Vulnerability Disclosure Policy
Introduction
SPAN is dedicated to maintaining a secure and safe relationship with our customers. This commitment extends to all technology on SPAN websites, applications, products, and platforms. We recognize that security researchers play a vital role in the ecosystem, and we encourage the responsible reporting of vulnerabilities to help us protect our community.
Note: SPAN does not operate a bug bounty program and does not provide financial compensation.
Authorization
To encourage the responsible disclosure of security vulnerabilities, SPAN will not take legal action against you under the Computer Fraud and Abuse Act (CFAA), the Digital Millennium Copyright Act (DMCA), or similar laws, and will consider security research activities to be “authorized” only on the condition that you strictly adhere to the following Guidelines.
Rules of Engagement
Your authorization to conduct research and submit a Vulnerability Report is contingent upon the following:
- Terms of Service: You must not intentionally or indirectly violate SPAN’s Terms of Service.
- Safety First: You must not compromise the safety of any SPAN product or expose any person to unsafe conditions.
- No Monetary Gain: You must not attempt to sell vulnerability information to third parties or hold the information for ransom.
- Data Integrity: You must not modify, access, or delete any data or accounts that do not belong to you.
- Confidentiality: You must not disclose vulnerability details to third parties until SPAN has remediated the issue.
- Post-Exploitation: You must not conduct post-exploitation activities, including persistent access, privacy violations, or causing interruptions to SPAN services.
- Restricted Attacks: Brute-force attacks and Denial-of-Service (DoS/DDoS) attacks are strictly prohibited.
- The Emergency Brake: Once you’ve established that a vulnerability exists or encountered any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test immediately. Notify us right away and do not disclose this data to anyone else.
- Sanctions Compliance: You must not be a resident of, or make your submission from, a country against which the United States has issued export sanctions (e.g., Cuba, Iran, North Korea, Syria). You must not be designated on the U.S. Treasury’s Specially Designated Nationals (SDN) List.
Submission Standards
To ensure our team can focus on high-impact findings, all reports must meet these quality standards:
- Demonstrable Exploitability: We only accept vulnerabilities that are exploitable under reasonable, real-world assumptions. Theoretical weaknesses, "paper" vulnerabilities, or findings that require highly improbable conditions to execute are not entertained.
- Functional Proof of Concept (PoC): You must provide a functional PoC and clear documentation demonstrating the exploit. Reports without a reproducible path to exploitation will be closed without review.
- No Automated Scans: Reports consisting primarily of raw output from automated scanners (e.g., Burp Suite, Nessus) or AI-generated hypotheses without manual validation and proof of impact will be closed.
- Practical Impact: Clearly explain the actual risk to SPAN products, customers, or infrastructure. Submissions that only highlight deviations from "best practices" without a practical exploit path are considered out of scope.
- Language: All submissions and documentation must be in English.
How to Report
Please submit all reports to: vulnerability@span.io
By submitting a Vulnerability Report, you grant SPAN a perpetual, irrevocable, worldwide, royalty-free license to use, share, and modify the information provided for any purpose. We aim to acknowledge receipt within 5 business days.
Scope
In-Scope
- SPAN Home App (iOS and Android)
- SPAN Panel and SPAN Drive (firmware and hardware)
- *.span.io
- SPAN Installer App (iOS and Android)
- SPAN Fleet
- Eaton Smart Panel with SPAN Energy Intelligence
- SPAN API
- SPAN Home On-premise
- *.xfra.ai
Out-of-Scope
- Third-party hardware (Inverters, Batteries) not manufactured by SPAN.
- Social engineering or phishing of SPAN employees.
- Physical security of SPAN facilities.
Our Commitment
Because SPAN products manage high-voltage electrical systems, our remediation process requires extensive safety testing. We ask for a reasonable amount of time to address vulnerabilities, and we will maintain an open dialogue with you throughout the process.