Kuanzhai Vulnerability Disclosure Policy
Effective Date: 01 June 2025
Last Updated: 01 June 2025
At Kuanzhai, we are committed to ensuring the security and privacy of our products, users, and systems. We welcome responsible security disclosures and believe in working with the cybersecurity community to strengthen our digital infrastructure.
This policy outlines how security researchers and ethical hackers can responsibly disclose potential vulnerabilities in Kuanzhai products, services, or digital platforms.
- Our Commitment to Security
Kuanzhai is dedicated to designing and maintaining secure systems, websites, and connected smart vape devices. We recognize that responsible security testing helps prevent harm and strengthen user trust.
We commit to:
Investigating all legitimate vulnerability reports
Responding in a timely and respectful manner
Remediating verified vulnerabilities where appropriate
Maintaining open and responsible communication
- Scope of This Policy
This policy applies to the following systems:
www.kuanzhai.co.uk and all subdomains
Kuanzhai mobile apps and APIs
Connected Kuanzhai smart vaping devices and IoT firmware
Authentication and subscription systems
Telemetry and data dashboards linked to Kuanzhai services
We do NOT authorize:
Physical testing or onsite security audits
Social engineering, phishing, or impersonation
DDoS, brute-force, or automated scanning
Unauthorized access to or modification of user data
- How to Report a Vulnerability
If you discover a vulnerability, email us at:
📧 security@kuanzhai.co.uk
Please include:
A clear description
Steps to reproduce
System or product version
Screenshots or proof-of-concept (if applicable)
Your contact info (optional)
🔐 PGP encryption available upon request.
- Responsible Disclosure Guidelines
We ask that you:
Do not exploit the vulnerability
Avoid accessing user data
Refrain from public disclosure until remediation is complete
Always act in good faith and within legal boundaries
- What You Can Expect from Us
We assess reports using CVSS v3.1 and prioritize based on impact.
Timelines:
Acknowledge within 72 hours
Provide a resolution plan or update within 10 business days (for high-severity)
If validated, we may:
Credit you (with permission) on our Security Research Hall of Fame
Offer written acknowledgment
- Legal Safe Harbour
If you follow this policy:
Kuanzhai will not initiate legal action
Your research is considered authorized under UK law
We support ISO/IEC 29147 and CVD best practices
- Coordinated Public Disclosure
If resolution is not reached within 90 days of acknowledgment, and you have acted responsibly, we support public disclosure with final notice to us.
- Platforms and Future Submissions
We currently accept reports via email.
We are exploring integration with HackerOne, Bugcrowd, or similar platforms.
- Updates to This Policy
We may update this policy over time. The latest version will always be published at:
www.kuanzhai.co.uk/vulnerability-disclosure
- Contact
OXO3 LTD
Trimex House, Pier Road, Feltham, TW14 0TW
📧 Email: security@kuanzhai.co.uk
We thank all ethical hackers and researchers who help us protect our users through responsible disclosure.