The MClimate Security Policy was updated on 28.05.2026
Security Policy
1. Purpose and Scope
MClimate develops LoRaWAN-based IoT devices sold in the European Union, including the Vicki TRV, Fan Coil Thermostat, HT/CO2/AQI Sensors, T-Valve, and related accessories. These products are subject to the EU Cyber Resilience Act (CRA).
This policy defines how MClimate receives, triages, remediates, and publicly discloses security vulnerabilities affecting its products and supporting infrastructure. It applies to:
— Device firmware (all current LoRaWAN product lines)
— Factory provisioning and key management systems
— The MClimate Enterprise cloud platform (firmware update delivery, device management)
— Third-party components and open-source dependencies embedded in MClimate products
2. How to Report a Vulnerability
MClimate welcomes reports from security researchers, customers, and the broader community. We are committed to working collaboratively and transparently with anyone who identifies a security issue in our products.
Security Contact
Email: security@mclimate.eu
Please use this address for all security vulnerability reports. For general product support, use lorawan-support@mclimate.eu instead.
What to Include
To help us triage your report quickly, please include as much of the following as possible:
— Affected product name and firmware version (if known)
— Description of the vulnerability and its potential impact
— Steps to reproduce, including any proof-of-concept code or hardware setup
— Whether you believe the vulnerability is being actively exploited
— Your preferred contact method for follow-up
You do not need a complete proof-of-concept to submit a report. Partial findings are welcome.
Encrypted Reporting
If your report contains sensitive details, you may request our PGP public key by emailing security@mclimate.eu before submitting the full report. We will provide a key and instructions within 2 business days.
3. Our Commitments to Reporters
When you submit a report to security@mclimate.eu, MClimate commits to:
— Acknowledging receipt of your report within 5 business days
— Treating your report confidentially and not sharing your identity without your consent
— Keeping you informed of progress at agreed intervals
— Notifying you before any public disclosure
— Not pursuing legal action against researchers who act in good faith under this policy
— Crediting you in public advisories, unless you prefer to remain anonymous
4. Response and Remediation Timeline
The following timelines apply from the date MClimate receives a complete and reproducible report:
Phase — Target time — Outcome
Initial acknowledgement — 5 business days — Confirm receipt of report
Triage and validity assessment — 30 days — Confirm scope, severity, and remediation plan
Patch development and testing — 90 days — FUOTA-delivered firmware fix; serial update for legacy devices
Public disclosure — After fix deployed or day 90 — Coordinated with reporter; CVE assignment if applicable
Extension (by mutual agreement) — Up to +30 days — For complex vulnerabilities requiring hardware mitigations
MClimate delivers security patches via Firmware Update Over the Air (FUOTA) through the MClimate Enterprise platform. When a patch is available, customers who have connected their LoRaWAN network server to the Enterprise platform will be notified and can initiate the firmware update from the platform. Customers operating offline or without Enterprise integration should contact lorawan-support@mclimate.eu for an on-site update path.
5. Security Update Availability
MClimate commits to making security updates available for each product for a minimum of 5 years from the date it was first placed on the EU market, in accordance with Article 13(8) of the EU Cyber Resilience Act.
For the following products, the security update support period is:
Vicki TRV (MC-LW-V02-BI and variants) — first placed on EU market: 28 September 2020 — security updates available until: 28 September 2030 (10 years)
Fan Coil Thermostat, HT/CO2/AQI Sensors, T-Valve — minimum 5 years from first EU market date; specific end dates are published in the product technical documentation available on request
After the security update support period ends, MClimate will publicly disclose any newly discovered vulnerabilities at mclimate.eu/security without an obligation to produce a patch. Each case will be evaluated individually.
Security updates are delivered via Firmware Update Over the Air (FUOTA) through the MClimate Enterprise platform. See Section 4 for the delivery process and contact for offline update paths.
6. Severity Classification
MClimate uses the Common Vulnerability Scoring System (CVSS v3.1) to classify severity. The following response priorities apply:
Critical — CVSS 9.0–10.0 — Patch target: 30 days — Examples: remote code execution, key extraction
High — CVSS 7.0–8.9 — Patch target: 60 days — Examples: firmware downgrade, denial of service
Medium — CVSS 4.0–6.9 — Patch target: 90 days — Examples: information disclosure, debug interface exposure
Low — CVSS 0.1–3.9 — Patch target: next scheduled release — Examples: minor configuration hardening
7. Safe Harbour
MClimate will not pursue legal action against security researchers who:
— Act in good faith and follow this policy
— Do not access, modify, or exfiltrate user data beyond what is needed to demonstrate a vulnerability
— Do not perform denial-of-service attacks against production infrastructure or deployed devices
— Do not attempt physical attacks on devices owned by others without their consent
— Do not publicly disclose the vulnerability before MClimate has had a reasonable opportunity to remediate
This safe harbour applies to the researcher, not to any third party exploiting the vulnerability for malicious purposes.
8. Out of Scope
The following are out of scope for this policy and should not be tested:
— Customer-operated LoRaWAN network servers, gateways, or application servers not owned or operated by MClimate
— Physical attacks requiring sustained access to deployed devices in the field
— Social engineering attacks targeting MClimate staff or customers
— Denial-of-service attacks against the LoRaWAN RF layer
— Vulnerabilities in third-party services outside MClimate's control (e.g., public network servers, cloud providers)
9. Regulatory Reporting (EU Cyber Resilience Act)
In accordance with Article 14 of the EU Cyber Resilience Act, MClimate will:
— Notify ENISA (the EU Agency for Cybersecurity) of any actively exploited vulnerability in a MClimate product within 24 hours of becoming aware of it, using ENISA's designated reporting channel
— Provide a full incident report to ENISA within 72 hours of the initial notification
— Cooperate with national competent authorities as required
These regulatory obligations are separate from and run in parallel with our coordinated disclosure commitments to reporters.
10. Policy Contact and Updates
This policy is reviewed annually and whenever a significant change to MClimate's product architecture affects its vulnerability handling capabilities. The latest version is always available at https://mclimate.eu/security-policy.
Questions about this policy may be directed to security@mclimate.eu.
History
v1.0 — May 2026 — Initial release (EU Cyber Resilience Act compliance)