BDR Thermea’s Global Vulnerability Policy

In line with the Product Security and Telecommunications Infrastructure Act 2022 (PSTIA)

This policy applies to all members of the BDR Thermea Group.


Introduction


BDR Thermea takes your security seriously. We operate under this Global Vulnerability Policy (“Policy”) which reflects our commitment to maintaining the security, integrity, and functionality of our products and services, ensuring your confidence and our compliance with regulatory standards.


This Vulnerability Policy explains how we identify, respond to, and fix vulnerabilities in our products and services in line with our legal responsibilities under the PSTIA and other UK regulations like the UK GDPR.


Our goal is to keep our products safe, reliable, and trustworthy, so you can use them with confidence.
This policy applies to everyone who interacts with our systems, products, or services, including our team, contractors, and partners.



1. What We Mean by Vulnerabilities


Vulnerability: A weakness in software, hardware, or processes that could be exploited and affect security, performance, or data integrity.


Vulnerability Assessment: A formal review to find, evaluate, and prioritise vulnerabilities based on how serious they are and what impact they could have.


2. Our Principles and Goals


We’re committed to treating you fairly and being transparent about how we manage vulnerabilities. 
Our main goals are:

  1. To protect you from risks caused by weaknesses in our systems or processes.
  2. To meet our legal obligations under the PSTIA.
  3. To build trust by keeping you informed about any issues that could affect the security or reliability of our products.

3. How You Can Report a Vulnerability


We’ve made it easy for you to let us know if you spot something: please use our online form at https://www.bdrthermeagroup.com/security-issue-reporting-psti


When reporting, please include:

  1. A clear description of the issue
  2. Steps to reproduce it (if you know them)
  3. Any impact it has had or could have


We’ll acknowledge your report within 5 business days and keep you updated as we work on it.


4. How We Assess and Fix Vulnerabilities


Once we receive a report:

  1. We’ll assess the risk within 10 working days
  2. We’ll take immediate action based on how serious the issue is


5. Ongoing Monitoring


We use both manual checks and automated tools to keep an eye on our systems:

  1. We review our monitoring processes every quarter
  2. We keep a detailed log of vulnerabilities and how we’ve handled them
  3. We review our processes regularly to keep improving


6. Keeping You Informed


If a vulnerability affects the security, performance, or data integrity of our products, we’ll let you know promptly.

We’ll use:

  1. Alerts via our apps or web systems
  2. Clear summaries that explain what’s happening


Each notification will include:

  1. A summary of the issue and its impact
  2. What we’re doing to fix it
  3. What you can do to stay safe, if needed


7. Get in Touch

If you have questions or feedback regarding the above vulnerability reporting procedure, email our technical helpline at technical.helpline@baxi.co.uk


8. Important Guidelines for Responsible Vulnerability Reporting


To help keep everyone safe and ensure responsible testing, please follow these important rules:


What you must not do:

  1. Do not share sensitive information, especially personal data, in any screenshots or attachments you send us.
  2. Never test vulnerabilities on customer devices, software, or systems without first obtaining the customer’s permission or consent.
  3. Don’t exploit the vulnerability you’ve found. That means no downloading more data than necessary, and no deleting or modifying anything.
  4. After testing, make sure the device is still safe to use. Retest it and check with your service provider before putting it back into operation.
  5. Coordinate with us before going public. If you plan to disclose a vulnerability publicly, please let us know first so we can work together to minimise any risks to safety, privacy, or security.
  6. Keep your actions proportionate. You must avoid:
    • Using social engineering to gain access
    • Creating backdoors to demonstrate a vulnerability
    • Going beyond what’s needed to prove the issue exists
    • Copying, changing, or deleting data - consider using a directory listing instead
    • Making changes to the system
    • Repeatedly accessing the system or sharing access
    • Using high-intensity invasive or destructive scanning tools to find vulnerabilities
    • Using brute force attacks (e.g. guessing passwords repeatedly)


What you must do:

  • Respect data protection laws. Don’t share, redistribute, or mishandle any data you access.
  • Delete any data you’ve retrieved as soon as it’s no longer needed - or within one month of the vulnerability being resolved (whichever comes first), unless the law requires otherwise.
  • Adhere to applicable laws and regulations.