Purpose

Dylash Pty Ltd T/As Crystal Aquatic Systems is committed to maintaining the security of our products, services, cloud platforms, mobile applications, and supporting infrastructure. We welcome reports from security researchers, customers, partners, and members of the public regarding potential security vulnerabilities.

This policy explains how to report a security issue and how we will work with you to investigate and resolve it.

Scope

This policy applies to security vulnerabilities affecting:

• Pool automation controllers and associated hardware
• Mobile applications
• Cloud services and web portals
• APIs and integrations operated by or on behalf of Dylash Pty Ltd T/As Crystal Aquatic Systems
• Firmware and software updates
• Any other software or services developed and maintained by Dylash Pty Ltd T/As Crystal Aquatic Systems.

Reporting a Security Vulnerability

Security vulnerabilities should be reported to:

Email: info@crystalas.com

When submitting a report, please include as much information as possible, including:

• Description of the vulnerability
• Affected product, software version, firmware version, or service
• Steps required to reproduce the issue
• Proof-of-concept code, screenshots, logs, or other supporting information where available
• Potential security impact.

Reports may be submitted in English.

Our Commitment

Upon receiving a vulnerability report, Dylash Pty Ltd T/As Crystal Aquatic Systems will:

Acknowledge Receipt

We will acknowledge receipt of a vulnerability report within 5 business days.

Initial Assessment

We will review the report and determine whether the issue is valid, reproducible, and within scope.

Status Updates

We will provide periodic status updates during the investigation and remediation process.

Where possible, updates will be provided at least every 30 days until the matter is resolved or closed.

Resolution

Where a reported vulnerability is confirmed, Dylash Pty Ltd T/As Crystal Aquatic Systems will:

• Assess the severity and impact
• Develop and test an appropriate remediation
• Release a security update, configuration change, mitigation guidance, or other corrective action where appropriate
• Notify affected customers where required.

The time required to resolve an issue will depend on its complexity, severity, and operational impact.

Responsible Disclosure Guidelines

To protect customers and systems, we ask researchers to:

• Act in good faith
• Avoid actions that could harm customers, systems, data, or services
• Avoid accessing, modifying, deleting, or exfiltrating customer data
• Avoid disrupting services or product availability
• Avoid social engineering, phishing, physical attacks, or denial-of-service testing
• Provide Dylash Pty Ltd T/As Crystal Aquatic Systems a reasonable opportunity to investigate and remediate issues before public disclosure.

Safe Harbour

Dylash Pty Ltd T/As Crystal Aquatic Systems will not pursue legal action against researchers who:

• Act in good faith
• Comply with this policy
• Avoid privacy violations, data destruction, service disruption, or unlawful activity
• Promptly report discovered vulnerabilities.

Any activities that exceed these guidelines may be referred for further review.

Coordinated Disclosure

Dylash Pty Ltd T/As Crystal Aquatic Systems supports coordinated vulnerability disclosure.

We request that public disclosure of a vulnerability be delayed until:

• A fix has been released, or
• Appropriate mitigation guidance has been provided, or
• Dylash Pty Ltd T/As Crystal Aquatic Systems and the reporter agree on a reasonable disclosure timeline.

Out of Scope

The following are generally not considered security vulnerabilities under this policy:

• Spam or social engineering campaigns
• Physical attacks requiring device theft or physical tampering
• Missing best-practice controls without a demonstrable security impact
• Reports based solely on outdated software versions where updates are available
• Denial-of-service testing
• Automated scanning reports without evidence of a genuine vulnerability
• Issues in third-party products not developed or maintained by Dylash Pty Ltd T/As Crystal Aquatic Systems.

Privacy

Personal information submitted through the vulnerability reporting process will be handled in accordance with our Privacy Policy and applicable privacy laws.

Policy Updates

This policy may be updated from time to time. The latest version will be published on the Dylash Pty Ltd T/As Crystal Aquatic Systems website.