
Vulnerability Disclosure Policy

Last updated: 15 April 2026

1. Summary (TL;DR)

If you believe you have found a security vulnerability in a BlackIoT product, firmware, reference design, or website, email security@blackiot.swiss with details. We will acknowledge within 3 working days, triage within 10 working days, and coordinate public disclosure once a fix or mitigation is available. Research conducted in good faith within the scope below is welcomed and protected by safe-harbor terms.

2. Reference framework

  • ISO/IEC 29147:2018 — Vulnerability disclosure.
  • ISO/IEC 30111:2019 — Vulnerability handling processes.
  • RFC 9116 — security.txt (/.well-known/security.txt).
  • Regulation (EU) 2024/2847 — Cyber Resilience Act, Annex I Section 2 (vulnerability handling and coordinated disclosure).
  • Directive (EU) 2022/2555 (NIS 2) — coordinated vulnerability disclosure policy at Member-State level.

3. Scope

In-scope assets:

  • All open-source firmware and reference designs published by BlackIoT (including the Polverine repository).
  • BlackIoT products placed on the market (WildBay, Vallarta, BlackMoon, Polverine, Mayreau, PortRoyal MKR, Havana MKR, Martinica MKR, and their MKR evaluation variants).
  • The www.blackiot.swiss website and supporting infrastructure operated by BlackIoT.

Out of scope:

  • Third-party hosting infrastructure, SaaS platforms, or shared services not operated by BlackIoT.
  • Social-engineering attacks against BlackIoT personnel or clients.
  • Denial-of-service testing against production systems.
  • Physical attacks, theft, or unauthorized access to BlackIoT premises.
  • Vulnerabilities in end-of-life products for which support has been formally discontinued.

4. How to report

Send your report to security@blackiot.swiss. Please include:

  • Affected product, firmware version, or URL.
  • A clear description of the vulnerability and its potential impact.
  • Steps to reproduce, proof-of-concept code or screenshots where helpful.
  • Your name or handle and whether you would like public acknowledgement.

We accept reports in English, Italian, French, or German.

5. What we commit to

  • Acknowledge receipt of your report within 3 working days.
  • Triage and confirm within 10 working days; we will communicate severity and anticipated remediation timeline.
  • Keep you informed of material progress.
  • Coordinate public disclosure after a fix, mitigation, or advisory is available — typically within 90 days of triage, extendable by mutual agreement for complex supply-chain issues.
  • Credit the reporter in the advisory and release notes unless you prefer to remain anonymous.
  • Notify ENISA and designated CSIRTs on the CRA cadence (24 h / 72 h / 14 d) when an actively exploited vulnerability is identified in an in-scope product placed on the EU market.

Fig. — The BlackIoT coordinated-disclosure flow: report received at security@blackiot.swiss at T0, acknowledgement within 3 working days, triage and CVSS v3.1 severity scoring within 10 working days, coordinated public disclosure typically within 90 days with reporter credit. If a vulnerability is actively exploited in a product placed on the EU market, an escalation branch triggers the CRA Article 14 cadence of 24 h / 72 h / 14 d to ENISA and the designated national CSIRT, in parallel with the standard remediation and disclosure path.

6. Safe harbor

BlackIoT will not initiate civil action or file a criminal complaint against you, and will ask authorities to halt any such action in progress, for security research that is:

  • Conducted in good faith against in-scope assets;
  • Limited in scope and duration to what is necessary to confirm and report the vulnerability;
  • Non-destructive — no data exfiltration, no modification of other users' data, no denial of service;
  • Consistent with applicable law in your jurisdiction and in Switzerland.

Safe harbor does not override your obligation to comply with mandatory statutory rules (e.g., personal-data protection law), and does not authorize access to third-party systems.

7. What we ask of you

  • Give us reasonable time to remediate before any public disclosure.
  • Do not access, modify, or exfiltrate data belonging to others; if you inadvertently encounter such data, stop and notify us.
  • Do not perform attacks that degrade availability (DoS) or data integrity.
  • Do not attempt to pivot from a confirmed vulnerability into further exploitation.

8. Reward

We do not currently operate a paid bug-bounty program. We issue written acknowledgements and, where appropriate, public credit in product advisories and release notes.

9. PGP / signing

A PGP key for security@blackiot.swiss is available on request. Please email us if you need to encrypt a sensitive report and we will reply with the key.

10. Contact and authority

Security reports: security@blackiot.swiss. General inquiries: info@blackiot.swiss.

This policy is issued by BlackIoT Sagl (CHE-192.005.916), Via Stefano Franscini 2A, 6833 Vacallo, Switzerland.


© 2026 BlackIoT Sagl — CHE-192.005.916 · Vacallo, Switzerland