Skip to content
JoulepointJoulepoint
  • Developers
Request a Briefing
SecurityEngineered in India

Responsible disclosure, acknowledged.

We take security seriously and welcome reports from independent researchers. This page lays out scope, SLAs, contacts, and the coordinated-disclosure process we follow.

Report a vulnerabilitysecurity.txt
Contact
security@
PGP key
Available
Ack
≤24 h
Patch SLA
30/90/180 d
Disclosure
Coordinated
Credit
Public
Network security infrastructure
JP
How to report

One inbox. A human reads every email.

Email security@joulepoint.com with a clear description, reproduction steps, and the affected system. PGP-encrypted reports welcome.

Email

Send to security@joulepoint.com. Use PGP for sensitive details — key fingerprint is published in our security.txt.

Required in the report
  • Description and impact
  • Reproduction steps
  • Affected system / endpoint / firmware version
  • Any proof-of-concept (please don't share publicly)

security.txt

We publish a machine-readable security policy at the standard location (RFC 9116).

GET https://joulepoint.com/.well-known/security.txt
Open security.txt
Service-level commitments

What you can expect from us.

Acknowledgement
Within 24 hours

Business days. A human responds.

Triage
Within 5 days

CVSS-aligned severity assigned with rationale.

Patch SLA
30 / 90 / 180 days

Critical / High / Medium severity respectively.

Public disclosure
After patch + 30 days

Coordinated. We credit you on the advisory.

Researcher principles

Test in good faith. We'll do the same.

Coordinated disclosure protects users and gives us the time to ship a real fix. Stick to these and we'll work with you, not against you.

  • Act in good faith, avoid privacy violations, and never destroy or modify data.
  • Do not access data beyond the minimum required to demonstrate the issue.
  • Give us reasonable time to investigate and remediate before any public disclosure.
  • Stay within the scope listed below. If you're unsure, ask before testing.
Scope

What's in scope. What isn't.

In scope

  • joulepoint.com and *.joulepoint.com
  • Joulepoint CSMS APIs (REST and WebSocket / OCPP transport)
  • Joulepoint hardware firmware (DC chargers, AC chargers, VCU/ECU/CCU, OBC, DC-DC, traction)
  • Joulepoint mobile apps (driver, operator, OEM)
  • Cryptographic implementations (TLS, OCPP Security Profile 3, OCMF, ISO 15118-20 PnC)

Out of scope

  • Third-party services we integrate with (Sanity, Vercel, AWS, etc.) — please report to those vendors directly
  • Social-engineering attacks against employees or customers
  • Physical attacks against our facilities
  • Denial-of-service tests against production systems
  • Findings from automated scanners with no demonstrated impact
Report

Found something? Let us know.

security@joulepoint.com — acknowledged within 24 hours. PGP key in security.txt.

security@joulepoint.com
Joulepoint

India's energy R&D company. We engineer power electronics, embedded firmware, charging infrastructure and intelligent energy platforms for the energy transition.

Registered

Joulepoint Private Limited · CIN U74999TG2020PTC146334

Headquarters

Hyderabad, Telangana, India

Company

  • About
  • Leadership & Team
  • R&D
  • OEM Partnership
  • Case Studies
  • Engineering Blog
  • Careers
  • Press & Media

Solutions

  • CPO Solutions
  • Energy Intelligence
  • OCPP CSMS
  • Fleet Management
  • Vehicle Manufacturers
  • OEM Remote Diagnostics

Hardware

  • EV Chargers
  • Onboard Chargers
  • Smart Meters
  • DC Controller
  • DC-DC Converters
  • Traction Inverter
  • VCU / ECU
  • OBD Diagnostics

Software

  • OCPP/OCPI CSMS
  • Fleet Management
  • Energy Intelligence
  • OEM Diagnostics
  • Developer Docs
Salessales@joulepoint.com
Partnershipspartners@joulepoint.com
OEM programmesoem@joulepoint.com
Careerscareers@joulepoint.com
© 2026 Joulepoint Private Limited. All rights reserved.
  • Privacy Policy
  • Terms & Conditions
  • Security
  • Legal