
Cyber Security & Vulnerability Policy

Cyber Security and Vulnerability Disclosure Policy

Blade Marine Technologies Limited

Effective Date: March 02 2026

Updated Date: March 02 2026

1. Purpose and Governance Framework

Blade Marine Technologies Limited (“Blade”) maintains a cybersecurity and vulnerability management framework designed to support the confidentiality, integrity, and availability of its systems and services.

Blade’s cybersecurity program is informed by internationally recognized standards and best practices, including principles reflected in:

• ISO/IEC 27001 (Information Security Management Systems)

• ISO/IEC 27002 (Information Security Controls)

• ISO/IEC 29147 (Vulnerability Disclosure)

• ISO/IEC 30111 (Vulnerability Handling Processes)

This Policy outlines Blade’s approach to cybersecurity governance and responsible vulnerability disclosure across its products and digital services.

This Policy does not create contractual rights, warranties, certifications, or guarantees of security.

2. Scope

This Policy applies to Blade-controlled systems, including but not limited to:

• Websites and domains

• Cloud infrastructure and hosted platforms

• Customer portals and dashboards

• Public APIs

• Mobile, desktop, wearable, and web applications

• Embedded firmware and propulsion control systems

• Remote diagnostics and update mechanisms

• Business IT systems and operational platforms

• OEM and integration interfaces

Third-party systems not owned or controlled by Blade are outside the scope of this Policy.

3. Cybersecurity Program

Blade implements administrative, technical, and organizational safeguards appropriate to the nature of its operations. Security controls may include:

• Identity and access management controls

• Role-based authorization

• Encryption of data in transit and, where appropriate, at rest

• Network segmentation and perimeter protections

• Monitoring, logging, and anomaly detection

• Secure development lifecycle processes

• Change management and firmware control procedures

• Incident response planning

• Business continuity measures

• Use of content delivery networks (CDNs), distributed infrastructure, and redundancy mechanisms

Security controls are risk-based and evolve in response to emerging threats, regulatory developments, and operational requirements.

While Blade implements commercially reasonable safeguards consistent with industry practice, no system can be guaranteed to be secure, uninterrupted, or immune from cyber threats.

4. No Security Guarantee

Blade does not warrant or guarantee that:

• Systems will be free from vulnerabilities

• Services will be uninterrupted or error-free

• Data transmissions will be secure

• Cyberattacks, intrusions, or unauthorized access will never occur

All digital systems carry inherent cybersecurity risk. By interacting with Blade systems, users acknowledge and accept such risks to the fullest extent permitted by applicable law.

5. Data Risk Allocation

Users are responsible for maintaining independent backups and safeguards for their own systems and data.

To the maximum extent permitted by law:

• No data transmitted to, stored on, or processed by Blade systems should be considered confidential, private, or immune from risk except where expressly governed by a separate written agreement or mandatory data protection law.

• Blade shall not be liable for loss of data, corruption, unauthorized access, service interruption, ransomware events, denial-of-service incidents, or other cybersecurity-related impacts.

• Blade disclaims responsibility for indirect, consequential, incidental, punitive, or special damages arising from cybersecurity incidents.

Nothing in this section limits non-waivable statutory rights where applicable.

6. Responsible Vulnerability Disclosure

Blade supports coordinated vulnerability disclosure consistent with ISO/IEC 29147 principles.

Security researchers acting in good faith may report potential vulnerabilities to:

Legal at bladeoutboards.com

Reports should include:

• A detailed description of the issue

• Affected system or component

• Reproduction steps (if applicable)

• Supporting evidence

• Contact information

Blade may acknowledge receipt, assess severity, and determine appropriate remediation steps consistent with risk-based prioritization.

7. Good Faith Research Conditions

Security testing must:

• Be conducted in good faith

• Avoid service disruption

• Avoid safety-critical propulsion interference

• Avoid data access beyond what is strictly necessary

• Avoid data exfiltration, destruction, or alteration

• Avoid export control or sanctions violations

• Avoid extortion, coercion, or ransom demands

• Avoid public disclosure prior to coordinated remediation

Testing must never interfere with vessel propulsion systems or maritime safety.

8. Safe Harbor

Blade will not pursue legal action against researchers who:

• Act in good faith

• Comply with this Policy

• Do not exploit vulnerabilities for personal gain

• Do not violate applicable law

Safe harbor does not extend to:

• Unauthorized firmware modification

• Circumvention of technical protection measures

• Data theft or disclosure

• Service disruption

• Intellectual property extraction

• Safety system manipulation

9. Cybersecurity Indemnification

To the maximum extent permitted by law, users agree to defend, indemnify, and hold harmless Blade Marine Technologies Limited and its directors, officers, employees, affiliates, and licensors from and against any third-party claims, damages, losses, liabilities, fines, penalties, and reasonable legal costs arising out of or relating to:

• Unauthorized security testing

• Attempted intrusion or system interference

• Exploitation of vulnerabilities

• Violation of cybersecurity laws or export controls

• Malware introduction or denial-of-service activity

• Integration of Blade systems into insecure environments

• Failure to maintain appropriate independent safeguards

This indemnification applies in addition to any indemnification obligations contained in other governing agreements.

10. Incident Response and Remediation

Blade maintains internal procedures to:

• Detect and assess cybersecurity incidents

• Contain and mitigate threats

• Restore operational integrity

• Deploy patches or firmware updates

• Notify affected parties where required by law

Remediation timelines depend on severity, safety considerations, regulatory requirements, and operational impact.

Blade reserves the right to suspend or restrict access to systems to preserve safety and security.

