Coordinated Vulnerability Disclosure Policy

At Peblar, we prioritize the security of our products and the safety of our customers.

We acknowledge the valuable role that security researchers and users play in identifying vulnerabilities and are committed to cooperating with the reporting party to promptly address, mitigate, and resolve any discovered vulnerabilities. By responsibly reporting vulnerabilities, we can ensure the continued reliability and integrity of our products and services. This policy applies to any vulnerabilities you are considering reporting to Peblar. We recommend reviewing and complying with our guidelines when submitting a report.

Reporting

If you have discovered a security vulnerability, please notify us as soon as possible by submitting a report using the link below:

Report Vulnerability

Guidelines for reporting vulnerabilities

• Always report the vulnerability to Peblar first.
• Report the issue as soon as possible to prevent malicious parties from discovering and exploiting the vulnerability.
• Do not disclose the discovered vulnerability to others until it has been fully resolved and agreed with Peblar.
• Misusing the discovered vulnerability, by accessing or downloading unnecessary or excessive data, or by modifying or deleting data, is not permitted.
• Do not disrupt or overwhelm Peblar’s systems or services with high volumes of requests which could result in Denial of Service.
• The use of high-intensity invasive or destructive scanning tools to find vulnerabilities is prohibited.
• The reporting party is responsible for their actions and must ensure they act within the law, doing only what is necessary to demonstrate the vulnerability.
• Peblar’s charge points interact with third-party services. Modifying or intercepting communication between the charger and services not managed or controlled by Peblar is strictly excluded from the scope of this CVD policy.

Our Commitment to you

• We will acknowledge receipt of your report within 3 working days and aim to triage it within 10 working days.
• We will handle your report with confidentiality and will not share your personal details without your consent.
• We will provide updates every two weeks and keep you informed of our progress throughout the process.
• Remediation priority is based on the impact, severity, and exploit complexity of the vulnerability. We will notify you once the reported vulnerability has been resolved.
• Once the reported vulnerability has been resolved and as agreed, we will acknowledge you as the discoverer in related communications.
• As a token of our appreciation and at Peblar's discretion, we may offer a reward for reports of previously unknown vulnerabilities, based on the severity of the issue and the quality of the report.
• If you submit your report in accordance with this policy, we will not take legal action against you.

We value and appreciate the efforts of the security community in helping identify and resolve vulnerabilities. By working together, we can ensure the continued security and safety of products and services.

Peblar encourages a responsible and transparent approach to vulnerability disclosure.