Vulnerability Information Disclosure Policy
Vulnerability Information Disclosure Policy
To ensure that customers can use its products and services with confidence, BMT Group collects vulnerability information related to its offerings, conducts impact assessments, and evaluates associated risks in accordance with this Policy.
Should a vulnerability be confirmed, the Group will appropriately disclose the relevant information and recommended countermeasures. Furthermore, the Group actively promotes these initiatives through its participation in the Information Security Early Warning Partnership and the CVE Program.
Vulnerability Information Collection
We actively gather information regarding vulnerabilities in the products and services we provide. If you discover a vulnerability related to BMT Group products or services, please email the BMT Cybersecurity Team at cybersecurity@bmtech.com or contact a relevant domestic or international coordinating body.
When contacting us, please ensure that your message includes at least the following information:
- The name of the affected product(s) or service(s)
- A description of the vulnerability and its potential impact
If contacting us via email, please encrypt your message using PGP. We will acknowledge receipt of your report (hereinafter referred to as the "Reporter") typically within three business days of receiving the communication. However, please note that there may be delays during specific periods (such as holidays).
We may not elect to take action if we determine that a report falls outside the scope of this policy.
Investigation and Countermeasures
We promptly disseminate information regarding reported vulnerabilities throughout BMT Group and conduct an investigation.
If the investigation confirms the existence of a new vulnerability in BMT Group products or services, we assess its potential impact and associated risks. Should this assessment determine that risk mitigation is required, we formulate and prepare appropriate countermeasures while coordinating with relevant stakeholders as necessary.
If it is determined that the reported issue does not constitute a new vulnerability, we coordinate with the Reporter to conclude the handling process.
Information concerning vulnerabilities and countermeasures is managed with strict confidentiality within BMT Group and is never disclosed to third parties prior to public release.
Communication with Reporters
We will engage in appropriate communication with the Reporter and provide updates on the status of our investigation and response in at least the following cases:
- When a new vulnerability is confirmed in a BMT Group product or service
- When our judgments and assessments change as a result of an impact survey or risk assessment
- When coordination with a third party other than the Reporter becomes necessary
- When preparing for public disclosure
- When the response process has been concluded
We may request your assistance. Communication with the Reporter will be conducted via email. To prevent the unintentional disclosure of the content of our communications to third parties, we may request that you use encryption.
Furthermore, BMT Group will not initiate legal action against a Reporter for communications or cooperation provided in good faith.
Publication
Based on the results of our assessment, if we determine that risk mitigation is required, we will disclose information regarding the vulnerability along with recommended countermeasures at an appropriate time via the BMT Group website, JVN, or other channels.
If a CVE ID has not yet been assigned to the vulnerability being disclosed, BMT Group, acting as a CNA (CVE Numbering Authority), will obtain a CVE ID and include it in the published information.
In cases where we determine that a vulnerability may potentially impact specific customers, such as those utilizing products or services related to social infrastructure, we may also contact those customers individually through our sales representatives or other designated channels.
Acknowledgments
Acknowledgments will be posted at the time of publication with the consent of those who have contributed to the discovery or resolution of vulnerabilities in BMT Group products and services.
Update History
Published on May 1, 2026
