Vulnerability Handling

Report your vulnerability and we'll get back to you.

PalmSens Vulnerability Handling Policy

1. Introduction and Purpose

At PalmSens, the security of our products, software, and user data is a top priority. We are committed to identifying, mitigating, and resolving security vulnerabilities in a timely and transparent manner. This Vulnerability Handling Policy outlines our coordinated vulnerability disclosure process and details our commitment to maintaining the digital security of our products in accordance with the EU Cyber Resilience Act (CRA).

2. Scope

This policy applies to all digital products, software, and services provided by PalmSens, including the infrastructure of the palmsens.com website.

3. How to Report a Vulnerability

We welcome reports from security researchers, users, and the broader community. If you believe you have discovered a security vulnerability in a PalmSens product or on our website, please report it to us immediately.

Reporting Process:

  1. Navigate to our official contact page: https://www.palmsens.com/contact
  2. Fill in the contact form with your details.
  3. In the message body, please provide as much relevant information as possible to help us reproduce and understand the issue. We recommend including:
    • A description of the vulnerability and its potential impact.
    • The specific product, software version, or URL affected.
    • Detailed steps to reproduce the vulnerability (proof-of-concept scripts or screenshots are highly appreciated).

Note: Please do not exploit the vulnerability further than necessary to prove its existence, and do not share the vulnerability publicly until we have had the opportunity to investigate and release a fix.

4. Our Vulnerability Handling Process

Once a vulnerability is reported via our contact form, the PalmSens security team will handle the disclosure according to the following process:

  • Acknowledgment: We will acknowledge receipt of your vulnerability report within 2 business days.
  • Investigation & Triage: Our team will verify the vulnerability, assess its severity, and determine the potential impact on our users.
  • Remediation: If the vulnerability is validated, we will develop, test, and prepare a security update or patch. The timeline for the fix will depend on the severity and complexity of the vulnerability.
  • Communication: We will keep the reporter updated on the progress of the investigation and the expected timeline for a resolution.
  • Disclosure: Once the vulnerability has been securely patched and the fix rolled out to our users, we may publish a security advisory that details the issue and the fix and credits the reporter (if desired).

5. Security Updates and Support Duration

In strict compliance with the EU Cyber Resilience Act, PalmSens is committed to ensuring that our products remain secure throughout their lifecycle.

PalmSens guarantees that users will receive free security updates and vulnerability patches for at least 5 years from the date the product is placed on the market. We actively maintain our software to address newly discovered risks and ensure that our hardware and software ecosystems remain robust against emerging cyber threats.

6. User Responsibilities

To ensure the highest level of security, we strongly encourage all PalmSens users to:

  • Promptly install software and firmware updates when they are made available.
  • Register their products and subscribe to our mailing list to receive immediate notifications regarding critical security advisories.

7. Safe Harbor

PalmSens considers activities conducted consistent with this policy to constitute “safe” conduct. We will not initiate legal action or law enforcement investigation against individuals who report vulnerabilities in good faith and comply with the guidelines set forth in this policy.
