Security and Vulnerabilities
Background
At myenergi we care about ensuring our products are safe and secure whilst they operate in your home. Your myenergi products include security features that protect your device against evolving cyber threats.
New cyber threats are discovered across the world every day, so it is important that you keep your myenergi device up to date with the latest firmware to ensure you benefit from the latest quality and security updates. To see the latest firmware version and release notes, see our support pages at Current firmware versions / updating your firmware – Help Centre GB (myenergi.com).
The myenergi system is designed to be reliable, secure and to keep your data confidential. This ensures your product performs in a reliable and safe way, to protect you, your home, and the energy grid from damage.
Vulnerability Disclosure Policy
myenergi recognises the role that the security community and our customers play in keeping our products and all our customers safe. We welcome reports from customers or security researchers who discover a suspected security vulnerability in our products, software, or servers.
We value the time and effort involved in reporting vulnerabilities to us; however, we do not offer monetary rewards (sometimes referred to as ‘bug bounties’) for discovered vulnerabilities.
For the safety and security of our products and customers, myenergi does not disclose information relating to security vulnerabilities until a suitable fix has been implemented.
Product Security and Telecommunications Infrastructure (PSTI) (UK devices only)
This policy has been updated to meet our obligation under the UK’s Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (PSTI) to provide information to consumers on how to report security issues that affect the relevant internet and network connectable products we manufacture.
PSTI came into force on 29th April 2024 and affects three of the products we manufacture, but only where they are to be used in the UK. Our PSTI statement of compliance is published on our Compliance and Document Centre web page along with all the other compliance documents for our products.
Reporting a vulnerability or product security issue
When you report a vulnerability or security issue, we will send you an acknowledgement within 7 calendar days and provide you with a status update within 21 days and at reasonable periods thereafter until the resolution of the reported issue. Our responses will be in English and free of charge. We shouldn’t need to collect your personal data, but you will need to provide an email address if you wish to receive updates.
You can report a vulnerability or security issue to us using the link below.
When making your report please provide us with as much relevant information about the vulnerability or security issue as possible.
- Email address (optional)
- The nature of the vulnerability
- Product and/or model affected
- Serial number(s) (if applicable)
- Firmware version(s) or app version(s) you suspect to be vulnerable (if applicable)
- Where the vulnerability was discovered and the potential impact of exploitation
- Steps taken to discover / identify the vulnerability (scripts or screenshots are helpful)
- Is there a known Common Vulnerabilities and Exposures (CVE) identifier for this issue? (See CVE – CVE (mitre.org))
- System / network topology (if applicable)
- Any other supporting information
Our commitment to you:
- We’re grateful for the support of the security research community. We will not take legal action against you for reporting a vulnerability to us.
- We’ll investigate your report, take action in a reasonable timeframe, and keep you informed until the reported vulnerability is resolved.
- We’ll acknowledge your efforts and support (if desired) in our software release notes.
Acting within the law
Please ensure you act in a lawful manner when interacting with our products, websites, or servers. The following activities are prohibited. This is not an exhaustive list, and you should always consider the current legislation:
- Any activity outside of the law.
- The use of aggressive or invasive automated scanning tools, such as port scanners or vulnerability scanners.
- Generating load on our servers that could result in a denial of service.
- Social engineering our customers, staff, or suppliers.
- Breaching data protection legislation by exposing or accessing the data of customers, staff, or suppliers.
- Uploading malicious payloads to our products or services.