. We shouldn’t need to collect your personal data, but you will need to provide an email address if you wish to receive updates. 

You can report a vulnerability or security issue to us using the link below.

When making your report please provide us with as much relevant information about the vulnerability or security issue as possible. 

  • Email address (optional) 
  • The nature of the vulnerability 
  • Product and/or model affected
  • Serial number(s) (if applicable)
  • Firmware version(s) or app version(s) you suspect to be vulnerable (if applicable)
  • The location the vulnerability was discovered and the potential impact of exploitation
  • Steps taken to discover / identify the vulnerability (scripts or screenshots are helpful)
  • Is there a known Common Vulnerabilities and Exposures (CVE) entry for this issue? (See Common Vulnerabilities and Exposures at mitre.org)
  • System / network topology (if applicable)
  • Any other supporting information  
Report a Vulnerability

Our commitment to you:

  • We’re grateful for the support from the security research community. We will not take legal action against you for disclosing a vulnerability to us.
  • We’ll investigate your report, take action in a reasonable timeframe, and keep you informed until the resolution of the reported vulnerability.
  • We’ll acknowledge your efforts and support (if desired) in our software release notes.

Acting within the law

Please ensure you act in a lawful manner when interacting with our products, websites, or servers. The following is prohibited. This is not an exhaustive list, and you should always consider the current legislation:

  • Any activity outside of the law.
  • The use of aggressive or invasive automated scanning tools, such as port scanners or vulnerability scanners.
  • Creating server demand which could result in a Denial of Service.
  • Social engineering our customers, staff, or suppliers.
  • Breaching data protection legislation by exposing or accessing the data of customers, staff, or suppliers.
  • Uploading malicious payloads to our products or services.