Effective Date: 1 December 2025
Version: 4.0
Issuing Entity: Superspeed.ai Pty Ltd (ACN 660 530 090), trading as Cushi.app
Parent Governance Entity: Strategic Global Holdings Pty Ltd (ACN 693 256 503), Queensland, Australia
Governing Law: Australia
Review Cycle: Reviewed at least annually or earlier where required by law or material operational change.
1. PURPOSE
This Policy sets out how Superspeed.ai Pty Ltd receives and manages good faith security vulnerability reports relating to Cushi.app.
The objective is to encourage responsible disclosure while protecting users, data, and system integrity.
Nothing in this Policy limits or replaces rights or obligations under applicable law.
2. SCOPE
This Policy applies to systems owned and operated by Superspeed.ai Pty Ltd, including:
- The Cushi.app web application
- Public APIs operated by Cushi
- Backend services directly managed by Cushi
This Policy does not apply to:
- Third party infrastructure providers
- Customer systems
- Social engineering
- Denial of service activity
- Physical security testing
- Automated credential stuffing or brute force attempts
3. GOOD FAITH RESEARCH REQUIREMENTS
Researchers must:
- Act in good faith
- Avoid harm, service degradation, or disruption
- Avoid intentional access, modification, or retention of user data
- Limit testing to what is necessary to demonstrate a vulnerability
- Comply with applicable law
If sensitive data is accessed unintentionally, it must not be retained and must be reported immediately.
4. SAFE HARBOUR POSITION
Where a researcher acts in accordance with this Policy and in good faith:
- Cushi.app will not initiate civil proceedings solely for the act of responsible vulnerability reporting
- Cushi.app will consider the context and intent of the research when determining any response
This Policy does not grant immunity from criminal or civil liability where actions are unlawful.
Cushi.app reserves all rights in cases involving bad faith, intentional data exfiltration, service disruption, or malicious conduct.
5. AUTHORISATION BOUNDARY
Authorisation under this Policy applies only to systems directly owned and operated by Cushi.
Testing of:
- Cloud infrastructure not directly controlled by Cushi
- Third party vendors
- Customer environments
- Any system outside Cushi’s operational control
is not authorised under this Policy.
6. REPORTING A VULNERABILITY
Reports should be submitted to:
Reports should include:
- A clear description of the issue
- Steps to reproduce
- Affected systems or URLs
- Assessment of potential impact
Anonymous reporting is permitted.
Encrypted communication may be requested.
7. RESPONSE PROCESS
Upon receiving a report:
- The report will be reviewed to assess validity and scope
- Severity and impact will be evaluated
- Remediation will be prioritised proportionate to risk
Acknowledgement and remediation timelines depend on the nature and complexity of the issue.
Cushi.app does not guarantee fixed remediation deadlines.
Where third party components are involved, coordination may be required.
8. PUBLIC DISCLOSURE
Researchers are requested not to publicly disclose vulnerabilities until:
- A remediation has been implemented; or
- A mutually agreed disclosure timeline has passed
Cushi.app may request reasonable extension of disclosure timelines where remediation is complex or dependent on third parties.
9. DATA HANDLING
Vulnerability reports are handled securely and access is restricted to authorised personnel.
Information provided through the reporting process is retained only as necessary for investigation, remediation, and compliance purposes.
10. LIMITATION OF AUTHORISATION
This Policy does not:
- Authorise intentional data extraction
- Permit persistent or continued access beyond proof of concept
- Override contractual restrictions beyond the scope of this Policy
- Provide blanket legal immunity
Actions outside the scope of this Policy may result in appropriate legal response.
CONTACT
Superspeed.ai Pty Ltd
Brisbane, Australia
security@cushi.app
VERSION CONTROL AND GOVERNANCE
Version 4.0
Effective 1 December 2025
Approved by Chief Executive Officer, Superspeed.ai Pty Ltd
© 2025 Superspeed.ai Pty Ltd (ACN 660 530 090), trading as Cushi.app
Part of the Strategic Global Holdings Pty Ltd group (ACN 693 256 503)
