Coordinated Vulnerability Disclosure Policy
How Blueberry receives, triages, fixes, and discloses security vulnerabilities in our products.
Owner: Blueberry Software AD PSIRT
Version: 1.0 draft (2026-05-14)
This policy describes how to report a security vulnerability in any Blueberry-operated product, what to expect from us, and our commitments to researchers and customers.
1. Scope
In scope:
- All Volts AIoT Suite cloud services (volts.iot, volts.live, vpn.iot.volts.live)
- All Volts Gateway hardware and firmware (HLK-7688A v1, HLK-7621A v2)
- Volts mobile apps (com.blueberry.iot, iOS and Android)
- Blueberry Software AD corporate infrastructure that handles product or customer data
Out of scope:
- Customer-controlled networks the gateway is deployed on
- Third-party services we link to but do not operate
- Issues that require physical access to a device the attacker does not own (unless the report shows a meaningful escalation path from that device to other customers' devices or to our cloud services)
- Social engineering of Blueberry staff
- Denial-of-service attacks against production services
2. How to report
Send your report to security@blueberry.bg. Encrypt with our PGP key when the report contains exploit details or sensitive material.
Include:
- A description of the vulnerability and where it lives
- Steps to reproduce, including the firmware version or service URL
- Impact assessment (what an attacker could do)
- Your name or handle for credit (optional — anonymous reports welcome)
- Whether you intend to publish your own write-up and on what timeline
We respond best to reports that include a working proof-of-concept and that let us confirm the issue without guesswork.
3. What you can expect from us
| Stage | SLA |
|---|---|
| Initial acknowledgement | within 2 business days |
| Severity classification (CVSS 4.0) | within 5 business days |
| Status update cadence | weekly until resolved |
| Coordinated disclosure window | 90 days from acknowledgement (extendable by mutual agreement) |
For actively exploited vulnerabilities affecting product safety or customer data, we will shorten both the disclosure window and the patch timeline rather than wait for the 90-day deadline.
4. Safe harbour
We will not pursue legal action against researchers who, in good faith:
- Comply with this policy
- Avoid privacy violations, destruction of data, or interruption of services
- Avoid testing against production systems that handle other customers’ data
- Give us a reasonable opportunity to fix before public disclosure
- Do not exploit the vulnerability beyond what is necessary to demonstrate it
We will not pursue legal action even if you accidentally violate this policy, provided you stop immediately, notify us, and cooperate with our investigation.
5. Support period
We commit to providing security updates for at least 7 years after the last time a product is placed on the EU market. This exceeds the EU Cyber Resilience Act Article 13(8) minimum of 5 years.
6. Credit and acknowledgement
If you wish to be credited, we will list you in our Hall of Fame once the advisory is published. You may request anonymity or a handle instead of your real name.
We do not currently run a bug-bounty payment program. We may introduce one in 2027.
7. Regulatory context
This policy is required by:
- EU Cyber Resilience Act (Regulation (EU) 2024/2847), Annex I Part II clause (5) and Article 13(8)
- EN 18031-1 SUM-1/SUM-2 (secure update mechanism), backed by the support and patching commitments in this policy
- ETSI EN 303 645 §5.2 (means to manage reports of vulnerabilities)
8. Contact
- Email: security@blueberry.bg
- PGP key: /security/pgp/ and /.well-known/security-pgp.asc
- security.txt: /.well-known/security.txt
- CSAF feed: /.well-known/csaf/provider-metadata.json
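The security.txt published at the path above is machine-readable under RFC 9116, so a researcher or the PSIRT can lint it before relying on it. The checker below is an added example, not Blueberry's own tooling or a file from its site: it parses a security.txt body and enforces the RFC 9116 rules that most often go wrong in practice (a Contact field must exist, exactly one Expires field must exist and must be neither in the past nor more than a year out, and Encryption/Canonical values must be https URIs). The sample body is constructed; the https://blueberry.bg host in it is an assumption, while the mailto address and the /.well-known paths come from this page.

```python
"""Minimal RFC 9116 security.txt checker (added example, not Blueberry's code)."""
from datetime import datetime, timedelta, timezone

# Fields that RFC 9116 requires to carry an https:// URI.
URI_FIELDS = {"Canonical", "Encryption", "Acknowledgments", "Hiring", "Policy"}
KNOWN_FIELDS = URI_FIELDS | {"Contact", "Expires", "Preferred-Languages"}
# Field names are case-insensitive in the RFC; map lowercase -> canonical spelling.
CANON = {f.lower(): f for f in KNOWN_FIELDS}

# Constructed sample. Host blueberry.bg is an assumption; the mailto address and
# the /.well-known paths are the ones stated in the disclosure policy.
SAMPLE = """\
# Constructed example for the checker below
Contact: mailto:security@blueberry.bg
Expires: 2027-01-31T00:00:00Z
Encryption: https://blueberry.bg/.well-known/security-pgp.asc
Canonical: https://blueberry.bg/.well-known/security.txt
Preferred-Languages: en, bg
"""


def parse(text):
    """Return (field, value) pairs, skipping comment and blank lines."""
    fields = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {n}: not a 'Field: value' line")
        name, _, value = line.partition(":")
        name = name.strip()
        fields.append((CANON.get(name.lower(), name), value.strip()))
    return fields


def _to_datetime(value):
    """Parse an ISO 8601 timestamp; a trailing Z is normalised to +00:00."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check(text, now=None):
    """Validate a security.txt body; return a list of problems (empty means OK).

    `now` may be a tz-aware datetime or an ISO 8601 string; defaults to current UTC.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = _to_datetime(now)
    problems = []
    by_name = {}
    for name, value in parse(text):
        by_name.setdefault(name, []).append(value)
        if name not in KNOWN_FIELDS:
            problems.append(f"unknown field {name!r} (extensions are allowed; check spelling)")
        elif name in URI_FIELDS and not value.lower().startswith("https://"):
            problems.append(f"{name} must be an https:// URI, got {value!r}")
        elif name == "Contact" and not value.lower().startswith(("https://", "mailto:", "tel:")):
            problems.append(f"Contact must be an https://, mailto: or tel: URI, got {value!r}")
    if "Contact" not in by_name:
        problems.append("Contact field is required")
    expires = by_name.get("Expires", [])
    if len(expires) != 1:
        problems.append(f"exactly one Expires field is required, found {len(expires)}")
    else:
        try:
            when = _to_datetime(expires[0])
            if when.tzinfo is None:
                problems.append("Expires must carry a timezone offset")
            elif when <= now:
                problems.append(f"security.txt expired on {expires[0]}")
            elif when > now + timedelta(days=365):
                problems.append("Expires should be less than a year in the future")
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 timestamp: {expires[0]!r}")
    if len(by_name.get("Preferred-Languages", [])) > 1:
        problems.append("at most one Preferred-Languages field is allowed")
    return problems


if __name__ == "__main__":
    for p in check(SAMPLE, now="2026-05-14T00:00:00Z") or ["OK"]:
        print(p)
```

Run it against the live file with the publication date pinned (or unpinned for the current time) before each re-publication; an expired security.txt is the single most common way a disclosure channel silently breaks, because RFC 9116 tells consumers to treat an expired file as stale. The checker deliberately does not fetch anything, so it can sit in the pipeline that renders /.well-known/ and fail the build on a bad file.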