CVD Policy

Coordinated Vulnerability Disclosure (CVD)

Warmup has provided a place for individuals or organisations to responsibly disclose a vulnerability that they have found in any Warmup Wi-Fi connected devices or associated applications. The full CVD Process is described transparently on this page, from the moment of reporting to the resolution of the vulnerability, during which Warmup works to develop a solution.

At Warmup we value the use of a Coordinated Vulnerability Disclosure process in improving the security of our devices. Importantly, Warmup aims to resolve all valid vulnerabilities within 90 days of reporting.

Note: Disclosures to Warmup’s CVD Process must focus on Warmup Wi-Fi connected devices and associated applications only.

Definitions

Vendor: Warmup, the organisation that created or maintains the product that is vulnerable and will take remediation action. 

Finder: Individual or organisation who has found a potential vulnerability.

Vulnerability: Security weakness that can be abused to cause unintended behaviour.

CVD process

This section describes the CVD process, from submission of the vulnerability report to its resolution.

  1. Once a valid vulnerability report is submitted by a Finder, the Finder will receive an acknowledgement email from Warmup that their report has been received. 
  2. Next, Warmup will assess the vulnerability report and either accept or reject it as to its validity. In either case, the Finder is notified.
  3. If the vulnerability report is assessed as valid, Warmup will begin work to create a resolution. The resolution is prepared and adopted, and the Finder is informed by email of what the resolution is and that it has been made.
  4. Warmup aims to resolve all valid vulnerabilities within 90 days of reporting, though it may take longer for complicated fixes.

CVD Legal Notice

As the Warmup Coordinated Vulnerability Disclosure (CVD) Process is designed to benefit the security of Warmup products, Warmup does not warrant or assume any liability for the responsibilities of this process, or “Vulnerability Resolution” outcomes, and any other activities or milestones set forth by Warmup. Each beneficiary of this activity will engage in this offering without reliance or any representation and/or warranty of the other parties and all such representations and/or warranties are, to the greatest extent permitted by applicable law, hereby disclaimed.

The vulnerability will be handled in accordance with the Warmup CVD Process. Disclosures to Warmup’s CVD Process must focus on Warmup Wi-Fi connected products and associated applications. Disclosures outside of this scope will not be addressed by Warmup. 

Disclosures to the Warmup CVD Process will not generate any financial compensation for the Finder.

Finder Responsibilities

When submitting a vulnerability report, the Finder (individual or organisation who has found a potential vulnerability) commits to:

  • Only share findings with Warmup using the vulnerability report form.
  • Provide a Proof-of-Concept and/or sufficient information to enable reproduction of the vulnerability. This allows the vulnerability report to be verified and allows possible fixes to be proposed.
  • Submit vulnerabilities pertaining only to Warmup Wi-Fi connected products and associated applications.

Warmup also requests that the Finder undertakes not to disclose the vulnerability to other people until it has been resolved by Warmup, not to use the vulnerability for exploitation beyond the minimum necessary to demonstrate the vulnerability to Warmup, and not to leverage the vulnerability for financial gain. As far as possible, these resolutions will happen within 90 days, when the vulnerability has been assessed as valid, in accordance with Warmup’s CVD process timeframes.

Warmup Responsibilities

Warmup will:

  • Treat submitted reports confidentially. Warmup will not share the Finder’s details with third parties without the Finder’s authorisation, unless legally required to do so. 
  • Accept reports from anonymous Finders. However, Finders engaging anonymously accept that Warmup may be unable to contact them on topics concerning but not limited to: the vulnerability, progress towards resolution of the vulnerability, publication of the vulnerability.
  • Acknowledge the vulnerability report submitted by the Finder within 7 days of its submission, if the Finder is not anonymous.
  • Keep the Finder updated on progress throughout the process, except when this is not possible due to the Finder engaging anonymously.
  • Aim to resolve valid vulnerabilities within 90 days. However, there may be times where fast resolution or any resolution is not a possible option, for a variety of reasons.

Report a Vulnerability

Link to statements of compliance                 

Link to 6iE Statement of Compliance

Link to 6iE mini Statement of Compliance

Link to Element Statement of Compliance
