Vulnerability Disclosure Policy


The VEVA range of EV car chargers utilises the best security and message encryption technologies to keep your charger and data safe. However, new threats to cyber security are exposed all the time. To stay ahead of potential threats to the VEVA charger and keep the product safe, we welcome reports from customers or the wider security research community if any security vulnerability is suspected in the VEVA product.

This Vulnerability Disclosure Policy details how to report a suspected vulnerability and applies to any vulnerabilities you are considering reporting to us. We recommend reading this vulnerability disclosure policy fully before you report a vulnerability and always act in compliance with it.

We value those who take the time and effort to report security vulnerabilities.
However, we do not offer monetary rewards for vulnerability disclosures.

Reporting

If you believe you have found a security vulnerability, please submit a report to us using the following email address:

security@vevacharger.com

In your report, please include details of:


• the type of vulnerability discovered
• a brief description of the type of vulnerability
• the product affected e.g., VEVA charger, VEVA app or website
• how the vulnerability was discovered and steps required to reproduce it

What to expect


After you have submitted your report, we will respond to you as soon as possible.
We'll also aim to keep you informed of our progress.

Priority for remediation is assessed by looking at the impact, severity and exploit complexity. Vulnerability reports might take some time to address.

We will notify you when the reported vulnerability is remediated, and you may be invited to confirm that the solution covers the vulnerability adequately.

Guidance


You must ensure you act in a lawful manner.

Please do NOT:

• break any applicable law or regulations
• use high-intensity invasive or destructive scanning tools to find vulnerabilities
• attempt or report any form of denial of service, for example, overwhelming a service with a high volume of requests
• disrupt our services or systems
• social engineer, 'phish' or physically attack our staff or infrastructure
• demand financial compensation in order to disclose any vulnerabilities

You must:


• always comply with data protection rules and not violate the privacy of our users, staff, contractors, services or systems. You must not, for example, share, redistribute or fail to properly secure data retrieved from any system or service.
• delete any and all data retrieved during your research.

Legalities

This policy is designed to be compatible with common vulnerability disclosure good practice. It does not give you permission to act in any manner that is inconsistent with the law, or which might cause us or partner organisations to be in breach of any legal obligations.