Responsible Disclosure

At CEDAR, we prioritize the security and integrity of our systems and the privacy of our users. We recognize the important role that a wide range of security researchers, including hobbyists and private individuals, play in helping to identify vulnerabilities and improve the overall security of our systems. This policy outlines the terms under which security research may be conducted in good faith on our systems.

If you have any questions or comments regarding this policy, please contact us at security@cedar-heat.dk.

0. Before You Begin

Before conducting any security research on our systems, we encourage you to contact us at security@cedar-heat.dk to inform us about the scope of your intended testing. While not required, doing so helps ensure your activities are aligned with our goals and minimizes the risk of unintentional disruption to our services.

1. Good Faith Requirement

We require that all security testing is conducted in good faith — acting responsibly, ethically, and with the intention of improving the security of our systems. As part of this, you are required to fully disclose all vulnerabilities, exploits, or other findings to us, even if they seem minor. Any actions that are overly intrusive, violate user privacy, or suggest malicious intent will be considered a breach of this policy. If we determine that your testing does not meet these standards, or if you fail to disclose all findings, we reserve the right to revoke any authorization and pursue appropriate legal remedies.

2. Scope of Allowed Testing

You are authorized to test our publicly available systems for vulnerabilities, as long as you adhere to the following guidelines:

  • Your actions must not degrade, interrupt, or harm the performance, availability, or functionality of our systems or services.
  • You must not attempt to modify user data or configuration data that do not belong to you, unless you have prior written consent from the user in question.
  • You must not execute denial-of-service attacks or brute-force attacks, introduce malware, or attempt to compromise the physical security of our infrastructure.
  • You must not conduct social engineering (e.g., phishing) or any other form of unauthorized exploitation targeting our employees or users.

3. Identification and Transparency

We welcome contributions from all types of researchers, including hobbyists and private individuals. To foster trust and ensure smooth communication:

  • Provide accurate and complete contact information during communications with our team.
  • Never obfuscate, mask, or hide your identity during testing or when reporting vulnerabilities.
  • Cooperate fully if we request that you stop testing or if further clarification is needed during or after the engagement.

4. Guidelines for Reporting Vulnerabilities

To ensure responsible reporting and handling of vulnerabilities:

  • Immediately report any identified vulnerabilities to us at security@cedar-heat.dk before making any public disclosures.
  • Provide sufficient details, including steps to replicate the vulnerability and the potential impact, so we can reproduce and address the issue.
  • Allow us a reasonable timeframe to investigate and resolve the issue before making any information public. We aim to acknowledge receipt of your report within 2 business days and strive to resolve issues within 10 business days.

5. Safe Harbor

As long as your research complies with this Responsible Disclosure Policy and is conducted without malicious intent:

  • We will not contact law enforcement.
  • We will not pursue legal action against you.

While public acknowledgment or rewards are at our discretion, we greatly appreciate all contributions and may offer recognition for significant findings.

6. Cease and Desist

If at any point CEDAR requests that you stop testing or the policy changes, you must comply immediately and halt all further activities.

Please note that CEDAR reserves the right to modify or update this policy at any time, without prior notice. You can see the date of the latest change to this policy at the bottom of this page.

7. Publishing Security Research

We understand that publishing security research is important to the broader security community and that publishing your results is part of that research. However, to ensure responsible disclosure and resolution, we ask that:

  • You do not publish any details of the vulnerability, including blogs, social media posts, or other publications, until we have had a reasonable opportunity to respond and address the issue. We will work with you to establish a timeline for public disclosure based on the severity and complexity of the vulnerability.
  • You allow us to review and comment on your publication before it goes live.
  • You include our public response with your final publication. This ensures accurate representation of our response and actions.
  • In cases where we are actively working on resolving the issue and a fix is in progress, we may request a reasonable extension of the disclosure timeline to ensure proper remediation.

8. Final Notes

By participating in our Responsible Disclosure Program, you agree to act ethically and responsibly, aiming to enhance the security of CEDAR’s systems without causing harm to our company, customers, or stakeholders. While we do not operate a formal bug bounty program, we deeply value the efforts of everyone who contributes to improving the security of our systems. We may acknowledge researchers through public recognition or other forms of appreciation for significant contributions.

We welcome feedback and suggestions for improving this Responsible Disclosure Policy. If you believe there are areas where the policy can be enhanced or clarified, please feel free to reach out to us at security@cedar-heat.dk. We regularly review and update our policies to reflect the evolving landscape of security research, and your input helps us ensure the policy remains fair, clear, and aligned with the latest best practices.

Thank you for helping us create a safer and more secure environment for our users!

Latest update: 2024-10-15