Sympower launches a Responsible Disclosure Programme for independent security researchers

Sympower has launched a Responsible Disclosure Programme, inviting external independent security researchers to report vulnerabilities they find in the company’s internet-facing systems. The programme is a structured, good-faith channel for collaboration that strengthens the security of the platforms Sympower’s customers and partners rely on.

Strengthening Sympower’s systems to safeguard the energy grid


Sympower unlocks the flexibility of batteries, renewables and energy-intensive industries to balance the grid and maximise value for asset owners. Because the company operates within critical energy infrastructure, the security of its digital systems is inseparable from the reliability of the grid itself.

Sympower is already ISO 27001-certified, the gold standard for information security management, which provides a framework to safeguard sensitive data and ensure confidentiality, integrity, and availability. 

"Operating in power markets means our systems are part of critical infrastructure, so security must be a continuous commitment rather than a one-off audit," commented Simon Bushell, Sympower’s CEO and Founder. "By opening a clear, authorised channel for independent researchers to report what they find, we ensure that we are strengthening our platform and constantly improving the security of our customers’ and partners’ resources and data."

Independent security researchers play a valuable role in finding and reporting weaknesses before they can be exploited. Sympower’s Responsible Disclosure Programme gives those researchers an authorised route to report what they find, and a commitment from the company to investigate, validate, and address verified issues. The programme covers Sympower's internet-facing information systems, applications, and websites.

Researchers who test and report in good faith, in line with the policy, are covered by a safe harbour commitment: Sympower will not pursue legal action for accidental, good-faith violations made during authorised testing. While Sympower does not currently operate a paid bug bounty, we recognise contributions on a public Security Acknowledgements page, with the researcher's consent, and researchers who prefer to remain anonymous can do so. Sympower has committed to acknowledging every report within three business days and keeping researchers informed throughout the process.

Independent researchers wishing to participate in the programme can send their report to security@sympower.net.

The full Responsible Disclosure Policy is available here.

Background information about the programme (FAQ)

  • Who can take part? Any independent security researcher who is not a current Sympower employee, intern, or contractor. Researchers should only test against accounts they own or have explicit authorisation to test.

  • What is in scope? Technical vulnerabilities in Sympower's internet-facing information systems, applications, and websites, including the Sympower domain and related subdomains. Examples include misconfigurations, cross-site request forgery, privilege escalation, SQL injection, cross-site scripting, and directory traversal. Third-party systems, physical security, social engineering, and denial-of-service testing are out of scope.

  • Is this a paid bug bounty? No. Sympower does not currently operate a paid bug bounty. The programme recognises contributions through public acknowledgement rather than financial reward.

  • What do researchers receive in return? With the researcher's consent, Sympower recognises the contribution on a public Security Acknowledgements page. Recognition can include the researcher's name or alias, the date of disclosure, and the category of vulnerability reported. Researchers who prefer to stay anonymous can do so.

  • Will Sympower take legal action against researchers? No. Independent research conducted in good faith and in line with the policy is authorised. Sympower will not initiate or support legal action for accidental, good-faith violations made during authorised testing.

  • How do I report a vulnerability? Send a report to security@sympower.net. To help us act quickly, include a description of the issue and its potential impact, step-by-step instructions to reproduce it, the affected systems or endpoints, and your contact details for follow-up.

You can find the full scope, rules of engagement and reporting guidelines in our Responsible Disclosure Policy here.

Updated at: 30 June 2026
Manon Thomas PR & Communication Manager
Press & Media Enquiries manon.thomas@sympower.net