BROWAN Vulnerability Disclosure Policy


BROWAN outlines this concise Vulnerability Disclosure Policy (VDP) for potential vulnerabilities in our product line. Please review this brief policy before reporting any vulnerabilities. While we value and appreciate your efforts in enhancing our product security, please note that BROWAN does not currently provide financial compensation for disclosed vulnerabilities. We encourage collaboration with you to uphold the highest standards in IoT security.



If you make a good faith effort to comply with this policy during your security research, we will consider your research authorized. Legal action will not be recommended or pursued by BROWAN related to your research. If a third party initiates legal action against you for activities conducted following this policy, we will confirm this authorization.



  • Promptly inform us upon discovering any real or potential security issues.
  • Exert every effort to prevent privacy violations, user experience degradation, disruption to production systems, and data destruction or manipulation.
  • Utilize exploits only to confirm the presence of vulnerabilities, avoiding any attempt to compromise, exfiltrate data, establish persistent command line access, or pivot to other systems.
  • Allow us a reasonable timeframe to address and resolve the identified issues before making any public disclosures.
  • Abide by all applicable laws and regulations during the security testing process.
  • Upon confirming a vulnerability or encountering sensitive data, cease testing immediately, notify us without delay, and refrain from disclosing this information to any third party.

Reporting Process

If you believe you've found a security vulnerability, please send it to us by emailing
Please include the following details with your report:

  • The product and its version where you observed the vulnerability.
  • A brief description of the type of vulnerability and/or potential impact of the identified issue(s). 
  • Steps on how to reproduce the vulnerability or provide a harmless, non-destructive proof of concept.

What you can expect from us

Once your report is submitted, we'll confirm its receipt within 5 working days. Please grant us a reasonable and practical timeframe, ideally at least 4 weeks, to address your report before making any public announcements or sharing the information with others. Once the reported vulnerability is resolved, we'll notify you promptly and may invite you to confirm the effectiveness of the fix.



If you have any questions about this policy, feel free to reach out to us at 
We welcome your input and encourage you to contact us with any suggestions for enhancing this policy.

Last update: 01/2024, version 1.0