ELTEK S.P.A. Vulnerability Disclosure Policy
Effective Date: 10/02/2026
At Eltek S.p.A., we are committed to providing secure IoT devices to our customers. Security is a top priority, and we value the input of the security research community. This policy outlines how we handle reports of potential vulnerabilities in our IoT products, the responsible disclosure process, and the steps we take to mitigate risks and protect our users.
In Eltek S.p.A. IoT products, a vulnerability is a logical weakness that a threat can exploit, allowing an unauthorized external subject to violate the digital perimeter of the device and cause damage or compromise security. In practice, it is a weakness that makes the product susceptible to attack and allows a malicious party to gain unauthorized access to the device, take control of it, access personal information or use the device for purposes other than those intended.

1. Scope of the Policy
This policy applies exclusively to IoT devices designed and manufactured by Eltek S.p.A.

2. Responsible Disclosure Process
We encourage the responsible disclosure of vulnerabilities to ensure that they are addressed quickly and safely.
We encourage all individuals to report any discovered vulnerabilities, regardless of the stage of the product lifecycle. We appreciate the concerns of those reporting and commit to addressing any vulnerability that is reasonably connected to our products. We strongly encourage reporters to follow a coordinated disclosure process, as releasing information prematurely could expose our customers' systems to unnecessary risks.
Please follow the steps below to report any potential vulnerabilities.
Step 1: Report the Vulnerability
Please send your vulnerability reports to our security team by filling in the form available on our web portal, which you can open by clicking the button “report a cybersecurity vulnerability” at the bottom of this page.

To ensure that we can quickly assess and respond to the issue, please include the following information in your report:
• Description of the vulnerability: a clear and detailed description of the issue.
• Affected devices: the specific IoT device(s) affected.
• Steps to reproduce: a detailed, reproducible method for testing the vulnerability.
• Impact: an assessment of the risk and potential impact of the vulnerability (e.g., unauthorized access, data leakage, remote code execution).
• Additional information: any logs, screenshots, attachments or data that can assist with the investigation.
• Your contact details for follow-up.

Step 2: Acknowledgment of Receipt
We will acknowledge receipt of your report within 48 hours. Our security team may follow up with additional questions or requests for clarification.
Step 3: Investigation and Fix
Once the vulnerability is confirmed, our team will investigate the issue, prioritize it based on its impact and work on a fix. We will keep you informed of our progress and any actions being taken. We will test all fixes thoroughly to ensure they do not introduce new issues or regressions.
Step 4: Public Disclosure
Once the vulnerability has been resolved or mitigated, we will notify the sender of the vulnerability report by email that the activity has been completed.
The message will include:
• A description of the vulnerability and its impact.
• The actions taken to solve the issue.
• Any security advisories or additional user guidance to ensure devices are secure.

3. What We Expect from Reporters
By submitting a vulnerability report to Eltek S.p.A., you agree to:
• Act in good faith: do not exploit or exacerbate the vulnerability you discover, and do not attempt to access or steal sensitive data, disrupt services or harm users.
• Report responsibly: do not publicly disclose the vulnerability until we have had the chance to investigate and resolve the issue.
• Respect privacy: do not access any private or personally identifiable information.
• Cooperate: if requested, collaborate with our team in case additional information is needed to solve the issue.
• Legality: do not violate any criminal law, and do not cause harm to Eltek S.p.A., our customers or others.

4. Out-of-Scope Vulnerabilities
While we appreciate the contribution of the security community, certain vulnerabilities are considered out of scope for this program. These include:
• Low-impact issues that do not present significant security risks, such as minor usability issues.
• Any other issues that cannot be classified as a vulnerability.

5. Legal Safe Harbor
We are committed to providing a legal safe harbor for researchers who follow this policy. If you report a vulnerability to us in good faith and follow the guidelines outlined here, we will not take legal action against you.
However, if you violate these guidelines (e.g., by accessing unauthorized systems or data), we may take appropriate legal action. Always ensure that your actions are in compliance with applicable laws and ethical standards.
This policy shall be governed by the laws of Italy.

6. Updates to the Policy
We may update this Vulnerability Disclosure Policy as needed to reflect changes in our processes, products or the security landscape. We will publish any updates on this page and encourage you to review it regularly.

Contact Information:
• Security Team Email: vulnerability@eltekgroup.it
• Vulnerability link:

Thank you for helping us make our IoT devices and services more secure.
