Vulnerability Disclosure Policy

1. Introduction

At SwitchDin, the security of our distributed energy orchestration platform and our "Droplet" edge devices is our highest priority. We appreciate the work of the security research community and encourage the responsible reporting of any vulnerabilities found in our ecosystem.

This policy outlines the steps for reporting vulnerabilities and what you can expect from us in return.

2. Scope

This policy applies to:

  • Hardware: SwitchDin Droplet gateway devices (including Droplet software).

  • Software/Cloud: The SwitchDin Stormcloud platform, associated APIs, and mobile applications.

Out of Scope:

  • Physical attacks against SwitchDin facilities or hardware.

  • Denial of Service (DoS/DDoS) testing.

  • Social engineering or phishing of SwitchDin employees or customers.

  • Third-party integrations not authored by SwitchDin.

3. How to Report

Please submit vulnerability reports to security+vdp@switchdin.com.

To help us triage your report, please include:

  • A detailed description of the vulnerability.

  • Steps to reproduce (Proof of Concept).

  • The potential impact if exploited.

  • The affected firmware version, application version, or URL.

4. Our Commitment (Response Timelines)

In compliance with Australian consumer smart device standards, SwitchDin commits to the following:

  • Acknowledgment: We will acknowledge receipt of your report within five (5) business days.

  • Status Updates: We will provide an initial assessment of your report, followed by a status update at least every four weeks until the issue is resolved.

  • Remediation: We prioritise vulnerabilities based on severity (CVSS) and will work to resolve confirmed issues as quickly as possible.

5. Guidelines for Research

To qualify for "Safe Harbor" (see Section 6), we ask that you:

  • Do not access, modify, or delete data belonging to SwitchDin or SwitchDin customers.

  • Do not interrupt or degrade SwitchDin services.

  • Give us a reasonable timeframe to remediate the issue before any public disclosure.

6. Safe Harbor / Legal Terms

SwitchDin will not pursue legal action against researchers who discover and report vulnerabilities in good faith and in accordance with this policy. We consider research conducted under these guidelines to be "authorised" access for the purposes of the relevant Australian cybercrime legislation.

7. Recognition & Rewards

SwitchDin does not operate a paid "Bug Bounty" program. We do not offer financial rewards or "swag" for vulnerability reports. However, with your permission, we are happy to provide:

  • A formal letter of appreciation.

  • Public acknowledgment on our Vulnerability Disclosure Hall of Fame (see below).

8. Vulnerability Disclosure Hall of Fame

Below are the names or aliases of people who have given their consent to have their contribution to our vulnerability disclosure program published:
To be updated soon.