NIBE Group is committed to safeguarding and protecting our customers, our information and any other information entrusted to us.

This means we take cyber security issues very seriously and recognize the importance of privacy, security, and community outreach. As such, we are committed to addressing and reporting security issues through a coordinated and constructive approach; designed to drive the greatest protection for technology users and protection of information relating to our company, customers, consumers and employees.

When properly notified of legitimate issues, we will do our best to acknowledge your vulnerability report, assign resources to investigate the issue and solve potential problems as quickly as possible. Whether you are a user of NIBE Group products, a software developer or simply a security enthusiast, you are an important part of this process.

If you believe you have discovered a vulnerability in a NIBE Group asset / system or have a security incident to report, please send an email to vulnerability@nibegroup.com.

In all cases, you must:

• Respect our privacy. Contact us immediately if you access anyone else’s data, personal or of any other kind. This includes usernames, passwords and other credentials. You must not save, store or transmit this information.
• Act in good faith. You should report the vulnerability to us with no conditions attached.
• Work with us. Promptly report any findings to us, stop after you find the first vulnerability and request permission to continue testing. Allow us a reasonable amount of time to resolve the vulnerability before publicly disclosing it.

And you must not:

• Exfiltrate data. Instead use a proof of concept to demonstrate a vulnerability.
• Exploit a vulnerability to disable further security controls.
• Perform social engineering.
• Use automated scanners.

Please note that there is a separate procedure for reporting incidents that include personal data (personal data breaches). For more information, see NIBE’s Privacy Policy.

Upon receipt of a vulnerability / security report, NIBE will undertake a series of steps to address the issue:

1. NIBE Group requests the reporter to keep any communication regarding the vulnerability confidential.
2. NIBE Group investigates and verifies the vulnerability.
3. NIBE Group addresses the vulnerability and releases an update or patch to the software. If for some reason this cannot be done quickly or at all, NIBE will provide information on recommended mitigations.
4. NIBE Group will keep the reporter informed of the progress with an initial acknowledgment within 5 business days of receipt and with an aim to provide subsequent status updates on a monthly basis.
5. After a resolution has been published, NIBE Group will determine whether the vulnerability reporter is entitled to receive a reward or bounty for the finding.

We greatly appreciate the efforts of security researchers and discoverers who share information on security issues with us, giving us a chance to improve our products and services and better protect our customers. Thank you for working with us through the above process.