Corporate Information Security Policy and Public Disclosure Policy
Security Policy
Updated: 7 September 2025
1. Corporate Information Security Policy
As a service to our external stakeholders, this section provides a general overview of the purpose, direction, principles and basic rules of our corporate information security management policy.
This policy applies to the entire Information Security Management System (ISMS), which is based on ISO 27001:2022, as defined in RubyComm's information security system policy (detailed in a separate document).
2. Goal
The purpose of our Information Security Policy is to establish a framework for the protection of the organization's information assets and is designed to:
- Protect the organization's information from all threats, whether internal or external, deliberate or accidental.
- Facilitate secure information sharing between RubyComm and external stakeholders or other third parties.
- Encourage consistent and professional use of information.
- Ensure that all company employees and third parties understand their roles in using and protecting information.
- Ensure business continuity and minimize business damage.
- Protect the organization from legal liability and the inappropriate use of information.
Roles and Responsibilities
The Chief Information Security Officer (CISO) has overall responsibility for the development, implementation, and ongoing management of RubyComm’s corporate information security policy and all associated procedures. The CISO ensures that security controls remain effective, oversees compliance with regulatory standards, and leads the strategic direction for information security throughout the company.
Policy Review and Update Frequency
This policy will be reviewed and updated whenever significant changes occur within the organization’s structure, operations, applicable regulations, or as necessitated by evolving cyber threats. The Chief Information Security Officer (CISO) is responsible for initiating and overseeing the policy review process to ensure its ongoing relevance and effectiveness.
Ongoing Employee Training
RubyComm provides ongoing security awareness and training programs for all employees to support and maintain compliance with the IT security policy. This includes regular education on current cyber threats, safe information handling, and best practices to foster a culture of security and minimize risk from human error.
Stakeholder Communication of Policy Changes
All material changes, upgrades, or incident-driven revisions to this policy will be promptly communicated to affected stakeholders, including employees, third parties, and external partners as appropriate. RubyComm commits to ensuring that policy updates and key learnings from incidents are disseminated in a timely manner to foster transparency, awareness, and continued organizational compliance.
For more information regarding our information security system policy, please contact us at info@rubycomm.com.
3. RubyComm Vulnerability Disclosure Policy (Including Public Disclosure Option)
At RubyComm Ltd, we believe in promoting the security of our systems through open collaboration with the security community. We welcome and appreciate vulnerability reports and offer both responsible and public disclosure pathways, as described below.
Reporting Security Vulnerabilities
If a vulnerability is discovered, we ask that you report it by emailing us at dpo@rubycomm.com. Your report should include:
- A summary of the vulnerability
- Steps to reproduce, with any relevant evidence (screenshots, code, etc.)
- Assessment of potential risks or impact
Acknowledgment and Remediation Process
- We will acknowledge receipt of your report within three working days.
- We commit to providing updates on remediation efforts and may request further information as necessary.
- We aim to resolve validated vulnerabilities promptly.
Public Disclosure Guidelines
- RubyComm encourages responsible, coordinated disclosure. However, researchers may publicly disclose vulnerability details if:
  - RubyComm does not acknowledge the initial report within three business days, or
  - RubyComm does not provide a status update or begin remediation within 30 days of the initial report, or
  - A mutually agreed timeline for coordinated disclosure is reached between the researcher and RubyComm.
- Before public disclosure, researchers are requested to notify RubyComm of their intent at least 48 hours in advance.
- RubyComm will not pursue legal action against researchers who act in good faith and adhere to these guidelines.
Recognition and Acknowledgment
If desired, researchers will be credited in our public acknowledgements unless they request anonymity.
Legal Safe Harbor
RubyComm pledges not to initiate legal action against those who:
- Follow this disclosure policy in good faith.
- Avoid privacy violations, data destruction, or service disruption.
- Provide advance notice before public disclosure.
Contact
For questions or to report a vulnerability, contact: dpo@rubycomm.com