Vulnerability Disclosure Policy
Compliance with the UK Product Security and Telecommunications Infrastructure (PSTI) Regulations 2023 and ETSI EN 303 645 Clause 5.2.
- Document ID
- VDP-001
- Version
- 1.0
- Document Owner
- Product Security / Cybersecurity Team
- Approved By
- Ultrahuman Management
1. Purpose
This Vulnerability Disclosure Policy (VDP) defines the process by which security researchers, customers, partners, and other external parties can responsibly report potential security vulnerabilities affecting products, software, mobile applications, cloud services, or associated systems provided by Ultrahuman.
This policy is established to support compliance with:
- UK Product Security and Telecommunications Infrastructure (PSTI) Regulations 2023
- ETSI EN 303 645 V2.1.1 Clause 5.2
- ISO/IEC 29147 (Vulnerability Disclosure)
2. Scope
This policy applies to:
- Consumer IoT devices manufactured or supplied by Ultrahuman
- Associated mobile applications
- Cloud platforms and backend services
- Web portals and APIs associated with the products
- Firmware and software components maintained by Ultrahuman
This policy covers vulnerabilities related to:
- Authentication bypass
- Unauthorized access
- Data exposure
- Privilege escalation
- Insecure communications
- Remote code execution
- Firmware or software vulnerabilities
- Cryptographic weaknesses
- Denial-of-service vulnerabilities
- Other cybersecurity weaknesses impacting confidentiality, integrity, or availability
3. Public reporting contact information
Security vulnerabilities may be reported to:
- Primary email: security@ultrahuman.com
- Alternative email: feedback@ultrahuman.com
- Website: https://www.ultrahuman.com/security
4. Information to include in reports
To assist investigation and remediation, reporters are encouraged to provide:
- Product name and model number
- Firmware/software version
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact assessment
- Proof-of-concept details (if available)
- Logs, screenshots, packet captures, or relevant technical evidence
- Reporter contact information
5. Acknowledgement and response timelines
Ultrahuman shall manage vulnerability reports according to the following timelines:
Where remediation requires additional time due to technical, supply chain, regulatory, or operational constraints, Ultrahuman will provide periodic status updates to the reporter.
6. Coordinated Vulnerability Disclosure (CVD)
Ultrahuman supports Coordinated Vulnerability Disclosure (CVD) practices and encourages responsible reporting.
Security researchers are requested to:
- Avoid privacy violations and service disruption
- Avoid destructive testing
- Not exploit vulnerabilities beyond what is necessary for validation
- Allow reasonable time for remediation before public disclosure
- Maintain confidentiality until coordinated disclosure is agreed
Ultrahuman commits to:
- Reviewing all legitimate reports
- Treating reporters respectfully and professionally
- Not pursuing legal action against good-faith security research activities
- Working collaboratively toward remediation
7. Vulnerability handling process
The vulnerability management process includes:
- Receipt and registration of the vulnerability report
- Validation and technical assessment
- Risk classification using internal or industry-recognized severity methods (e.g., CVSS)
- Root cause analysis
- Remediation development
- Verification and regression testing
- Security update or mitigation release
- Coordinated public disclosure where appropriate
- Closure and documentation retention
8. Security updates and remediation
Where applicable, Ultrahuman will provide remediation through:
- Firmware updates
- Software patches
- Configuration guidance
- Cloud-side mitigations
- Temporary workarounds
- Product advisories
Security updates shall be distributed using secure update mechanisms implemented within the product ecosystem.
9. Disclosure policy
Public disclosure of vulnerabilities may occur:
- After a fix or mitigation becomes available
- When sufficient remediation guidance exists
- In coordination with the reporting party
- When disclosure is necessary to protect customers
Security advisories may include:
- Affected products and versions
- Severity rating
- Description of impact
- Remediation instructions
- Mitigation guidance
- Acknowledgement of the reporter (where agreed)
10. Reporter recognition
Subject to mutual agreement, Ultrahuman may acknowledge responsible security researchers in:
- Security advisories
- Hall of fame pages
- Release notes
- Public acknowledgements
11. Data protection and confidentiality
Information shared during vulnerability reporting shall be handled confidentially and used solely for cybersecurity remediation and product security improvement purposes.
Personal data shall be processed in accordance with applicable data protection and privacy laws.
