Vulnerability Disclosure Policy

KUMA Limited – Vulnerability Disclosure Policy
Effective Date: 01/05/2022

At KUMA Limited, we take product security seriously and are committed to protecting our customers and their data. We recognise the important role that security researchers and the wider community play in helping us to identify and mitigate potential vulnerabilities.

This policy outlines how to report security vulnerabilities in any KUMA product or service in a responsible manner.

1. Scope

This policy applies to:

  • All physical KUMA hardware products, including our 4G and 5G routers

  • Firmware and software developed or distributed by KUMA

  • KUMA’s websites and web services

2. Reporting a Vulnerability

If you believe you have discovered a security vulnerability in a KUMA product or service, please report it to us by email:

security@kuma-products.com (monitored weekdays 9am–5pm GMT)

Please include:

  • A detailed description of the vulnerability

  • Affected product(s) and version(s)

  • Reproduction steps (proof-of-concept, if available)

  • Your contact details so we can follow up (optional)

3. Our Commitments

Upon receiving your report, we will:

  • Acknowledge receipt within 5 working days

  • Assess the reported issue and determine its validity

  • Aim to provide a progress update within 30 calendar days

  • Work to resolve valid vulnerabilities as quickly as possible

  • Credit the reporter publicly (with consent) if a fix is issued

4. Responsible Disclosure Guidelines

We request that you:

  • Avoid exploiting the vulnerability (e.g. accessing, modifying or deleting data)

  • Do not publicly disclose the issue before we’ve had reasonable time to resolve it

  • Comply with all applicable laws

5. Out of Scope

The following are not covered under this policy:

  • Physical attacks requiring direct access to devices

  • Social engineering, phishing, or denial-of-service attacks

  • Use of expired or unsupported firmware versions

  • Vulnerabilities in third-party services not maintained by KUMA

6. Legal Safe Harbour

We will not take legal action against individuals who:

  • Act in good faith

  • Follow this policy

  • Do not exploit the vulnerability for personal gain

Thank you for helping us keep KUMA products secure.