Last updated: 31 March 2026
1. PURPOSE
This Vulnerability Disclosure Policy (“Policy”) sets out JTI International SA’s (“JTI”, or “us” / “we” / “our”) approach to receiving, managing, and responding to reports of security vulnerabilities in devices manufactured and supplied by us that fall within the definition of “relevant connectable products” under the UK Product Security and Telecommunications Infrastructure Regulations 2023 (the “Regulations”). This Policy reflects our commitment to product safety and consumer protection.
2. SCOPE
We supply certain relevant connectable products, including but not limited to the Ploom aura portfolio, as defined under section 4 of the Product Security and Telecommunications Infrastructure Act 2022. Such products constitute consumer devices that are internet-connectable or network-connectable, and these are subject to the minimum security requirements set out in Schedule 1 of the Regulations.
This Policy applies to any security vulnerabilities in such products that you are considering reporting to us.
3. REPORTING A VULNERABILITY
We welcome reports from security researchers, customers, and other stakeholders who identify potential security vulnerabilities in our products.
If you have identified a potential security vulnerability with one of our products, please use the following email link to submit a report:
No personal information is required to submit a report. Reports may be submitted anonymously. In the event that you choose to provide your personal information when you submit a report to us, please read our Privacy Policy for information on how we use your personal data.
4. WHAT TO INCLUDE IN YOUR REPORT
To help us assess and respond effectively, please include:
(a) a description of the security vulnerability;
(b) any relevant screenshots, pictures, website links or pages where the security vulnerability can be observed (as applicable);
(c) the model and version of the affected product (as applicable); and
(d) your contact details for follow-up (optional).
5. OUR COMMITMENT TO RESPOND
Where you have elected to provide us with your contact information, upon receiving a valid report, we will:
(a) acknowledge receipt within 5 working days;
(b) provide updates every 30 days on progress and resolution; and
(c) notify you when the issue has been resolved.
6. RESPONSIBLE DISCLOSURE EXPECTATIONS
We ask that reporters:
(a) avoid accessing, modifying, or deleting data that does not belong to them;
(b) do not disrupt services or systems;
(c) comply with all applicable laws, including the Computer Misuse Act 1990, the UK GDPR and the Data Protection Act 2018; and
(d) allow us reasonable time to investigate and resolve the issue prior to any public disclosure.
7. CONTACT
For questions about this policy or to report a security vulnerability, please contact us using the details in paragraph 3 above.