This is Yarbo’s promise to fix the mower that ran over me


I write this directly because the issues raised in the latest security report deserve a direct response, not an institutional one.

On May 7, 2026, security researcher Andreas Makris published a detailed report identifying critical vulnerabilities in Yarbo’s remote diagnostics, credential management, and data processing systems. The basic technical findings are accurate. I would like to thank Mr. Andreas Makris for his work in identifying these issues and for his persistence in bringing them to our attention. He also recognized that our initial response did not adequately reflect the seriousness of the issues he identified. As a co-founder, I’m responsible for what ships on our products, and I’m responsible for how we respond.

Our engineering, product, legal, and customer support teams treat remediation as a top priority. What follows is my account of what we found, what we’ve already fixed, what we’re actively fixing, and what we’re committed to changing in how we work moving forward.

Based on our initial review, the issues primarily relate to historical design choices in parts of Yarbo’s remote diagnostics, access management, and data processing systems.

Specifically, some legacy support and maintenance capabilities did not provide users with sufficient visibility or control, and some authentication and credential management mechanisms did not meet the security standards we expect for today’s products.

We’ve also identified areas where access permissions, backend system configurations, and data flows between devices and cloud services require stronger protection and stricter controls.

We recognize the seriousness of these issues and the concerns they may cause for our customers and community. We sincerely apologize for the impact this situation has had, and we are committed to addressing these issues in a transparent and responsible manner.

We’re strengthening system security by reducing legacy access paths, tightening permissions, and moving toward fully auditable credentials at the device level. To show the progress we have made so far, we separate the actions that have already been taken from the work currently underway.

What we have already done

What we are working on now

Historical servers and legacy access channels will continue to be phased out one by one as part of this overhaul.

We’re also working on accelerating over-the-air security updates and additional server-side protection. The first wave of updates is expected to begin within one week. Important: The security firmware update is now being pushed to all Yarbo devices. To receive this update, please connect your Yarbo to the Internet. Once the update is applied, you can return to your preferred network settings. If you prefer to keep your device offline in the meantime, you can do so without affecting your warranty or service coverage. We’ll let you know when the update is ready so you can connect briefly to apply it.

This repair effort is not limited to a single fix or software update. We are using this process to raise the security architecture and long-term management standards of our products.

These efforts include enhancing access control standards, improving authentication and authorization models, increasing user visibility and control of remote diagnostic features, and continuing to reduce unnecessary legacy support mechanisms across related systems and infrastructure.

We will also continue to expand our internal security review, remediation and governance processes to support stronger security practices over the long term. Our goal is to ensure that security, transparency and user trust are built into the foundation of future Yarbo systems and services.

Some items in the external report describe real security issues, while others require clarification because they do not apply to currently shipped Yarbo products or do not represent independent vulnerabilities.

Automatic restart and stability of FRP

The report also mentions that the FRP client may be restarted through scheduled tasks or service recovery mechanisms. We realize that this can make manual disabling of remote access channels more difficult, but the underlying issue is the existence, permissions, and policy of the remote tunnel itself. Our remedy focuses on disabling or restricting tunnels, providing allowlisting and auditability, and removing unnecessary persistent remote access paths.

File monitoring and self-recovery

The report indicates file monitoring behavior that can restore some deleted files or services. This mechanism was originally designed as a defensive reliability measure to prevent critical service files from being accidentally deleted or corrupted. By itself, it was not intended to function as a remote access feature.

However, we recognize that any mechanism that makes it difficult for users to remove components related to remote access can create trust concerns. We are reviewing which files should continue to be protected and which components should be removed, simplified, or placed under user control.

Historical or non-production configurations

Some findings concern historical infrastructure, legacy cloud services, vendor-specific customizations, or internal testing configurations. These remain under review and are being cleaned up as necessary, but they should be distinguished from the default behavior of currently shipped production units.

Our goal is to be precise: we will not downplay proven security issues, but we also want users to understand which findings apply to production devices, which apply only to historical or custom configurations, and which are being addressed as part of broader hardening efforts.

To improve security reporting in the future, we are launching a dedicated security response channel and security communication process for vulnerability reports and responsible disclosure:

Security@yarbo.com

The public will also be able to find our security contact information on the Yarbo Security Center page, which is under the “Explore” section of our official website.

We are also exploring the possibility of creating a formal bug bounty program as part of our broader, long-term security initiatives.

We value the role that independent security researchers play in responsibly identifying potential issues, and we remain committed to enhancing the security, transparency, and trustworthiness of our products.

As investigation and repair work continues, I will provide further updates as they become available.

Kenneth Coleman

Co-Founder, Yarbo

New York
