Loading...
Policy · VDP-001

Vulnerability Disclosure Policy

Compliance with the UK Product Security and Telecommunications Infrastructure (PSTI) Regulations 2023 and ETSI EN 303 645 Clause 5.2.


Document ID
VDP-001
Version
1.0
Document Owner
Product Security / Cybersecurity Team
Approved By
Ultrahuman Management

1. Purpose

This Vulnerability Disclosure Policy (VDP) defines the process by which security researchers, customers, partners, and other external parties can responsibly report potential security vulnerabilities affecting products, software, mobile applications, cloud services, or associated systems provided by Ultrahuman.

This policy is established to support compliance with:

  • UK Product Security and Telecommunications Infrastructure (PSTI) Regulations 2023
  • ETSI EN 303 645 V2.1.1 Clause 5.2
  • ISO/IEC 29147 (Vulnerability Disclosure)

2. Scope

This policy applies to:

  • Consumer IoT devices manufactured or supplied by Ultrahuman
  • Associated mobile applications
  • Cloud platforms and backend services
  • Web portals and APIs associated with the products
  • Firmware and software components maintained by Ultrahuman

This policy covers vulnerabilities related to:

  • Authentication bypass
  • Unauthorized access
  • Data exposure
  • Privilege escalation
  • Insecure communications
  • Remote code execution
  • Firmware or software vulnerabilities
  • Cryptographic weaknesses
  • Denial-of-service vulnerabilities
  • Other cybersecurity weaknesses impacting confidentiality, integrity, or availability

3. Public reporting contact information

Security vulnerabilities may be reported to:

4. Information to include in reports

To assist investigation and remediation, reporters are encouraged to provide:

  • Product name and model number
  • Firmware/software version
  • Description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact assessment
  • Proof-of-concept details (if available)
  • Logs, screenshots, packet captures, or relevant technical evidence
  • Reporter contact information

5. Acknowledgement and response timelines

Ultrahuman shall manage vulnerability reports according to the following timelines:

Activity
Target Timeline
Initial acknowledgement of vulnerability report
Within 5 business days
Initial triage and assessment
Within 10 business days
Status update to reporter
At least every 30 calendar days
Risk classification and remediation planning
As soon as reasonably practicable
Security advisory publication (if applicable)
After remediation availability or coordinated disclosure

Where remediation requires additional time due to technical, supply chain, regulatory, or operational constraints, Ultrahuman will provide periodic status updates to the reporter.

6. Coordinated Vulnerability Disclosure (CVD)

Ultrahuman supports Coordinated Vulnerability Disclosure (CVD) practices and encourages responsible reporting.

Security researchers are requested to:

  • Avoid privacy violations and service disruption
  • Avoid destructive testing
  • Not exploit vulnerabilities beyond what is necessary for validation
  • Allow reasonable time for remediation before public disclosure
  • Maintain confidentiality until coordinated disclosure is agreed

Ultrahuman commits to:

  • Reviewing all legitimate reports
  • Treating reporters respectfully and professionally
  • Not pursuing legal action against good-faith security research activities
  • Working collaboratively toward remediation

7. Vulnerability handling process

The vulnerability management process includes:

  • Receipt and registration of the vulnerability report
  • Validation and technical assessment
  • Risk classification using internal or industry-recognized severity methods (e.g., CVSS)
  • Root cause analysis
  • Remediation development
  • Verification and regression testing
  • Security update or mitigation release
  • Coordinated public disclosure where appropriate
  • Closure and documentation retention

8. Security updates and remediation

Where applicable, Ultrahuman will provide remediation through:

  • Firmware updates
  • Software patches
  • Configuration guidance
  • Cloud-side mitigations
  • Temporary workarounds
  • Product advisories

Security updates shall be distributed using secure update mechanisms implemented within the product ecosystem.

9. Disclosure policy

Public disclosure of vulnerabilities may occur:

  • After a fix or mitigation becomes available
  • When sufficient remediation guidance exists
  • In coordination with the reporting party
  • When disclosure is necessary to protect customers

Security advisories may include:

  • Affected products and versions
  • Severity rating
  • Description of impact
  • Remediation instructions
  • Mitigation guidance
  • Acknowledgement of the reporter (where agreed)

10. Reporter recognition

Subject to mutual agreement, Ultrahuman may acknowledge responsible security researchers in:

  • Security advisories
  • Hall of fame pages
  • Release notes
  • Public acknowledgements

11. Data protection and confidentiality

Information shared during vulnerability reporting shall be handled confidentially and used solely for cybersecurity remediation and product security improvement purposes.

Personal data shall be processed in accordance with applicable data protection and privacy laws.

Follow Us

https://twitter.com/ultrahumanhqhttps://www.linkedin.com/company/ultrahumanhq/https://www.instagram.com/ultrahumanhq/https://www.youtube.com/@UltrahumanOfficial

Download app

https://apps.apple.com/us/app/ultrahuman-meditation-sleep/id1491286709https://play.google.com/store/apps/details?id=com.ultrahuman.android

© 2020-2026 Ultrahuman Healthcare Pvt Ltd. All rights reserved. ISO27001, GDPR, and HIPAA compliant.