Vulnerability Disclosure Policy (VDP)
1. Purpose
This Vulnerability Disclosure Policy outlines how individuals can report security vulnerabilities in Oz Smart Things smart device products and services, in compliance with the Security Standards for Smart Devices Rules 2025 under Australian law.
We are committed to maintaining the security and privacy of our customers and to collaborating with security researchers in a respectful, constructive, and lawful manner.
2. Scope
This policy applies to:
- All smart devices manufactured, distributed, or supported by Oz Smart Things PTY LTD
- Associated mobile apps and cloud platforms
- Backend services, APIs, and web-based interfaces used in device functionality
3. How to Report a Vulnerability
If you believe you've discovered a vulnerability, please report it to us as soon as possible via the following contact:
- Email: support@ozsmartthings.com.au
- PGP Public Key: [link or note 'available on request']
Please include the following:
- Product name and version
- Description of the vulnerability
- Steps to reproduce
- Any proof-of-concept code or screenshots
- Your contact information (optional for anonymous reporting)
4. What to Expect From Us
Upon receiving your report:
- You will receive an acknowledgment within 5 business days
- We will assess the report and provide a status update within 10 business days
- If confirmed, we will work to address the issue within a reasonable time frame (typically within 90 days)
We will notify you when the issue has been resolved and may publicly credit you, with your consent.
5. Our Commitments
We commit to:
- Not pursuing legal action against researchers who act in good faith and follow this policy
- Treating all reports confidentially and respectfully
- Working with you to understand the scope and impact of the issue
- Keeping you informed throughout the remediation process
6. Out of Scope
The following are considered out of scope for this policy:
- Social engineering (e.g., phishing employees)
- Physical attacks on infrastructure
- Denial-of-service (DoS) attacks
- Issues found in systems not owned or controlled by Oz Smart Things PTY LTD
7. Legal Safe Harbour
This policy is designed to align with safe harbour protections under the Australian Security Standards for Smart Devices Rules 2025. Actions consistent with this policy will be considered authorised.
8. Version History
Version | Date | Change
V1 | 29/07/25 |
1.0 | [29/07/25] | Initial version aligned with 2025 Rules