Vulnerability Disclosure Policy & Security Update Priority Policy
1. Introduction
Asuka Company Limited ("the Company") regards the security of our IoT products (communication modules, smart meter systems, etc.) as a top priority.
This policy defines the procedure by which anyone who discovers a security vulnerability in our products can report it safely and promptly. We welcome good-faith vulnerability reports and are grateful for the cooperation of security researchers and users.
2. Security Contact
If you discover a security issue in any of our products, please contact us at the following address:
Contact
Asuka Company Limited
sales@asuka-solution.com
For customers in Japan
When making a report, please provide as much of the following information as possible:
- Product name, model number, and firmware version
- Nature of the vulnerability and its potential impact
- Steps to reproduce (if applicable)
- Date of discovery and your contact details
3. Handling Procedure After Receiving a Report
Upon receiving a security vulnerability report, the Company will follow the procedure below:
- Acknowledgement: We will contact the reporter to confirm receipt of the report and assign it to the appropriate team for review.
- Investigation & Assessment: We will investigate the reported vulnerability, assess its severity (using the severity classification defined in our Security Update Priority Policy), and communicate the findings to the reporter.
- Patch Development & Testing: We will develop a fix or firmware update, prioritised according to the vulnerability's severity level, and conduct thorough testing before release.
- Update Distribution: The patched firmware will be distributed to affected products via OTA (Over-The-Air) update. The reporter will be notified when distribution begins.
- Closure & Disclosure: After remediation, we will publicly disclose information about the vulnerability at an appropriate time, in consultation with the reporter regarding timing.
Legal Safe Harbour: The Company will not take legal action against individuals who report vulnerabilities in good faith in accordance with this policy. Personal information provided by reporters will be handled in accordance with our Privacy Policy.
4. Status Updates Until Resolution
While a reported vulnerability is being addressed, the Company will provide status updates to the reporter on the following schedule:
- Acknowledgement: Confirmation email sent upon receipt of the report
- Investigation result: Initial findings and severity assessment communicated after investigation is complete
- Progress updates: Regular updates provided until a fix is developed and deployed
- Completion notice: Notification sent upon completion of update distribution
For severity classification details, please refer to the Security Update Priority Policy below.
5. Purpose
This policy defines the criteria used to determine the priority of updates in response to security vulnerabilities or issues discovered in our IoT products.
The Company is committed to responding promptly to high-severity security issues. Firmware updates are distributed securely through the appropriate remote update channel for each product.
6. Severity Classification
Discovered vulnerabilities are classified into four severity levels and addressed with priority proportional to severity.
Severity - Definition / Examples
Critical - Vulnerabilities allowing unauthenticated remote takeover of the product, or exposure of cryptographic keys and credentials. Capable of causing serious harm immediately.
High - Vulnerabilities enabling authentication bypass or unauthorised access to critical functions. High likelihood of exploitation.
Medium - Vulnerabilities exploitable under specific conditions with limited impact, but requiring remediation.
Low - Vulnerabilities with low likelihood of exploitation or minimal impact, suitable for resolution in a scheduled update.
* Response timelines are determined individually based on the complexity and scope of each vulnerability. Reporters will be notified directly.
7. Update Distribution Method
Security updates are distributed through the following methods:
- Remote update (OTA): Where supported, firmware is automatically distributed from the server via OTA (Over-The-Air) — no on-site work required. Products without remote update capability are updated via a configuration tool or manual procedure.
- Signed firmware: All firmware updates are digitally signed. The device verifies the signature before applying any update; tampered firmware is automatically rejected.
- Encrypted channel: All update distribution uses industry-standard encrypted communication protocols to protect data in transit.
- Notification: System administrators will be notified when critical security updates become available.
8. Scope & Support Period
This policy applies to the following products:
- IoT Gateway Communication Modules
- Smart Meter Systems
- And related server software and firmware
The security support period for our products is the warranty period (1 year from the date of shipment). Extended support beyond the warranty period may be available through a paid maintenance agreement, subject to individual discussion and agreement. Please contact us for details. Users will be notified in advance of any planned end-of-support date.