11. Limitation of Liability

To the fullest extent permitted by law:

Blade shall not be liable for:

• Data loss

• Loss of profits

• Business interruption

• System downtime

• Loss of use

• Reputational harm

• Indirect or consequential damages

Total aggregate liability relating to cybersecurity matters shall be limited as provided in the applicable governing agreement, including the End User License Agreement where applicable.

Under no circumstances shall Blade’s cybersecurity-related liability exceed the limitations set forth in the applicable governing agreement.

12. Policy Modifications

Blade may update this Policy at any time. The current version will be published on official Blade platforms.

Continued use of Blade systems constitutes acknowledgment of any updated version.

13. Force Majeure

Blade shall not be liable for any delay, disruption, vulnerability, security incident response delay, or failure to perform obligations under this Policy resulting from events beyond its reasonable control, including but not limited to:

• Acts of God or natural disasters

• War, terrorism, civil unrest, or sanctions

• Governmental actions or regulatory restrictions

• Cyberattacks, distributed denial-of-service attacks, or widespread internet infrastructure failures

• Telecommunications outages

• Cloud provider or CDN disruptions

• Supply chain interruptions

• Power grid failures

Performance obligations shall be suspended for the duration of the force majeure event and for a commercially reasonable period thereafter necessary to restore affected systems and operations.

14. Assignment

Blade may assign or transfer this Policy, in whole or in part, in connection with a merger, acquisition, corporate restructuring, asset sale, or similar transaction.

No user or third party may assign or transfer any rights or obligations under this Policy without prior written consent from Blade.

15. Survival

The following provisions shall survive termination, suspension, or cessation of use of Blade systems:

• No Security Guarantee

• Data Risk Allocation

• Cybersecurity Indemnification

• Limitation of Liability

• Force Majeure

• Governing Law and Dispute Resolution

• Any provision which by its nature is intended to survive

16. Severability

If any provision of this Policy is determined to be invalid, unlawful, or unenforceable under applicable law, the remaining provisions shall remain in full force and effect.

The invalid provision shall be interpreted or modified to the minimum extent necessary to make it enforceable while preserving its intended purpose.

17. Governing Law and Dispute Resolution

This Policy shall be governed by and construed in accordance with the laws of Hong Kong, without regard to conflict of law principles.

To the fullest extent permitted by applicable law, any dispute, claim, or controversy arising out of or relating to this Policy or cybersecurity matters shall be resolved exclusively by confidential and binding arbitration seated in Hong Kong.

The arbitration shall:

• Be conducted in English

• Be administered by a recognized arbitration institution in Hong Kong

• Be final and binding on the parties

Arbitration shall not be conducted within the United States or under the jurisdiction of any U.S. court.

To the maximum extent permitted by law:

• Class actions, collective proceedings, and representative claims are waived.

• Claims must be brought in an individual capacity only.

Nothing in this section limits non-waivable statutory rights or mandatory dispute resolution mechanisms that cannot legally be excluded.

18. Security Incident Notification and Response (SLA Framework)

18.1 Definition of Security Incident

For purposes of this Policy, a “Security Incident” means a confirmed unauthorized access to, acquisition of, or material compromise of Blade-controlled systems that results in:

• Unauthorized access to personal data where Blade is legally responsible for notification;

• Material corruption or destruction of customer data; or

• Material disruption of core hosted services caused by malicious cyber activity.

Attempted attacks, automated scanning, background internet noise, or events that do not result in confirmed compromise do not constitute a Security Incident under this Section.

18.2 Acknowledgment of Reported Incidents

Upon receipt of a credible report of a potential Security Incident:

• Blade will acknowledge receipt within five (5) business days.

• Blade will initiate internal assessment procedures consistent with its incident response framework.

18.3 Customer Notification Timeline

Where Blade determines that a confirmed Security Incident has occurred and notification is legally required:

• Blade will provide initial notice to affected customers without undue delay and, where applicable law requires, within seventy-two (72) hours of confirmed determination.

• If full details are not yet available, Blade may provide supplemental updates as investigation progresses.

Notification timelines begin upon reasonable confirmation of a Security Incident, not upon first detection of anomalous activity.

18.4 Content of Notification

Where required, notification may include:

• A description of the nature of the Security Incident

• The categories of data affected (if known)

• The likely consequences

• Measures taken or proposed to address the incident

• Recommended mitigation steps for affected parties

Blade may limit technical detail where disclosure would compromise security or ongoing investigations.

18.5 Incident Containment and Remediation

Blade will use commercially reasonable efforts to:

• Contain and mitigate the Security Incident

• Preserve evidence where appropriate

• Restore system integrity

• Implement corrective measures designed to reduce the likelihood of recurrence

Remediation timelines depend on severity, operational complexity, third-party dependencies, and safety considerations.

18.6 Law Enforcement and Regulatory Delay

Notification may be delayed where:

• Law enforcement determines that notification would impede an investigation;

• Regulatory guidance permits delayed disclosure; or

• Immediate notification would materially increase cybersecurity risk.

18.7 Exclusions

Blade shall not be responsible for notification obligations arising from:

• Customer-side security failures

• Insecure integrations or OEM environments

• Third-party platforms not controlled by Blade

• User credential compromise not caused by Blade systems

• Force majeure cyber events impacting global infrastructure

18.8 Limitation of Liability

Nothing in this Section creates:

• A guarantee of incident prevention

• A representation of absolute security

• Expanded liability beyond the limitations set forth in applicable governing agreements

All cybersecurity liability remains subject to the limitation of liability provisions contained in the applicable End User License Agreement or governing contract.

