Vulnerability Disclosure Policy

Effective Date: 1 March 2026
Last Updated: 1 March 2026

This policy describes how to report security vulnerabilities in Brain OS and how we handle them. Brain OS is developed by Wallin Solutions AB.

Scope

This policy applies to security vulnerabilities in:

  • Brain OS — the operating system (backend, frontend, kernel modules, OS configuration)
  • brainos.wallinsolutions.se — the product website

This policy does not cover:

  • Third-party applications installed through the Brain OS app store (report to the upstream project)
  • Hardware vulnerabilities in the host hardware itself
  • Social engineering or phishing attacks

How to Report a Vulnerability

Email: robban@wallinsolutions.se

Please include the following in your report:

  • A description of the vulnerability and its potential impact
  • Steps to reproduce the issue (as detailed as possible)
  • The affected component (backend, frontend, kernel module, OS, website)
  • Your Brain OS version (shown in Settings > About)
  • Any proof-of-concept code or screenshots

Do not disclose the vulnerability publicly until we have released a fix and coordinated disclosure timing with you.

What to Expect

Severity   Acknowledgment     Triage            Patch Target
Critical   24 hours           48 hours          7 days
High       48 hours           5 business days   30 days
Medium     5 business days    14 days           90 days
Low        14 business days   30 days           Next release

These are our targets. Complex issues may take longer, but we will keep you informed of progress.

Critical vulnerabilities under active exploitation will be escalated to the ENISA Single Reporting Platform within 24 hours, in accordance with EU Cyber Resilience Act Article 14.

Safe Harbour

We will not take legal action against security researchers who:

  • Act in good faith and follow this disclosure policy
  • Do not access, modify, or delete data belonging to other users
  • Do not disrupt Brain OS services or infrastructure
  • Report the vulnerability directly to us before public disclosure
  • Give us a reasonable time to address the issue before disclosure

Coordinated Disclosure

We believe in coordinated disclosure. When you report a vulnerability:

1. We will work with you to understand and validate the issue
2. We will develop and test a fix
3. We will coordinate a public disclosure date with you
4. We will credit you in our security advisory (unless you prefer to remain anonymous)

We aim to coordinate disclosure within 90 days of the initial report for non-critical issues. For critical issues under active exploitation, we may need to release a fix faster.

EU Cyber Resilience Act (CRA) Compliance

Brain OS is subject to the EU Cyber Resilience Act (Regulation 2024/2847). In compliance with Article 14, we report actively exploited vulnerabilities and severe security incidents to the relevant Computer Security Incident Response Team (CSIRT) via the ENISA Single Reporting Platform.

Our reporting obligations:

  • 24 hours — Early warning to CSIRT upon becoming aware of an actively exploited vulnerability
  • 72 hours — Full vulnerability notification with technical details and initial assessment
  • 14 days after patch — Final report with root cause analysis and remediation details

Contact

Security reports: robban@wallinsolutions.se
General inquiries: robban@wallinsolutions.se
PGP key: Not currently available

security.txt: https://brainos.wallinsolutions.se/.well-known/security.txt