Vulnerability Disclosure Policy

1. Purpose

Billion Electric Japan Co., Ltd. (hereinafter "the Company") establishes this policy to define the procedures for receiving and handling vulnerability reports concerning our products, in order to continuously improve product security.

2. Scope

This policy applies to the Company's IoT products covered by the JC-STAR conformity label.

3. Security Vulnerability Reporting Contact

If you discover a security vulnerability in our products, please contact us via email at the dedicated address below.

Email Contact: psirt@billion.com

Scope of Reception: Reports related to product security vulnerabilities only

Phone inquiries are not accepted.
To ensure fairness among reporters and prevent misunderstanding or miscommunication, and to maintain accurate records, all inquiries are handled exclusively via email.

This contact is dedicated to vulnerability reports. For general inquiries (repair, purchase, usage, etc.), please use our standard contact channels.

4. Information to Include in Your Report

To facilitate efficient review of your report, please provide the following information to the extent possible. The pre-formatted email template contains these fields:

1. Reporter Information
   Name:
   Organization / Company:
   Email:
   Contact (optional):

2. Vulnerability Details
   Affected Product / Model Number:
   Firmware Version:
   Vulnerability Type:
   Severity Level:
   Description:

3. Steps to Reproduce
   1.
   2.
   3.

4. Impact Assessment
   Potential Impact / Attack Scenario:

5. Supporting Materials
   [Attach screenshots / logs / PoC, etc.]

5. Response Procedure After Report Receipt

Upon receipt of a report, we will follow the procedure below.

  1. Receipt Confirmation: We will send a confirmation of receipt within 10 business days of receiving the report.
  2. Analysis: We will review and analyze the report. As needed, we will coordinate with the manufacturer (NoonSpare Energy Technology Co., Ltd.) to verify reproducibility and assess the scope of impact.
  3. Response Planning: Based on the verification results, we will determine the remediation priority and response schedule.
  4. Remediation Development: We will develop and test patches or mitigations.
  5. Advisory Publication: Upon completion of remediation, we will publish the affected scope, response measures, and information on obtaining the fix on our Security Advisories page.
  6. Reporter Notification: If contact information has been provided, we will notify the reporter of remediation completion.

Our standard target for resolution is within 90 days of report receipt. Depending on the severity of the vulnerability, scope of impact, and complexity of the technical analysis required, this period may be extended. In such cases, we will provide status updates to the reporter as appropriate.

6. Status Updates Until Resolution

During the period until resolution, we will provide status updates to the reporter as appropriate. Upon resolution, we will publish the affected scope, response measures, and fix information on our Security Advisories page for general users.

7. Legal Safe Harbor for Good-Faith Reporters

The Company will not pursue legal action against individuals who report vulnerabilities in good faith and in accordance with this policy. However, the following activities are not covered by this safe harbor:

  • Attacks intended to cause service disruption or performance degradation
  • Unauthorized acquisition, storage, or disclosure of personal or confidential information
  • Activities that cause harm to third parties
  • Activities that violate applicable laws or regulations
  • Use of vulnerability information for extortion or financial demands

8. Manufacturer's Vulnerability Disclosure Policy

The manufacturer of our IoT products, NoonSpare Energy Technology Co., Ltd. (Taiwan), also publishes its own vulnerability disclosure policy (in Chinese and English) on its website.

Sales and support of our IoT products in the Japanese market are handled by the Company. Vulnerability reports from customers in Japan are received at the contact listed on this page (psirt@billion.com) in Japanese or English, and we coordinate with the manufacturer as needed to address the issue.

9. Revision History

Date      Version  Changes
May 2026  1.0      Initial release

Billion Electric Japan Co., Ltd.

estaVIVO Musashi-Kosugi, 447-8 Shinmaruko-Higashi 3-chome, Nakahara-ku, Kawasaki-shi, Kanagawa 211-0004, Japan