Coordinated Vulnerability Disclosure
Found a security issue in a Hydroko product? Thank you. We work with researchers, customers and partners to receive reports, investigate them quickly and ship fixes — for the entire support period of every product we put on the market.
Single point of contact
For all security vulnerabilities affecting Hydroko products or services, please contact our security team directly. We treat every report as confidential and follow up personally.
What this policy covers
This policy is Hydroko’s public Coordinated Vulnerability Disclosure (CVD) commitment. It applies to all current and supported Hydroko products and the services that operate them.
| Asset | Status | Notes |
|---|---|---|
| PiaBox (all hardware revisions and firmware versions in support) | In scope | Application firmware, bootloader, secure-element firmware, wM-Bus and NB-IoT protocol stacks. |
| HydroSense cloud platform & APIs | In scope | The HydroSense back-end, customer portal and device-facing APIs. |
| hydroko.com and piabox.eu | In scope | Public marketing and product-information sites. |
| Third-party components inside our products (e.g. Silicon Labs SDK, Quectel BC660, Kamstrup meter) | In scope | We accept reports and coordinate with upstream vendors via their PSIRT channels. |
| End-of-life products outside the documented support period | Out of scope | We may still triage critical issues — please contact us first. |
| Social engineering, denial-of-service, physical theft, spam reports | Out of scope | Please do not test these against Hydroko, our staff or our customers. |
How to submit a report
What to include
- A clear description of the issue and its potential impact.
- For hardware, the affected product, hardware revision and firmware version (and the serial number of the unit you tested, if relevant).
- For software or services, the affected URL, API endpoint or version.
- Steps to reproduce, proof-of-concept code or screenshots if available.
- Your assessment of severity and the conditions required to exploit.
- Whether you would like to be credited, and under which name.
How to reach us
Email: security@hydroko.com
PGP: See key below (recommended for sensitive details)
Postal: Hydroko NV, attn. Security Team — see hydroko.com for the registered address.
If you have not received an acknowledgment within 5 business days, please re-send your message; it may have been filtered.
Our commitment to you (safe-harbor)
If you report in good faith, we will
- Acknowledge receipt within 5 business days.
- Keep you informed about progress, fixes and disclosure timing.
- Credit you in the published advisory if you wish.
- Not take or support legal action against you, provided you comply with the rules of engagement below.
We ask researchers to
- Give us a reasonable opportunity to investigate and remediate before any public disclosure.
- Make a good-faith effort to avoid privacy violations, data destruction, and disruption of our services or customers.
- Only interact with accounts and devices you own or for which you have explicit permission from the owner.
- Not exfiltrate or retain personal data, and delete any data inadvertently obtained.
- Comply with all applicable laws.
Severe or actively exploited vulnerabilities
For vulnerabilities that are being actively exploited against Hydroko products in the field, we follow the notification obligations of CRA Article 14 (reported to the CSIRT designated as coordinator and to ENISA):
- Within 24 hours of becoming aware: early warning.
- Within 72 hours: full vulnerability notification, including the corrective or mitigating measures taken or available.
- No later than 14 days after a corrective or mitigating measure is available: final report.
- Without undue delay: notification to affected users with the corrective or mitigating measures they can take.
If you believe you have observed exploitation in the wild, please flag this clearly at the top of your email and we will treat the report with priority.
PGP key
For encrypted communication with the Hydroko security team, use the public key below.
Key ID: C019E99C · Fingerprint: 6486 5DFF D94E 2F6A BB62 433D 8F0A 9C4E C019 E99C

-----BEGIN PGP PUBLIC KEY BLOCK-----

mDMEahhJzxYJKwYBBAHaRw8BAQdA3QwG51AM/juExMb3iTPb9quPvtapbtiU+erp
YvI8mHy0NUh5ZHJva28gc2VjdXJpdHkgY29udGFjdCBwb2ludCA8c2VjdXJpdHlA
aHlkcm9rby5jb20+iLIEExYKAFoWIQRkhl3/2U4vartiQz2PCpxOwBnpnAUCahhJ
zxsUgAAAAAAEAA5tYW51MiwyLjUrMS4xMiwwLDMCGwMFCQeGHu0FCwkIBwIGFQoJ
CAsCBBYCAwECHgECF4AACgkQjwqcTsAZ6Zy2zwD+Ltb1BZhK+z5dsMO7m9OMtVnh
ZWhUD2yzOWfhddcq8vQA/25HgskJ4GpiQFxGvIj1AGn290o3BZ5hFMocHSF9lKoA
uDgEahhJzxIKKwYBBAGXVQEFAQEHQIXum42//2kxJxvIbX3ZoPHNOHFOwNKhCrhW
4pfmvCt9AwEIB4iaBBgWCgBCFiEEZIZd/9lOL2q7YkM9jwqcTsAZ6ZwFAmoYSc8b
FIAAAAAABAAObWFudTIsMi41KzEuMTIsMCwzAhsMBQkHhh7tAAoJEI8KnE7AGemc
Sh0BAOQ1ahmHEBuMwon2fAC980YjZyvQVJe7wY0oWfeJ2AO7AQCDStAaDa5iaIoh
O+/oDJ8rgh9kX1Be0DhPafIMxaGzAQ==
=cHWd
-----END PGP PUBLIC KEY BLOCK-----
The key is also published at https://hydroko.com/.well-known/pgp-key-hydroko.txt (the Encryption link in our security.txt) and on public keyservers. Whichever copy you use, check that its fingerprint matches the one printed above before encrypting anything to it; a keyserver lookup by e-mail address or short key ID alone does not prove you have the right key.
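The fingerprint check can be done without trusting a keyserver or even a local gpg install. The following Python is an added example and not Hydroko's own tooling: it takes the armored key block published on this page, verifies the armor's CRC-24 (RFC 4880 section 6.1), walks the packet sequence to the public-key packet, and computes the OpenPGP v4 fingerprint (SHA-1 over 0x99, the two-byte body length and the packet body, RFC 4880 section 12.2). The function and variable names are this example's own; the key block and the expected fingerprint are copied from the page.

```python
"""Offline check of a published OpenPGP key against its advertised fingerprint.

Added example (not Hydroko tooling). Uses only the Python standard library.
"""
import base64
import hashlib
import re

# Armored key block exactly as published on the Hydroko CVD page.
HYDROKO_KEY_BLOCK = """-----BEGIN PGP PUBLIC KEY BLOCK-----

mDMEahhJzxYJKwYBBAHaRw8BAQdA3QwG51AM/juExMb3iTPb9quPvtapbtiU+erp
YvI8mHy0NUh5ZHJva28gc2VjdXJpdHkgY29udGFjdCBwb2ludCA8c2VjdXJpdHlA
aHlkcm9rby5jb20+iLIEExYKAFoWIQRkhl3/2U4vartiQz2PCpxOwBnpnAUCahhJ
zxsUgAAAAAAEAA5tYW51MiwyLjUrMS4xMiwwLDMCGwMFCQeGHu0FCwkIBwIGFQoJ
CAsCBBYCAwECHgECF4AACgkQjwqcTsAZ6Zy2zwD+Ltb1BZhK+z5dsMO7m9OMtVnh
ZWhUD2yzOWfhddcq8vQA/25HgskJ4GpiQFxGvIj1AGn290o3BZ5hFMocHSF9lKoA
uDgEahhJzxIKKwYBBAGXVQEFAQEHQIXum42//2kxJxvIbX3ZoPHNOHFOwNKhCrhW
4pfmvCt9AwEIB4iaBBgWCgBCFiEEZIZd/9lOL2q7YkM9jwqcTsAZ6ZwFAmoYSc8b
FIAAAAAABAAObWFudTIsMi41KzEuMTIsMCwzAhsMBQkHhh7tAAoJEI8KnE7AGemc
Sh0BAOQ1ahmHEBuMwon2fAC980YjZyvQVJe7wY0oWfeJ2AO7AQCDStAaDa5iaIoh
O+/oDJ8rgh9kX1Be0DhPafIMxaGzAQ==
=cHWd
-----END PGP PUBLIC KEY BLOCK-----
"""

# Fingerprint as printed on the page; the key block is checked against it.
PUBLISHED_FINGERPRINT = "6486 5DFF D94E 2F6A BB62 433D 8F0A 9C4E C019 E99C"


def crc24(data: bytes) -> int:
    """CRC-24 of OpenPGP ASCII armor (RFC 4880 section 6.1, reference algorithm)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(armored: str) -> tuple[bytes, bool]:
    """Strip the armor, base64-decode the body and check the trailing '=XXXX' CRC line."""
    lines = [line.strip() for line in armored.strip().splitlines()]
    if not lines[0].startswith("-----BEGIN PGP") or not lines[-1].startswith("-----END PGP"):
        raise ValueError("not an armored OpenPGP block")
    body = lines[1:-1]
    if "" in body:  # skip armor headers ("Version: ...") up to the blank separator line
        body = body[body.index("") + 1:]
    crc_line = body.pop() if body and body[-1].startswith("=") else None
    data = base64.b64decode("".join(body), validate=True)
    crc_ok = crc_line is not None and base64.b64decode(crc_line[1:]) == crc24(data).to_bytes(3, "big")
    return data, crc_ok


def first_public_key_packet(data: bytes) -> bytes:
    """Walk the packet stream and return the body of the first public-key packet (tag 6)."""
    pos = 0
    while pos < len(data):
        tag_byte = data[pos]
        if not tag_byte & 0x80:
            raise ValueError("invalid packet header")
        if tag_byte & 0x40:  # new-format header (RFC 4880 section 4.2.2)
            tag = tag_byte & 0x3F
            first = data[pos + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[pos + 2] + 192, 3
            elif first == 255:
                length, hdr = int.from_bytes(data[pos + 2:pos + 6], "big"), 6
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old-format header (RFC 4880 section 4.2.1): length field is 1, 2 or 4 bytes
            tag = (tag_byte & 0x3C) >> 2
            ltype = tag_byte & 0x03
            if ltype == 3:
                raise ValueError("indeterminate packet length not supported")
            hdr = 1 + (1 << ltype)
            length = int.from_bytes(data[pos + 1:pos + hdr], "big")
        if tag == 6:
            return data[pos + hdr:pos + hdr + length]
        pos += hdr + length
    raise ValueError("no public-key packet found")


def v4_fingerprint(key_body: bytes) -> str:
    """v4 fingerprint: SHA-1(0x99 || 2-byte body length || body), grouped as gpg prints it."""
    if key_body[0] != 4:
        raise ValueError(f"unsupported key version {key_body[0]}")
    digest = hashlib.sha1(b"\x99" + len(key_body).to_bytes(2, "big") + key_body).hexdigest().upper()
    return " ".join(digest[i:i + 4] for i in range(0, 40, 4))


def verify_key_block(armored: str, expected_fingerprint: str) -> dict:
    """Return the computed fingerprint, the short key ID and whether everything matches."""
    data, crc_ok = dearmor(armored)
    fpr = v4_fingerprint(first_public_key_packet(data))
    expected = re.sub(r"\s+", "", expected_fingerprint).upper()
    return {
        "crc_ok": crc_ok,
        "fingerprint": fpr,
        "key_id": fpr.replace(" ", "")[-8:],
        "matches": crc_ok and fpr.replace(" ", "") == expected,
    }


if __name__ == "__main__":
    print(verify_key_block(HYDROKO_KEY_BLOCK, PUBLISHED_FINGERPRINT))
```

Run it against a copy of the key fetched from a keyserver or from the Encryption URL; if `matches` is false, the copy is not the key advertised on this page and should not be used to encrypt a report.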
security.txt
In line with RFC 9116, Hydroko publishes a machine-readable security.txt at https://hydroko.com/.well-known/security.txt:

Contact: mailto:security@hydroko.com
Expires: 2027-05-26T00:00:00.000Z
Encryption: https://hydroko.com/.well-known/pgp-key-hydroko.txt
Preferred-Languages: en, nl, fr
Canonical: https://hydroko.com/.well-known/security.txt
Policy: https://hydroko.com/security/
Legal & governing law
This policy is a public statement of intent and does not create any contractual or legal obligation beyond what is mandated by applicable law. It is governed by the laws of Belgium, where Hydroko NV is registered. Disputes arising from or relating to this policy are subject to the exclusive jurisdiction of the courts of the registered seat of Hydroko NV, without prejudice to any mandatory provisions of consumer or data-protection law.
This page does not constitute a bug-bounty program. We do not offer monetary rewards at this time, but we will gladly credit reporters who wish to be acknowledged.