‍Purpose

Aquanow is committed to ensuring the safety and security of our clients and employees. We aim to foster an environment of trust and maintain an open partnership with the security community. We recognize the importance of vulnerability disclosures and whistleblowers in helping us maintain safety and security for all our clients and employees.

This policy reflects our internal values and upholds our legal responsibilities to good-faith security researchers who provide their expertise, as well as whistleblowers who add an extra layer of security to our infrastructure. The purpose of this policy is to allow for the reporting and disclosure of vulnerabilities discovered by external parties, and to enable anonymous reporting of information security policy violations by internal entities.

Scope

This policy applies to the entire Aquanow corporate structure, including all subsidiaries.

All systems, technology assets, and data that process, receive, store, or transmit data must follow the requirements and guidance described in this policy. This applies to both internal users of Aquanow and external parties.

Vulnerability Report and Disclosure

How to Submit a Vulnerability

To submit a vulnerability report to the Aquanow Security Team, please use the following email: bugbounty@aquanow.com.

Preference, Prioritization, and Acceptance Criteria

We use the following criteria to prioritize and triage submissions.

How to Report Effectively

• Well-written reports in English will have a higher probability of resolution.
• Reports that include proof-of-concept code equip us to better triage.
• Reports that include only crash dumps or other automated tool output may receive lower priority.
• Reports that include products not on the initial scope list may receive lower priority.
• Include how the bug was found, the impact, and any potential remediation.
• Include any plans or intentions for public disclosure.

What to Expect from Aquanow

• A timely response to your email within 2 business days.
• After triage, Aquanow Security will send an expected timeline and commit to being as transparent as possible about the remediation timeline, as well as any issues or challenges that may extend it.
• An open dialog to discuss issues.
• Notification when the vulnerability analysis has completed each stage of our review.
• Credit after the vulnerability has been validated and fixed.
• If Aquanow is unable to resolve communication issues or other problems, we may bring in a neutral third party to assist in determining how best to handle the vulnerability.

Legal Posture

Aquanow will not engage in legal action against individuals who submit vulnerability reports through our Vulnerability Reporting mailboxes or internal channels. We accept reports for currently listed Aquanow products. We agree not to pursue legal action against individuals who:

• Engage in testing of systems/research without harming Aquanow or its clients.
• Engage in vulnerability testing within the scope of our vulnerability disclosure program.
• Test on products without affecting customers or receive permission/consent from customers before engaging in vulnerability testing against their devices/software.
• Adhere to the laws of their location and the location of Aquanow. For example, violating laws that would only result in a claim by Aquanow and not a criminal claim may be acceptable, as Aquanow is authorizing the activity, e.g., reverse engineering or circumventing protective measures, to improve its system.
• Refrain from disclosing vulnerability details to the public before a mutually agreed-upon timeframe expires.
• Aquanow may be required to collaborate with, and provide information to, regulators and law enforcement agencies where necessary to investigate or report suspected unlawful activity.

Revision: January 2026
Classification: Public