Security and Compliance

Responsible Disclosure Policy

Overview

This document provides an overview of the responsible disclosure program at Xeal, also known as a ‘bug bounty’ program. Xeal supports and rewards security researchers acting in good faith to help us improve the security of our products and services through responsible disclosure, provided those disclosures are made in accordance with the terms and conditions in this policy. 

Before submitting any finding to this program, you must read and understand the contents of this policy fully.

In return, Xeal offers compensation based on our internal assessment of the severity of any discovered issue.

Scope

The Xeal bug bounty program applies only to Xeal software - it does not apply to any Xeal hardware. The reason for this is twofold: 1) Simply put, safety - like all EV charging equipment, Xeal chargers contain high-voltage circuits. Attempting to gain physical access to charger hardware, especially if the charger is powered on, is extremely dangerous, and can damage both the charger and the person doing the tinkering!

2) Xeal works with a leading specialized hardware penetration testing company, and has internal hardware penetration testing resources focused on this area.

Given this, the following Xeal software products are in scope:

• The Xeal Mobile applications, on Android and iOS.

  • Android: https://play.google.com/store/apps/details?id=com.xealenergy.android.xealnfc&hl=en_US&gl=US

• iOS: https://apps.apple.com/us/app/xeal-ev-charging/id1552856268

• The backend API’s used by the mobile applications on a *.xealenergy.com domain.

• The Xeal marketing site: www.xealenergy.com.

• Any publicly exposed infrastructure elements that support Xeal’s product or business operations, for example, AWS public S3 buckets - if the contents of those buckets should not be public.

Absolutely not in scope:

• Hardware vulnerabilities.

• Third party business applications leveraged by Xeal.

• Non-production environments, unless their vulnerabilities directly impact production environments.

• Anything on Github that is not part of the “xealenergy” organization.

The following vulnerability types are not considered in-scope unless our implementation has resulted in data leakage or account takeover:

• Configuration and best practices such as SPF/DMARC, CORS, security headers, or insecure SSL/TLS ciphers.

• Denial of Service.

• Information disclosure such as file path, unless it can lead to sensitive info.

• Clickjacking.

• Email and account policies such as reset method and password complexity.

• Theoretical XSS or self-XSS attacks without evidence of exploitability, such as input being reflected in response.

Rules of Engagement and Legal Matters

Xeal will not engage in legal action against individuals or entities that submit vulnerability reports that cover in scope products and services (as defined above), through the approved channels (defined below).

Furthermore, Xeal agrees not to pursue legal action against individuals or entities that adhere to the following rules of engagement when identifying and submitting vulnerabilities:

• Testing and/or research should be non-disruptive (e.g. no denial of service), and should not harm Xeal’s operations or customers. If you’re not sure if a particular test will cause disruption, err on the side of caution and do not perform it without consulting Xeal’s security team first.

• Testing and/or research should be on in scope systems only. If you’re not sure whether a system is in scope, please ask.

• Testing and/or research should not deliberately seek to access information belonging to Xeal customers. Instead, a researcher should leverage their own accounts within the Xeal environment.

• Security researchers should refrain from disclosing issues publicly prior to a mutually agreed upon disclosure date.

• Security researchers are responsible for ensuring they adhere to local laws and legislation at all times. 

• All security researchers wishing to be considered for compensation when submitting a vulnerability should ensure that their research, or testing, is conducted in accordance with the above rules of engagement.

How to Report a Vulnerability to Xeal

Vulnerability reports should be submitted to the Xeal security team via email to security@xealenergy.com.

Xeal follows the security.txt ( https://securitytxt.org/ ) standard for relaying the most up to date information regarding our responsible disclosure program and preferred methods of communication. 

Please review our security.txt file at the following URL to ensure you have the latest information before making a vulnerability submission: https://www.xealenergy.com/.well-known/security.txt.

The security.txt file contains a link to the Xeal Security team’s public PGP key, which can optionally be used to encrypt incoming reports. This may be advisable if the report submission includes sensitive data.

Preference, Prioritization and Acceptance Criteria

In order to obtain the most value from this program, for both Xeal and the participating security researcher, we strongly advise that, and will give priority to disclosures which include:

• Reports that are well written, and submitted in English where possible.

• Reports that include proof of concept code that permit Xeal to better triage the issue.

• Reports that include details of how the vulnerability was identified, a suggested impact rating, and any potential remediations you might suggest.

• Reports that are more than just output from automated testing tools, and scans.

• Reports that include any intentions or timelines for public disclosure.

If you follow these guidelines, you can expect the following from Xeal:

• A timely response to your initial disclosure.

• Open dialog which includes planned remediation timelines where a remediation is necessary.

• Notification when final remediation has occurred.

• Compensation where applicable (see below).

Compensation

Xeal compensates security researchers based on the following factors:

• The severity of the issue identified (we leverage a formula linked to the CVSS).

• The quality of the reporting.

• Xeal’s internal risk assessment of the issue.

• Whether or not the issue has already been disclosed to Xeal prior to your submission (we only pay out once per issue).

• Any applicable legislation that may impact our ability to award compensation, for example, international sanctions against individuals or countries.

Xeal will work with the researcher to facilitate payment. Payment amounts are entirely at Xeal’s discretion — which is something you agree to when submitting bugs as part of this program.