Vulnerability Disclosure Policy
Last updated: 14 January 2026
NIBE Group is committed to safeguarding and protecting its customers, information assets, and any other information entrusted to the company.
This commitment includes taking information security and cybersecurity risks seriously and recognizing the importance of confidentiality, integrity, availability, and privacy.
NIBE Group addresses reported security issues through a coordinated and responsible disclosure process intended to reduce risk and protect NIBE, its customers, consumers, employees, and other stakeholders.
When notified of a security issue in accordance with this policy, NIBE Group will make reasonable efforts to acknowledge the report, assess the issue, and, where appropriate, remediate verified security issues within a reasonable timeframe.
Scope
This policy describes how NIBE Group receives, assesses, and handles externally reported security vulnerabilities and security-related incidents.
This policy applies to:
- Products developed, produced, sold, or managed by NIBE Group entities
- Customer-facing digital services provided by NIBE Group
- IT systems operated by NIBE Group
Security issues affecting systems or services operated by third-party suppliers are handled in accordance with the applicable supplier procedures, unless explicitly stated otherwise by NIBE Group.
Out of Scope
The following security issues are considered out of scope and may be rejected without further action:
- Unrealistic or impractical scenarios. Issues that rely on unlikely user behavior, obsolete or unsupported platforms, abnormal operating conditions, attacker-controlled privileged access, physical access, or user misconfiguration. Social engineering scenarios are explicitly excluded.
- Theoretical issues without demonstrated impact. Findings that cannot be shown to have a material impact on security. This includes cosmetic issues, minor information disclosures, open redirects without meaningful exploitation, automated scanner output, and third-party CVEs without demonstrated relevance to NIBE Group systems or products.
- Best practice and hardening suggestions. General security advice, configuration recommendations, or hardening suggestions that do not represent exploitable security issues.
- Hazardous testing. Testing that may cause service disruption, degradation, or impact to users, including denial-of-service attempts, resource exhaustion, abusive traffic, phishing, impersonation, or similar activities. Such activities are strictly prohibited.
- Unsupported or invalid targets. Reports affecting systems, services, or products outside the defined scope.
- Low-quality or unverifiable submissions. Reports that lack sufficient technical detail, reproducibility, or credible evidence. Automated or AI-assisted tools may be used only if the resulting report is accurate, verifiable, and independently reproducible.
Reporting Security Issues
A security issue may be either:
- A vulnerability in a product, service, or IT system, or
- A security incident affecting the confidentiality, integrity, or availability of systems or data.
Security issues shall be reported via the process described at https://vdp.nibegroup.com. Reports should be submitted as soon as reasonably practicable after discovery and, where feasible, no later than 24 hours after discovery.
Requirements for Reporters
Reporters must, at all times:
- Respect privacy. Immediately cease testing and notify NIBE Group if personal data or confidential information is accessed. Such data must not be retained, stored, or transmitted.
- Act in good faith. Report security issues without expectation of compensation, conditions, or demands.
- Work with us. Promptly disclose findings, cease further testing after identifying an initial security issue unless explicitly authorized, and allow NIBE Group a reasonable period to remediate the issue prior to public disclosure.
Reporters must not:
- Exfiltrate, modify, or delete data
- Exploit security issues beyond minimal proof-of-concept
- Bypass or disable security controls
- Conduct social engineering activities
- Use automated scanning or mass-testing tools without prior written authorization
A separate reporting process applies to personal data breaches. See NIBE Group's Privacy Policy for additional information.
Safe Harbor
Security research conducted in good faith and in compliance with this policy is considered authorized by NIBE Group. NIBE Group will not initiate legal action solely for activities that are undertaken in accordance with this policy and that are intended to identify, report, and responsibly disclose security issues.
This authorization applies only to activities that avoid intentional harm, service disruption, unauthorized data exposure, or violations of applicable law. Activities that fall outside the scope of this policy are not covered by this safe harbor.
Handling of Reported Issues
NIBE Group reviews and handles reported security issues in a responsible and coordinated manner.
- Reported issues are evaluated to determine scope, validity, severity, and potential impact.
- Where appropriate, NIBE Group will implement corrective actions, including remediation, mitigation, or compensating controls.
- NIBE Group aims to acknowledge valid reports within five business days and to maintain reasonable communication with the reporter.
- Information related to reported issues shall be treated as confidential until remediation or mitigation has been completed, unless otherwise agreed in writing.
- For verified vulnerabilities that fall within the scope of NIBE Group's CNA responsibilities, NIBE Group will issue a CVE record and publish a public security advisory where applicable. CNA scope details are published on the official CVE website.
- Security issues affecting IT systems are handled in accordance with applicable regulations, including NIS2. CVE records are not issued for internal IT systems.
- Recognition or discretionary rewards may be considered after an issue has been addressed, where applicable. NIBE Group does not operate a public bug bounty program.
We greatly appreciate the efforts of security researchers and discoverers who share information on security issues with us, giving us a chance to improve our products and services, and better protect our customers. Thank you for working with us through the above process.