Vulnerability Disclosure Policy

Version 1.0

This Vulnerability Disclosure Policy establishes the principles and procedures by which Marstek receives, evaluates, manages, and remediates security vulnerabilities. The purpose of this policy is to enhance product security, protect user data, and maintain the integrity and reliability of Marstek products and services. This policy applies to all:
- Marstek hardware products
- Marstek mobile and Web software
- Cloud services, APIs, and firmware associated with Marstek
- Any third-party components integrated into the above systems
It is applicable to users, developers, external security researchers, partners, and any individual or entity reporting a potential security vulnerability.

Marstek is committed to safeguarding user privacy and maintaining strong security standards. We encourage good-faith reports of potential security vulnerabilities and pledge to evaluate and remediate valid submissions promptly, transparently, and responsibly. We do not tolerate malicious activity, exploitation, or unauthorized access attempts. Reports must be submitted through the approved process outlined in this policy.

Individuals who believe they have identified a security vulnerability must submit their report through the Vulnerability Report Form available on the Marstek Vulnerability Management page. Reports should include, to the extent possible:
- A clear description of the vulnerability
- Steps to reproduce
- Affected product models, versions, or firmware
- Any supporting technical details, logs, or evidence
All information submitted will be handled confidentially.

Marstek follows an internal vulnerability management process aligned with ISO/IEC 30111 and evaluates all reported issues using CVSS v3.1 scoring standards. The process includes the following stages:

Severity Level | Expected Remediation Time
Critical       | Within 3 business days
High / Medium  | Within 30 business days
Low            | Within 180 business days

Actual timelines may vary due to real-world complexity, product dependencies, or hardware constraints.

Marstek will acknowledge receipt of all valid reports and may provide follow-up communication where appropriate. Public disclosure of vulnerabilities may occur only after remediation is completed and must follow coordinated disclosure principles.

Reporters must avoid:
- Exploiting or abusing the vulnerability
- Accessing user data or systems beyond what is necessary for proof-of-concept
- Publicly disclosing information before remediation is complete
- Performing actions that degrade service availability or product performance
Good-faith research conducted within these boundaries will not be subject to legal action.

We thank all individuals and organizations who responsibly report security vulnerabilities. Your efforts directly contribute to improving the safety and reliability of Marstek products and protecting our global user community.