Koolmesh Vulnerability Disclosure Policy
1. Purpose
2. Scope
In-Scope Services
- Internet-facing services in *.koolmesh.com subdomains, except domains noted below in “Out-of-scope services”.
- We consider the following subdomains to be the most relevant for security research:
- iot.koolmesh.com (Official web portal for lighting control & user management)
- openapi.koolmesh.com (Web-side official API endpoints)
- api.koolmesh.com (Mobile application dedicated API service)
- Mobile applications provided by Koolmesh
- Proprietary Bluetooth Mesh lighting control networks using Koolmesh technology
- Connected lighting products integrating Koolmesh Bluetooth Mesh technologies, including gateways, control panels, sensors, drivers and related embedded firmware devices.
Out-of-Scope Services
- Main marketing site at www.koolmesh.com
- FAQ and help center at faq.koolmesh.com
- Support and documentation site at support.koolmesh.com
- Internal-only management system admin.koolmesh.com (not exposed to public internet, not open for external security testing)
- Development or test deployments with dev / test in domain names
3. Security Contact Channel
- Corporate official website
- Product user manual and installation guide
- EU distributor and sales supporting documents
- CRA compliance technical documents
4. How to Submit a Vulnerability Report
- Detailed description of the vulnerability
- Affected product family, model and firmware version
- Step-by-step reproduction method
- Proof-of-concept, screenshots or technical logs (if available)
- Contact information for follow-up communication
5. Acceptance & Acknowledgement
6. Prohibited Activities
- Large-scale network scanning, brute-force attack, DoS / DDoS testing
- Unauthorized access to internal company systems, staff accounts or customer cloud environments
- Physical damage, disassembly beyond normal installation scenarios
- Social engineering, phishing or privacy data collection without authorization
- Exploiting vulnerabilities for commercial gain or malicious purposes
7. Vulnerability Assessment & Remediation Process
- We classify the vulnerability severity and evaluate affected product lines, firmware versions and exploitation risks
- Relevant R&D teams develop firmware patches, OTA updates, security configuration hardening or temporary mitigation measures
- We maintain continuous communication with the reporter throughout the remediation lifecycle
- Once the fix is ready, we arrange coordinated disclosure and close the case formally
8. CRA Regulatory Reporting Obligations
For actively exploited vulnerabilities or severe cybersecurity incidents impacting the security of products with digital elements, Koolmesh shall perform regulatory notification activities in accordance with applicable CRA requirements.
| Requirement | Timeline |
|---|---|
| Early warning notification | Within 24 hours after becoming aware of the actively exploited vulnerability or severe incident |
| Formal vulnerability / incident notification | Within 72 hours after becoming aware of the actively exploited vulnerability or severe incident |
| Final report for actively exploited vulnerabilities | No later than 14 days after the corrective or mitigating measure is available |
| Final report for severe incidents impacting product security | Within one month after the 72-hour incident notification |
Where the reportable event concerns an actively exploited vulnerability, Koolmesh shall submit the final report no later than 14 days after the corrective or mitigating measure is available. Where the reportable event concerns a severe incident impacting the security of the product, Koolmesh shall submit the final report within one month after the 72-hour incident notification.
Regulatory notifications may include national CSIRTs, ENISA, competent authorities or other applicable supervisory bodies through the CRA single reporting platform, as required under CRA obligations.
Where required by applicable CRA obligations, affected customers, users, distributors or relevant authorities shall be notified without undue delay regarding the incident, potential impact and available mitigation or corrective measures.
All regulatory communication, notification records, internal assessment records and reporting evidence shall be retained as part of the official PSIRT incident archive and CRA compliance evidence.
9. Severity Classification
- Critical: Remote unauthorised access, Bluetooth Mesh network hijacking, gateway privilege escalation, mass device compromise, vulnerabilities actively exploited in the wild.
- High: Default password remaining enabled, hardcoded credentials, debug interface exposed in production, unauthenticated OTA upgrade risk, sensitive key leakage.
- Medium / Low: Limited local impact, no remote intrusion, no large-scale system security risk.
10. Coordinated Vulnerability Disclosure
11. Safe Harbor (Legal Protection)
12. Out of Scope
- Known public vulnerabilities with existing official fixes
- Issues caused by improper installation, unauthorized modification or misuse of products
- Third-party platforms, networks and services outside our control
- Physical safety issues without digital cybersecurity impact