Corporate Governance Documents
FluidCore Systems™ is committed to maintaining robust cybersecurity, operational resilience, and data protection standards across its global infrastructure and digital ecosystem.
Security controls are implemented across all components of the platform, including, without limitation:
— Industrial dispensing equipment and associated hardware systems
— Embedded firmware and device-level software
— Cloud infrastructure and SaaS platform environments
— API integrations and external partner interfaces
— Payment integrations (via PCI-DSS compliant providers)
— Telemetry, monitoring, and remote management systems
We apply layered administrative, technical, and organizational safeguards aligned with recognized international security frameworks and industry best practices, including, where applicable:
— ISO/IEC 27001 information security principles
— NIST cybersecurity guidance
— Secure software development lifecycle (SSDLC) practices
— Industrial system security standards
— Payment security standards applicable to integrated providers
Security governance includes risk assessment, access control management, system monitoring, incident response procedures, and periodic review of security controls.
FluidCore Systems™ supports responsible and coordinated vulnerability disclosure as part of its ongoing commitment to protecting customers, partners, and system integrity.
We encourage good-faith security research conducted in accordance with this Policy.
If you believe you have identified a potential security vulnerability affecting any component of the FluidCore Systems™ ecosystem, including but not limited to:
— fluidcoresystems.com
— Cloud platform infrastructure
— Device firmware or embedded systems
— API endpoints and integrations
— Data transmission mechanisms
— Authentication or access control systems
we encourage responsible, good-faith, and confidential disclosure in accordance with this Policy.
Security researchers are expected to act in a manner that avoids harm to users, customers, partners, infrastructure, or data.
Vulnerability reports should be submitted to:
security@fluidcoresystems.com
Reports should include sufficient technical detail to enable timely validation, reproduction, and impact assessment of the issue, including:
— A clear description of the vulnerability
— The affected component or system
— Steps to reproduce the issue
— Potential security impact
— Any relevant supporting materials (e.g., logs, screenshots, proof-of-concept data)
Reports submitted in good faith and in compliance with this Policy will be handled confidentially and reviewed in accordance with coordinated vulnerability disclosure principles.
FluidCore Systems™ reserves the right to determine the scope, severity classification, remediation approach, and disclosure timeline for reported vulnerabilities.
When submitting a vulnerability report, please include sufficient information to enable effective assessment and remediation, including:
— A clear and concise description of the identified issue
— The affected system, component, application, firmware, or endpoint
— Step-by-step reproduction details, including any required configuration
— An assessment of the potential security impact and risk
— Supporting evidence (e.g., logs, screenshots, proof-of-concept materials, technical traces)
Reports that lack sufficient detail may delay validation and response.
Researcher Responsibilities
Security research must be conducted in good faith and in a manner designed to avoid harm. Researchers must:
— Refrain from exploiting vulnerabilities beyond what is strictly necessary to demonstrate proof of concept
— Avoid accessing, modifying, exfiltrating, or deleting data that does not belong to them
— Avoid accessing customer production environments unless explicitly authorized
— Avoid disrupting live systems, operational services, or industrial equipment
— Refrain from denial-of-service (DoS), stress testing, or load testing
— Avoid social engineering, phishing, impersonation, or physical intrusion attempts
— Avoid testing third-party systems not owned or operated by Rockart Inc.
All testing must be conducted responsibly and in a manner that preserves system integrity, user privacy, operational continuity, and legal compliance.
Failure to comply with these guidelines may result in withdrawal of protections provided under this Policy and may expose the individual to applicable legal consequences.
This Policy applies solely to digital assets and systems that are owned and operated by Rockart Inc. under the FluidCore Systems™ ecosystem, including, where publicly accessible:
— Public website infrastructure (including fluidcoresystems.com and associated subdomains)
— Cloud platform components and SaaS environments
— Public API endpoints and documented integrations
— Public-facing device interfaces and remote management interfaces
Only systems explicitly owned and operated by Rockart Inc. are within scope.
Out of Scope
This Policy does not authorize testing, access, or interaction with:
— Third-party infrastructure, cloud hosting providers, or data centers
— Payment processors, acquiring banks, or financial institutions
— Partner-operated systems or customer-managed environments
— Internal corporate systems not publicly accessible
— Physical tampering, hardware manipulation, or on-site interaction with deployed industrial equipment
— Any system or asset not expressly identified as in-scope
Testing activities that extend beyond the defined scope, including actions affecting third-party systems or production customer environments, are not authorized under this Policy.
Activities outside the defined scope may be considered unauthorized and may be subject to applicable civil, contractual, or criminal laws.
Rockart Inc. reserves the right to modify the scope of this Policy at any time.
Upon receipt of a valid vulnerability report submitted in accordance with this Policy, Rockart Inc. will:
— Acknowledge receipt within a reasonable timeframe
— Perform an initial review and severity assessment
— Investigate the reported issue in a responsible and timely manner
— Determine appropriate remediation measures based on risk evaluation
— Work toward resolution consistent with operational and security priorities
— Maintain the confidentiality of the reporter upon request, subject to legal obligations
Where appropriate, Rockart Inc. may engage in coordinated disclosure discussions with the reporting party.
Safe Harbor
Rockart Inc. will not initiate legal action against individuals who:
— Act in good faith
— Comply fully with this Policy
— Avoid exploitation beyond what is strictly necessary to demonstrate proof of concept
— Do not intentionally access, alter, or exfiltrate data beyond authorized testing boundaries
Nothing in this Policy limits obligations imposed by applicable law or regulatory authorities.
This safe-harbor assurance applies solely to activities conducted strictly within the scope and conditions of this Policy.
