clear combination
active combination
back to configurator

Nanotec Vulnerability Disclosure Policy

Introduction

Nanotec Electronic GmbH & Co. KG welcomes reports from security researchers and the public to help improve the security of our systems. If you believe you have identified a vulnerability, privacy issue, exposed data, or another security weakness in one of our assets, please let us know.

Systems in Scope

This policy applies to digital assets owned, operated, or maintained by Nanotec Electronic GmbH & Co. KG, including, for example, Plug & Drive Studio, NanoLib, and Controller Firmware.

Out of Scope

Assets, systems, or equipment not owned or operated by Nanotec are out of scope. Issues affecting third-party systems should be reported to the relevant vendor or responsible party.

Our Commitments

  • We will review your report promptly and work with you to understand and validate it.
  • We will try to keep you informed about the progress of the report.
  • We will work to remediate confirmed vulnerabilities within reasonable operational constraints.
  • We will apply Safe Harbor to security research conducted in accordance with this policy.

Our Expectations

  • Follow this policy and any other applicable agreements.
  • Report vulnerabilities promptly and provide enough detail for validation and triage.
  • Avoid violating privacy, disrupting systems, destroying data, or harming user experience.
  • Use only the official reporting channel to communicate vulnerability information.
  • Allow us a reasonable time to resolve the issue before public disclosure, at least 90 days from the initial report.
  • Test only in-scope systems and respect out-of-scope systems and activities.
  • If a vulnerability provides unintended access to data, limit access to the minimum required to demonstrate the issue and stop testing immediately if you encounter personal, confidential, medical, payment, or other sensitive data.
  • Interact only with test accounts you own or are explicitly authorized to use.
  • Refrain from conducting or attempting: DDoS attacks, brute-force attacks, social engineering, spam, bot activity, or mass registration against our systems or users.

Ineligible Reports

The following are generally not considered valid vulnerability reports:

  • Login issues or password problems without a demonstrable security vulnerability
  • Spelling mistakes, cosmetic issues, or HTTP 404 pages
  • Spam, suspected fraud activity, bots, or mass registration without a concrete technical security weakness
  • Use of a publicly known vulnerable or broken library without evidence of actual exploitability in our environment
  • Reports based only on automated tools or scans without sufficient explanation, validation, and a clear security impact

Official Channel

Please report security issues via the following email address. The more relevant detail you provide, the easier it is for us to assess and address the issue.

[email protected]

To help us process your report efficiently, please include:

  • The affected webpage, URL, system, or product
  • A brief description of the vulnerability type, for example “XSS” or “SQL Injection”
  • Clear steps to reproduce using a benign, non-destructive proof of concept
  • Any useful technical context, such as parameters, affected versions, request examples, or screenshots

Safe Harbor

If you act in accordance with this policy, Nanotec considers your security research authorized under applicable anti-hacking and anti-circumvention laws and will not initiate or support legal action for accidental, good-faith violations of this policy.

We also waive, on a limited basis, restrictions in our Terms of Service or Acceptable Use Policy to the extent they would interfere with security research performed under this policy.

You are still expected to comply with applicable law. If a third party initiates legal action and you have complied with this policy, we will make it known that your actions were consistent with this policy.:

If you are unsure whether planned testing is consistent with this policy, contact us through the official channel before proceeding. Safe Harbor applies only to claims under Nanotec’s control and does not bind independent third parties.