Vulnerability Disclosure Policy
VDP
Last updated: April 15, 2026
1. Purpose
Cold Electric (hereinafter referred to as "the Company") is committed to ensuring the security of our products and services. We value feedback from the security research community and users, and welcome good-faith vulnerability reports.
This policy provides clear channels and procedures for vulnerability disclosure, ensuring that security issues are addressed promptly and effectively to protect our customers and their assets.
2. Scope
This policy applies to the following products and services:
- Firmware and software of energy storage system products including Cold ZERO, Cold OG, and Cold OG2
- Control software for microgrid and grid-connected energy storage systems
- HMI (Human-Machine Interface) systems
- BMS (Battery Management System) communication interfaces
- Company-operated websites (coldelectric.com) and related online services
If you are unsure whether your finding falls within this scope, please contact us and we will assist in making that determination.
3. Vulnerability Definition
A "security vulnerability" under this policy refers to a technical weakness that may result in:
- Unauthorized access to systems or data
- Exposure of personal data or sensitive information
- Service disruption or system anomalies
- Bypass of security control mechanisms
- Remote code execution
- Privilege escalation
- Other technical defects or security vulnerabilities that the Company determines are sufficient to affect the confidentiality, integrity, or availability of information systems, products, equipment, or information assets.
4. Reporting Channel
If you discover a potential security vulnerability, please report it through the following channel:
To protect the confidentiality of your report, we recommend using encrypted email or transmitting via TLS-encrypted connections.
If the vulnerability involves a major cybersecurity incident as defined by the Cybersecurity Management Act, the Company will simultaneously initiate the statutory notification procedures.
5. Report Contents
To expedite vulnerability analysis and response, please include the following information in your report:
- Vulnerability description: A detailed explanation of the issue
- Affected product: Product name, model, and version
- Reproduction steps: Specific steps to reproduce the vulnerability
- Impact assessment: Your preliminary evaluation of potential impact
- Proof of Concept (PoC): If available, please provide verification code or screenshots
- Contact information: Your name (or pseudonym) and contact details
6. Handling Process
Upon receiving a vulnerability report, the Company will follow this process:
Acknowledgment
We will confirm receipt of the report within 5 business days and provide a case reference number.
Initial Assessment
A dedicated team will verify the vulnerability and assess its impact. Preliminary results will be communicated within 10 business days.
Remediation
Once confirmed, remediation work begins immediately. The timeline depends on the severity and technical complexity of the vulnerability.
Patch Release
After remediation, patches will be distributed via firmware or system updates.
Case Closure
The reporter will be notified of the resolution, and public disclosure will be made at the appropriate time.
7. Public Disclosure
The Company will disclose vulnerability information based on the following principles:
- Public disclosure occurs only after remediation is complete and patches have been released
- Prior to disclosure, we will communicate fully with the reporter to agree on content and timing
- Disclosure will include a vulnerability summary, affected scope, remediation details, and acknowledgment
- If consensus on timing cannot be reached, the Company will generally disclose within 90 days after remediation
8. Safe Harbor
The Company commits to the following protections for good-faith reporters:
- We will not initiate criminal or civil proceedings against individuals conducting bona fide security research in accordance with this policy. However, if the research conducted by the reporting party involves harm to the public interest or violates a non-prosecutorial offense under the Criminal Code (such as Article 362, the crime of damaging electromagnetic records) or other mandatory legal provisions, the Company will cooperate with the competent authorities in accordance with the law.
- We will not impose adverse consequences on reporters for good-faith vulnerability submissions
- We will work collaboratively with reporters to understand and resolve security issues
The Company is committed to protecting those who report in good faith. "Good faith" as used in this policy means that research and reporting activities must simultaneously meet all of the following requirements:
Legitimate Purpose
Research activities are limited to discovering, verifying, and reporting security vulnerabilities, and are not for the purpose of obtaining illicit gains, damaging the Company's reputation, or engaging in unfair competition.
Minimization of Damage
During vulnerability verification, the "minimum necessary actions" must be taken. Stress tests, distributed denial-of-service (DDoS) attacks, or any tests that may interfere with energy storage system scheduling and energy supply stability are strictly prohibited.
Respect for Privacy
If, during the verification process, you accidentally come into contact with or obtain others' personal data or the Company's business secrets, you must immediately cease the activity and must not store, copy, modify, distribute, or use such information. You must proactively disclose this in your report.
Procedural Compliance
Strictly adhere to the provisions of Section 9 (Reporter Guidelines) of this policy, and do not disclose vulnerability details to any third party or publish them on public platforms before the vulnerability is patched.
Acting in Accordance with the Law
The research activities do not constitute a non-prosecution offense under the Criminal Code regarding damage to computer systems or obstruction of computer use.
For researchers who meet the above principles of good faith, the Company promises not to pursue criminal prosecution or civil claims against them.
9. Reporter Guidelines
To protect the interests of all parties, reporters should observe the following:
- Do not publicly disclose vulnerability details without the Company's consent
- Do not access or modify other users' data
- Do not conduct tests that may impact service availability (e.g., DoS attacks)
- Do not exploit vulnerabilities for unauthorized activities
- Comply with all applicable laws and regulations