Reporting policy

Enphase vulnerability management and reporting policy

Enphase is committed to maintaining a secure fleet of energy systems and supporting cloud architecture. This Policy is one of the pillars of our security program, because we believe that engaging with the security industry yields faster and better identification and remediation of security issues. Through this policy we seek to encourage responsible investigation and reporting of security issues to Enphase directly. Enphase has partnered with HackerOne to intake all vulnerability disclosures through the HackerOne portal. Please report all security issues using the steps identified by HackerOne. We expect that your report will be acknowledged within five business days, and we will provide you with updates until the issue is resolved.

Scope of policy

This Policy applies to all identified security issues – known or potential – in any Enphase device or system. This includes IoT devices, applications, online environments, enterprise systems, and websites.

Our expectations of you

We are making commitments for the global good, and ask that you do the same. We ask you to read and follow these guidelines:

  • Act promptly. Notify us as soon as possible after discovering a real or potential security issue.

  • Give us time to address issues. Avoid disclosing issues to others until we have had adequate time to address the issue.

  • Respect confidentiality and privacy. Do not retain or disclose confidential information to others at any time; this includes Enphase’s or others’ confidential information, and personal information.

  • Do not harm others. Avoid taking any action that affects user experience, systems, or the confidentiality, integrity, or availability of data in any way. This includes excessive attempts that impact server availability, viewing or extracting information in a way that subjects it to further security issues outside of our environment, seeking to modify or delete any system or information, testing systems or environments which you do not have authorization to access, altering public-facing material such as the Enphase app or websites, attempting network denial-of-service attacks, or any non-technical testing that depends on the actions of people (social engineering, facility access, drop attacks, phishing, extortion or bribery, etc.).

  • Provide complete information. Provide us as much relevant information as possible.

  • Be honest. Provide only accurate information; you should not under any circumstances provide false or misleading information, such as incorrect technical information, misrepresentation of your identity or of the issues you have discovered, or other dishonest information.

Our commitment to the community

Where you act consistent with this policy, Enphase will attempt to:

  • Respond promptly. We commit to respond to your initial report within one week.

  • Collaborate as necessary. We will work with you to understand the issue, if not apparent from your initial report.

  • Remediate promptly. We commit to prioritize and remediate vulnerabilities according to their severity.

Legal Restrictions

We comply with all laws, rules, and regulations, and expect you to do the same. Nothing in this policy should be interpreted to require us, or you, to act in any way inconsistent with legal requirements. This policy does not create any private obligations and does not form a contract between Enphase and any other party. Enphase maintains discretion to compensate for disclosures, but in no event will we compensate individuals on a government sanctions list, or individuals in a country on such a list.

Additional information is available in our commitment to cybersecurity.