Effective Date: 1 December 2025
Version: 2.0
Issuing Entities:
- Strategic Global Holdings Pty Ltd (ACN 693 256 503)
- Superspeed.ai Pty Ltd (ACN 660 530 090), trading as Cushi.ai / Cushi.app
Governance Oversight: Group CEO, Strategic Global Holdings Pty Ltd
Review Cycle: Annual or earlier if required by law or operational change
1. PURPOSE
This Responsible Disclosure Policy outlines how Superspeed.ai Pty Ltd (“Cushi”) receives, assesses, and responds to good-faith security vulnerability reports. It aligns with:
• ISO/IEC 29147 (Vulnerability Disclosure)
• ISO/IEC 30111 (Vulnerability Handling Processes)
• Australian Privacy Act (APP 11 – Security)
• GDPR/UK GDPR security obligations
• US CFAA/DMCA safe-harbour principles
• EU NIS2 transparency expectations
• Coordinated Vulnerability Disclosure (CVD) global best practice
Cushi extends Safe Harbour protections to researchers worldwide, regardless of jurisdiction, provided actions are lawful, proportionate, non-destructive, and aligned with this Policy.
2. SCOPE
Applies to:
• Cushi web application and website
• APIs, authentication flows, backend services
• AI-enabled features and micro-apps
• Infrastructure under Cushi’s operational control
Excludes:
• third-party systems outside our control
• social engineering, phishing, vishing
• DDoS/DoS traffic
• physical testing
• spam, credential stuffing, brute-force automation
3. PRINCIPLES FOR GOOD-FAITH RESEARCH
Researchers must:
• act responsibly and minimise impact on systems and users
• not access, copy or exfiltrate data beyond the minimum needed to demonstrate the issue, and stop and report immediately if personal or sensitive data is encountered
• avoid privacy violations
• limit testing to what is required to prove the issue exists
• provide reproducible evidence
• comply with applicable laws
4. GLOBAL SAFE HARBOUR
If acting in accordance with this Policy:
• Cushi will not initiate civil proceedings or criminal complaints under the US Computer Fraud and Abuse Act (CFAA), the UK Computer Misuse Act, EU Member State cybercrime laws, or similar statutes.
• Cushi will not bring claims under the Copyright Act or the DMCA, including their anti-circumvention provisions, for good-faith testing.
• Cushi will not report lawful research to law enforcement.
• Cushi will not enforce terms of service or confidentiality provisions to the extent they would otherwise prohibit good-faith testing under this Policy.
• Researchers remain protected if limited data is accessed accidentally, provided no harm occurs, the access is reported immediately, and the data is not retained.
Safe Harbour applies in any jurisdiction where Cushi services are accessible. It is a commitment about Cushi's own conduct: it cannot bind third parties or public authorities, and it does not extend to testing of systems outside the authorisation boundary in Section 5.
5. AUTHORISATION BOUNDARY
Authorisation applies only to:
• systems owned or fully controlled by Cushi.
Not authorised:
• testing third-party vendors or services
• underlying cloud platform infrastructure operated by the provider rather than by Cushi
• infrastructure of customers, partners, or other organisations
6. REPORTING A VULNERABILITY
Submit reports to:
security@cushi.ai
Include:
• affected system or URL
• reproduction steps
• expected vs actual behaviour
• potential impact
• optional proof-of-concept
An encryption key for confidential submissions is available on request. Anonymous reports are accepted.
7. RESPONSE PROCESS (ISO-ALIGNED)
Cushi follows ISO/IEC 29147 & 30111:
• Acknowledge receipt of reports within 5 business days
• Triage and severity classification within 10 business days
• Remediation plan within 20 business days for high-severity issues
• Containment and fix cycles prioritised by CVSS severity
• Notification to the researcher once the issue is resolved
Where third-party dependencies delay remediation, Cushi will communicate revised timelines and coordinate disclosure windows.
8. RECOGNITION
Cushi may, at its discretion:
• acknowledge researchers publicly (with consent)
• provide non-financial recognition for impactful reports
This Policy does not create an entitlement to financial reward.
9. RESEARCHER EXPECTATIONS
Researchers must not:
• publicly disclose vulnerabilities before coordination with Cushi
• modify, delete, or copy data
• degrade service availability or stability
• perform phishing or social engineering
• pursue privilege escalation or lateral movement beyond what is needed for a proof-of-concept
10. PUBLIC DISCLOSURE WINDOW
Public disclosure is permitted:
• after remediation is confirmed, OR
• 90 days after acknowledgement, unless extended by mutual agreement
Complex fixes requiring third-party coordination may trigger reasonable extensions.
11. THIRD-PARTY COMPONENTS
If a vulnerability involves a third-party provider:
• Cushi will coordinate disclosure with the vendor
• timelines will be shared as transparently as possible
12. PRIVACY, DATA HANDLING & STORAGE
Reports are stored securely using encryption and least-privilege access.
Report data and related logs are retained only for the minimum time required for remediation and audit.
13. CONTACT
Security Team: security@cushi.ai
Superspeed.ai Pty Ltd, Brisbane, Australia
ANNEX A – DEFINITIONS
Vulnerability: A weakness in software, hardware, or an online service that can be exploited to violate confidentiality, integrity, or availability.
Researcher: An individual acting in good faith to identify and report vulnerabilities.
Safe Harbour: Cushi's commitment not to pursue legal action against researchers who act in accordance with this Policy.
CVD: Coordinated Vulnerability Disclosure, in which the reporter and the affected organisation agree on remediation and publication timelines before public release.
Sensitive Data: Regulated or confidential user data, including personal information and credentials.
Version Control, Review & Governance
© 2025 Superspeed.ai Pty Ltd (ACN 660 530 090), trading as Cushi.ai / Cushi.app.
Part of the Strategic Global Holdings Pty Ltd Group (ACN 693 256 503). All rights reserved.
Privacy: privacy@cushi.ai | Security: security@cushi.ai | Support: support@cushi.ai