Vulnerability Disclosure Policy

Purpose

This policy outlines the guidelines and procedures for reporting security vulnerabilities in our systems and applications to us in a responsible and ethical manner. We value the security research community's contributions to helping us identify and address vulnerabilities that could potentially impact the security of our systems and our users' data.

Scope

This policy applies to all individuals who discover or have knowledge of any security vulnerability in our systems, applications, services, or infrastructure, including employees, contractors, security researchers, and members of the public.

Reporting Security Vulnerabilities

If you believe you have discovered a security vulnerability, please report it to us immediately by following these steps:

  • Report the Vulnerability: Submit your vulnerability report to our dedicated security email address: security(at)tado.com. Please include the following information in your report:
      • A detailed description of the vulnerability, including the steps required to reproduce it.
      • The potential impact of the vulnerability, including the types of data that could be affected.
      • Any proof-of-concept code or exploit details (if applicable).
      • Your contact information so we can follow up with you.
  • Confidentiality: Keep the vulnerability details confidential until we have had a chance to investigate and address the issue. Do not publicly disclose the vulnerability or share it with any third parties without our prior written consent.
  • No Exploitation: Do not attempt to exploit the vulnerability or use it to gain unauthorized access to our systems or data. We consider any attempt to exploit a vulnerability to be a serious breach of this policy.

Our Commitment

We are committed to working with you to investigate and address reported vulnerabilities in a timely and responsible manner. We will acknowledge receipt of your report within 2 weeks, and we will keep you informed of the progress of our investigation.

Safe Harbor

We will not take any legal action against individuals who report security vulnerabilities to us in good faith and in accordance with this policy, even if their actions inadvertently cause some disruption to our systems or services.

Prohibited Activities

The following activities are strictly prohibited and may result in legal action:

  • Any attempt to exploit a vulnerability for personal gain or malicious purposes.
  • Publicly disclosing a vulnerability without our prior written consent.
  • Sharing vulnerability details with any third parties without our prior written consent.
  • Any actions that could disrupt our systems or services or compromise the security of our users' data.

Policy Updates

We may update this policy from time to time. Any changes will be posted on our website, and we encourage you to review this policy periodically.

Contact Us

If you have any questions about this policy or the vulnerability reporting process, please contact us at security(at)tado.com.

Thank you for helping us keep our systems and users' data secure.