Version: 1.0 · Effective date: May 2026 · Review cycle: annually, or on material change.
Bleta Solutions, S.L. (“Bleta”) welcomes reports from security researchers and from any user who identifies a security issue in our products. This Policy describes how to report a vulnerability and what to expect from us. It is published in compliance with Regulation (EU) 2024/2847 (the Cyber Resilience Act, “CRA”), Annex II §5.
Scope
This Policy covers all Bleta products with digital elements that are placed on the EU market:
- Bleta Tab (kit including the tablet, the pre-installed Bleta Launcher, and accessories).
- Bleta Launcher software, as deployed via the Bleta Tab and any future channel.
- The Bleta-controlled web properties at bleta.io related to product compliance and support: /conformity/..., /privacy/..., /manual/..., /security, /.well-known/security.txt.
Vulnerabilities in third-party components (the underlying Android operating system, Google Mobile Services, Lenovo firmware on the underlying TB311XU hardware) should be reported to the respective vendors. Bleta will, on a best-effort basis, help route such reports to the appropriate vendor.
How to report
- Primary channel: email security@bleta.io.
- Machine-readable contact information: https://bleta.io/.well-known/security.txt (RFC 9116).
When reporting, please include:
- A clear description of the vulnerability and its potential impact.
- Steps to reproduce, ideally with the product version or environment details.
- Any proof-of-concept, log excerpt or screenshot that helps us reproduce.
- Whether you have any reason to believe the vulnerability is being actively exploited.
What you can expect from us
- Acknowledgement of your report.
- Ongoing communication about progress, at a cadence proportionate to the severity of the issue.
- Coordinated disclosure: where appropriate, we agree a disclosure timeline with you. Default expectation: public disclosure once mitigation has been deployed, with a reasonable embargo period to allow patches to reach the fleet.
- Notification to you when the issue is fixed and the public advisory is published.
Active exploitation
If you have evidence that the vulnerability is being actively exploited in the wild against a Bleta product, please flag this prominently in your report. Bleta is subject to the Cyber Resilience Act mandatory notification obligation to ENISA within 24 hours of becoming aware of such cases (CRA Art. 14, in force from 11 September 2026), and your prompt flag helps us comply.
Safe harbour
Bleta will not pursue civil or criminal action, nor request that law-enforcement do so, against security researchers who:
- Make a good-faith effort to comply with this Policy.
- Test only against the scope defined above.
- Avoid privacy violations, destruction of data, and interruption or degradation of our services.
- Do not access, store, transfer or modify any user data that is not strictly necessary to demonstrate the vulnerability.
- Give Bleta reasonable time to investigate and mitigate before publishing details.
This safe harbour does not extend to activities that are unrelated to identifying vulnerabilities in good faith (e.g., extortion, public ridicule, attacks on Bleta’s customers).
Out of scope
The following do not qualify as security vulnerabilities for the purposes of this Policy:
- Findings on third-party services or products that Bleta does not control (Android OS issues belong to Google / Lenovo; cloud-provider issues belong to the provider).
- Theoretical vulnerabilities without demonstrable security impact.
- Reports that depend on physical access to the device for arbitrarily long periods, or that depend on the user being deliberately tricked into installing malicious software outside the Bleta Launcher distribution channel.
- Issues already known and being addressed by Bleta or by an upstream vendor.
- Social-engineering of Bleta staff or partners.
- Volumetric attacks (denial of service, brute force) against Bleta infrastructure.
Changes to this Policy
This Policy is reviewed at least annually and on any material change to Bleta’s products, regulatory environment, or operational practices. The version and effective date are at the top of this document. Previous versions are archived on request.
Contact
- Security reports: security@bleta.io
- General contact: contact@bleta.io
- Manufacturer of record: Bleta Solutions, S.L. · Av. Maresme 70 Bis, Nave 6, Planta 1, 08940 Cornellà de Llobregat, Barcelona, Spain · VAT ESB06961601
- Person responsible for compliance information under Article 4 of Regulation (EU) 2019/1020: Bleta Solutions, S.L. (same as manufacturer above) · contact@bleta.io