Coordinated Vulnerability Disclosure (CVD) Policy
Last updated on July 2026
At inepro B.V., the security of our digital products, systems, and our customers' data is our highest priority. Despite our continuous efforts to maintain strong security, vulnerabilities can sometimes occur.
In compliance with the European Cyber Resilience Act (CRA) and relevant international standards, we encourage customers, users, partners, distributors, importers, suppliers, and independent security researchers to report suspected cybersecurity vulnerabilities affecting inepro products in a responsible manner. We value your cooperation and aim to work with reporters to improve our security.
What we ask of you
- Report your findings as soon as possible via email to the specific security address listed in the security.txt file of the domain where you discovered the vulnerability:
- Use our public PGP key inepro_Security_0x95AAFBF0921B97F2_public.txt to encrypt your communication when sending sensitive information.
- Do not exploit the vulnerability. Do not perform actions beyond what is strictly necessary to demonstrate the issue (e.g., do not download, modify, or delete any data).
- Do not share the vulnerability with third parties until the issue has been resolved. The timing, coordination, and specific content of any public disclosure must be explicitly aligned and mutually agreed upon with our security team in advance.
- Avoid destructive testing methods. The use of Denial of Service (DoS/DDoS) attacks, brute force attacks, social engineering, or physical security breaches is explicitly prohibited.
What you can expect from us
In accordance with the statutory requirements and principles of Regulation (EU) 2024/2847 (the Cyber Resilience Act) and the international standards ISO/IEC 29147 (Vulnerability Disclosure), and ISO/IEC 30111 (Vulnerability Handling Processes), we handle all reports through a structured compliance procedure:
- Acknowledgment: We will confirm receipt of your report without undue delay.
- Remediation: Validated vulnerabilities will be resolved with a security update or mitigation, delivered without undue delay.
- Coordination: We will coordinate public disclosure timelines with you and fulfill our mandatory 24-hour reporting obligations to European cybersecurity authorities (ENISA/CSIRTs) if the vulnerability is actively exploited.
- Recognition: To show our appreciation for your assistance, we offer appropriate recognition (such as a mention or a token of appreciation) for unique, previously unknown vulnerabilities reported in compliance with this policy.
Safe Harbor Guarantee
If you follow the guidelines outlined above during your research, we will not take any civil or criminal legal action against you. We will handle your report with strict confidentiality and will not share your personal information with third parties without your explicit consent, unless required by law.