This statement does not grant immunity for actions that:
— Exceed authorized scope
— Cause service disruption or harm
— Violate applicable laws
— Target third-party systems
Rockart Inc. reserves all legal rights in cases of malicious, reckless, or unlawful conduct.
FluidCore Systems™ implements layered administrative, technical, and organizational security controls designed to protect system integrity, confidentiality, and availability across its ecosystem.
Security controls include, without limitation:
— Encrypted communications using industry-standard cryptographic protocols (e.g., TLS/HTTPS)
— Role-based access control (RBAC), least-privilege principles, and strong authentication mechanisms
— Secure cloud infrastructure architecture with logical and physical safeguards
— Network segmentation, environment isolation, and separation of production and non-production systems
— Continuous system monitoring, logging, and audit trail retention
— Firmware integrity verification, secure boot processes, and controlled update mechanisms
— Secure software development lifecycle (SSDLC) practices and code review procedures
— Vulnerability management, patch management, and periodic security assessments
— PCI-DSS compliant payment integrations (via certified third-party providers)
— Ongoing threat detection, incident response readiness, and security governance processes
Security controls are periodically reviewed and evaluated through risk-based assessments.
The security architecture is subject to continuous improvement and may evolve in response to emerging threats, regulatory developments, technological advancements, and industry best practices.
Nothing in this Policy constitutes a guarantee that the Service is immune from security incidents. Security measures are designed to reduce risk, not eliminate it entirely.
Security controls are implemented using a risk-based approach.
Specific certifications, compliance standards, audit regimes, and regulatory controls may vary depending on deployment jurisdiction, contractual framework, and applicable industry requirements.
This Policy does not create any legally binding service level commitments or contractual security guarantees unless expressly set forth in a separately executed written agreement.
In the event of a confirmed security incident involving personal data, notification will be provided in accordance with applicable legal and contractual obligations.
Unless expressly stated in a separately published and formally documented program, this Policy does not constitute a bug bounty program and does not create any obligation on the part of Rockart Inc. to provide monetary compensation, rewards, or any other form of consideration.
Submission of a vulnerability report does not create any contractual relationship, employment relationship, agency relationship, or entitlement to payment.
Any compensation, if offered, shall be:
— At the sole discretion of Rockart Inc.
— Subject to a separate written agreement
— Conditioned upon full compliance with this Policy
— Subject to applicable legal, tax, and regulatory requirements
Rockart Inc. reserves the right to determine eligibility, scope, valuation, and any conditions associated with discretionary rewards.
Nothing in this Policy guarantees acknowledgment, remediation timelines, public recognition, or financial reward.
Reported vulnerabilities must not be publicly disclosed, published, shared with third parties, or otherwise communicated externally until:
— The issue has been fully remediated; or
— A coordinated disclosure timeline has been formally agreed upon in writing between Rockart Inc. and the reporting party.
Rockart Inc. follows coordinated vulnerability disclosure principles, which may include:
— Internal validation and severity assessment
— Risk evaluation and remediation planning
— Controlled communication with affected stakeholders
— Agreement on disclosure timing where appropriate
Premature public disclosure may:
— Increase risk to customers, partners, and system integrity
— Expose systems to exploitation
— Interfere with remediation efforts
Public disclosure made prior to coordinated agreement may result in withdrawal of protections provided under this Policy, including safe-harbor assurances.
Nothing in this Section limits Rockart Inc.’s ability to disclose vulnerability information where required by law, regulatory authority, or security necessity.
Nothing in this Policy shall be construed to:
— Grant authorization to access, modify, copy, exfiltrate, or retain data beyond what is strictly necessary to demonstrate the existence of a reported vulnerability
— Provide permission to bypass authentication mechanisms, access controls, encryption safeguards, or other security protections except to the minimum extent required for proof of concept
— Authorize testing against systems, environments, or assets outside the defined scope of this Policy
— Waive, limit, or otherwise impair any legal rights, claims, defenses, or remedies available to Rockart Inc.
— Create any contractual relationship, license, or obligation beyond those expressly set forth in this Policy
Authorization under this Policy is strictly limited to good-faith security research conducted within the defined scope and conditions herein.
Testing, access, or activity conducted outside the bounds of this Policy, including excessive data access, system disruption, or targeting of third-party systems, may be considered unauthorized and may be subject to applicable civil, contractual, or criminal legal action.
Rockart Inc. expressly reserves all rights not expressly granted under this Policy.
Rockart Inc. reserves the right to update, amend, or modify this Security & Responsible Disclosure Policy at any time, at its sole discretion.
The most current version of this Policy will be published on the official FluidCore Systems™ website and will supersede any prior versions upon publication.
Continued submission of vulnerability reports or continued interaction with systems covered by this Policy after publication of an updated version constitutes acceptance of the revised Policy.
Material changes may be reflected through an updated “Effective Date” at the top of this document.
Nothing in this Section limits Rockart Inc.’s right to enforce prior versions of this Policy with respect to actions occurring before an update becomes effective.
For security-related reports, vulnerability disclosures, or coordinated vulnerability disclosure inquiries, please contact:
Email: security@fluidcoresystems.com
Attn: Security Response Team
Operated by: Rockart Inc.
State of Delaware, United States
Reports should be submitted in accordance with this Policy and include sufficient detail to enable timely assessment and response.
We encourage responsible, good-faith, and confidential reporting.
All submissions will be handled in accordance with this Policy and applicable legal, regulatory, and corporate governance standards.
Submission of a report does not create a contractual relationship or entitlement to compensation unless expressly agreed in writing.
All documents are governed by the laws of the State of Delaware, United States of America, unless otherwise required by applicable law. Information provided on this website is for informational purposes only and does not constitute a public offer, solicitation, or investment recommendation.