Vulnerability Disclosure Policy

    Last updated: March 2026

    The security of our users' data is our top priority. We welcome responsible security research and will work with you to resolve any issues quickly.

    Scope

    This policy applies to vulnerabilities found in:

    • Komori devices (firmware, on-device software)
    • Komori mobile app (iOS and Android)
    • Komori cloud services and APIs
    • komoricare.com and associated subdomains

    How to Report

    Email us at security@komoricare.com with the following information:

    • Description -- a clear explanation of the vulnerability and the affected component.
    • Steps to reproduce -- detailed steps so our team can verify the issue.
    • Impact assessment -- your understanding of the potential impact (data exposure, unauthorized access, etc.).
    • Your contact information -- so we can follow up with questions or updates.

    What We Ask of You

    • Do not publicly disclose the vulnerability before we have had a reasonable opportunity to address it.
    • Do not access, modify, or delete other users' data during your research.
    • Do not disrupt our services or degrade the experience for other users.
    • Make a good-faith effort to avoid privacy violations and data destruction.

    Our Commitment to You

    • Acknowledgment -- we will acknowledge receipt of your report within 48 hours.
    • Status updates -- we will provide a status update within 7 business days.
    • Resolution timeline -- we will work to resolve critical issues within 30 days.
    • Communication -- we will keep you informed throughout the remediation process.

    Safe Harbor

    We will not pursue legal action against security researchers who discover and report vulnerabilities in good faith, following this policy. We consider security research conducted in accordance with this policy to be authorized, and we will not initiate legal claims against you for circumvention of technology controls.

    Recognition

    With your permission, we will credit you on our security acknowledgments page. We believe in recognizing the valuable contributions of security researchers who help keep our users safe.

    Out of Scope

    The following are not covered by this policy:

    • Social engineering or phishing attacks against Komori employees or users
    • Denial-of-service (DoS/DDoS) attacks
    • Physical attacks against Komori offices or infrastructure
    • Vulnerabilities in third-party services, libraries, or platforms we do not control

    Contact

    Report vulnerabilities to security@komoricare.com. For general security questions, you can also reach us at hello@komoricare.com.