Vulnerability and Patch Management Policy
measurable.energy (m.e) is committed to resolving vulnerabilities to meet the needs of customers and the broader technology community. Vulnerabilities and errors may be reported in online locations that our marketing reviews or searches, through email, and through in-person reporting to m.e team members. We may discover vulnerabilities through automated tools, dedicated active searches for vulnerabilities, and internal and external pen tests. Our component suppliers actively search for vulnerabilities and share them with us. The product team reviews general vulnerabilities. This includes vulnerability mailing lists such as the weekly CNI Threat Insights distributed by the NCSC and Microsoft CVE alerts.
We value those who take the time and effort to report security vulnerabilities according to this policy. However, we do not offer monetary rewards for vulnerability disclosures. If you believe you have found a security vulnerability, please submit your report to us at security@measurable.energy. In your report, please include details of:
- The website, IP, page, device model or app version where the vulnerability can be observed.
- A brief description of the type of vulnerability, for example: “XSS vulnerability”.
- Steps to reproduce. These should be benign, non-destructive proof of concept/exploitation. This helps to ensure that the report can be triaged quickly and accurately and reduces the likelihood of duplicate reports or malicious exploitation of some vulnerabilities, such as sub-domain takeovers.
- What you believe the impact of the vulnerability could be.
- Your contact details so that we can keep you updated and work together on a CVD.
You can find out more about reporting a vulnerability to m.e here: Vulnerability Disclosure Policy
Once your vulnerability has been resolved, we welcome requests to disclose your report. We want to unify guidance to affected users, so please continue coordinating public releases with us. If applicable, m.e will coordinate public notification of a validated vulnerability with you. When possible, we would prefer that our respective public disclosures be posted simultaneously as a Coordinated Vulnerability Disclosure (CVD). The CVD will be in line with the ISO/IEC 29147:2014 standard.
To protect our customers, m.e requests that you do not post or share any information about a potential vulnerability in any public setting until we have researched, responded to and addressed the reported vulnerability and informed customers if needed.
Whether a CVD is posted or not, m.e may inform the ICO, NCSC, insurance providers, customers, investors or other interested parties, depending on the type of vulnerability and the likely impact.
| Services affected (select all that apply) | Vulnerability affects (select all that apply) | Impact | Likelihood to be exploited | Response needed |
|---|---|---|---|---|
| m.e Hub | Confidentiality | 1 Minimal impact | 1 Exceedingly unlikely | 1 Somewhen |
| m.e Hardware | Integrity | 2 Minor or local loss of services/data | 2 Within the next 5 years | 2 Soon |
| m.e Platform backend | Availability | 3 Sustained loss of local services or important data | 3 Within the next year | 3 Shortly |
| m.e Website | | 4 Serious disruption for multiple users for a sustained period of time or loss of PII/GDPR-protected data | 4 Within the next 6 months | 4 Urgently |
| m.e Supplier | | 5 Serious disruption of ability to deliver service to all clients or significant loss or release of PII/GDPR-protected data | 5 Very soon/already happened | 5 Immediately |
Figure 1: Vulnerability prioritisation matrix
Patch Management
Once a vulnerability has been reported, assessed, and prioritised, it will then be actioned by entering our patch management process. This process is split into two key areas:
- m.e Cloud-based platforms: our website and the m.e Hub
- m.e Products: Hardware and Software
The process followed remains the same for both areas. The time to do each step is dependent on the severity and prioritisation designated:
- Patch is classed as a major or minor release depending on vulnerability priority.
- Patch is developed and tested by the tech team.
- Patch is deployed to our testing environment and tested by wider internal stakeholders.
- Before deployment, patch release notes are compiled and communicated.
- The patch is deployed with the following designations:
  - Level 5 is deployed to all affected parties immediately.
  - Level 4 is deployed on the next scheduled update (minor or major).
  - Level 3 is deployed on the next scheduled minor update.
  - Level 2 is planned into an appropriate future minor update.
  - Level 1 is planned into a future update if required.
- The patch functionality is supported by measurable.energy Customer Success and subject to our existing technical support.
If you believe you have found a security vulnerability in a measurable.energy product, service or website, please submit your report to us.
| Version | 4 |
| Last reviewed | January 2026 |