Koolmesh Vulnerability Disclosure Policy

 

1. Purpose

Koolmesh is committed to maintaining the security, reliability and resilience of its connected lighting ecosystem and related services.
This Vulnerability Disclosure Policy (VDP) establishes a coordinated process for security researchers, customers, partners and other parties to responsibly report potential cybersecurity vulnerabilities affecting the Koolmesh ecosystem.
For the purpose of this policy, the “Koolmesh ecosystem” includes Koolmesh mobile applications, cloud services, APIs, Bluetooth Mesh technologies and connected lighting products integrating Koolmesh technologies.
This policy supports responsible vulnerability handling, coordinated disclosure and continuous security improvement aligned with applicable cybersecurity regulations and industry best practices.
 
 

2. Scope

In-Scope Services

This policy applies to the following systems and services:
  • Internet-facing services in *.koolmesh.com subdomains, except domains noted below in “Out-of-scope services”.
  • We consider the following subdomains to be the most relevant for security research:
  • iot.koolmesh.com (Official web portal for lighting control & user management)
  • openapi.koolmesh.com (Web-side official API endpoints)
  • api.koolmesh.com (Mobile application dedicated API service)
  • Mobile applications provided by Koolmesh
  • Proprietary Bluetooth Mesh lighting control networks using Koolmesh technology
  • Connected lighting products integrating Koolmesh Bluetooth Mesh technologies, including gateways, control panels, sensors, drivers and related embedded firmware devices.

Out-of-Scope Services

The following services are explicitly excluded from the scope of security research and unauthorized testing:
Any service not expressly listed above is excluded from this policy’s scope. Vulnerabilities discovered on third-party vendor systems shall be reported directly to the corresponding vendor.
If you believe any unlisted system should be included in the scope, please contact us for evaluation; we will update this policy accordingly.
 
 

3. Security Contact Channel

Official dedicated security reporting email: Security@koolmesh.com
This security email shall be publicly displayed in the following positions:
  • Corporate official website
  • Product user manual and installation guide
  • EU distributor and sales supporting documents
  • CRA compliance technical documents

4. How to Submit a Vulnerability Report

Reporters are encouraged to provide complete and clear information to accelerate validation and remediation:
  • Detailed description of the vulnerability
  • Affected product family, model and firmware version
  • Step-by-step reproduction method
  • Proof-of-concept, screenshots or technical logs (if available)
  • Contact information for follow-up communication
Reports are preferred in English. We accept responsible security research reports from individuals, research teams and organizations.
 
 

5. Acceptance & Acknowledgement

We will send an official acknowledgement reply within 1 working day after receiving a valid vulnerability report. Our internal CRA working group, together with embedded R&D, gateway, APP, cloud and quality teams, will start validation and impact assessment immediately.
 
 

6. Prohibited Activities

To protect network stability, user privacy and business operation, any testing or research that falls into the following categories is not permitted:
  • Large-scale network scanning, brute-force attack, DoS / DDoS testing
  • Unauthorized access to internal company systems, staff accounts or customer cloud environments
  • Physical damage, disassembly beyond normal installation scenarios
  • Social engineering, phishing or privacy data collection without authorization
  • Exploiting vulnerabilities for commercial gain or malicious purposes

 

7. Vulnerability Assessment & Remediation Process

After confirmation:
  • We classify the vulnerability severity and evaluate affected product lines, firmware versions and exploitation risks
  • Relevant R&D teams develop firmware patches, OTA updates, security configuration hardening or temporary mitigation measures
  • We maintain continuous communication with the reporter throughout the remediation lifecycle
  • Once the fix is ready, we arrange coordinated disclosure and close the case formally

 

8. CRA Regulatory Reporting Obligations

For actively exploited vulnerabilities or severe cybersecurity incidents impacting the security of products with digital elements, Koolmesh shall perform regulatory notification activities in accordance with applicable CRA requirements.

RequirementTimeline
Early warning notificationWithin 24 hours after becoming aware of the actively exploited vulnerability or severe incident
Formal vulnerability / incident notificationWithin 72 hours after becoming aware of the actively exploited vulnerability or severe incident
Final report for actively exploited vulnerabilitiesNo later than 14 days after the corrective or mitigating measure is available
Final report for severe incidents impacting product securityWithin one month after the 72-hour incident notification

Where the reportable event concerns an actively exploited vulnerability, Koolmesh shall submit the final report no later than 14 days after the corrective or mitigating measure is available. Where the reportable event concerns a severe incident impacting the security of the product, Koolmesh shall submit the final report within one month after the 72-hour incident notification.

Regulatory notifications may include national CSIRTs, ENISA, competent authorities or other applicable supervisory bodies through the CRA single reporting platform, as required under CRA obligations.

Where required by applicable CRA obligations, affected customers, users, distributors or relevant authorities shall be notified without undue delay regarding the incident, potential impact and available mitigation or corrective measures.

All regulatory communication, notification records, internal assessment records and reporting evidence shall be retained as part of the official PSIRT incident archive and CRA compliance evidence.

 

9. Severity Classification

  • Critical: Remote unauthorised access, Bluetooth Mesh network hijacking, gateway privilege escalation, mass device compromise, vulnerabilities actively exploited in the wild.
  • High: Default password remaining enabled, hardcoded credentials, debug interface exposed in production, unauthenticated OTA upgrade risk, sensitive key leakage.
  • Medium / Low: Limited local impact, no remote intrusion, no large-scale system security risk.

 

10. Coordinated Vulnerability Disclosure

Reporters agree not to publicly disclose vulnerability details before we complete remediation and provide formal permission.
We will reasonably inform the reporter of progress, delays and expected fix timeline. Any public disclosure shall be agreed by both parties.

 

11. Safe Harbor (Legal Protection)

We adopt a Safe Harbor principle:
Any security research and vulnerability reporting conducted in good faith, in accordance with this policy and without intentional damage or privacy infringement, will not result in legal action or claim from the company.

 

12. Out of Scope

The following items are not within the scope of this vulnerability disclosure process:
  • Known public vulnerabilities with existing official fixes
  • Issues caused by improper installation, unauthorized modification or misuse of products
  • Third-party platforms, networks and services outside our control
  • Physical safety issues without digital cybersecurity impact

 

13. Supply Chain Coordination

If a vulnerability affects thirdparty components, SDKs, protocol stacks or partner systems, we may share necessary technical details anonymously with relevant suppliers to accelerate joint remediation, without disclosing the reporter’s personal information.

 

14. Policy Maintenance

This Vulnerability Disclosure Policy will be reviewed and updated periodically to align with CRA official regulations, industry best practices and ongoing product portfolio updates.