Our commitment
Security matters to us, and we welcome reports from clients and security researchers who help us keep SEAES HMS safe. This policy explains how to report a vulnerability responsibly and what we commit to in return.
How to report
Email [email protected] with the subject line Security. To help us investigate quickly, please include:
- the product or URL affected, and the version if known;
- a clear description of the issue and its potential impact;
- step-by-step instructions to reproduce it (proof-of-concept welcome);
- your name and how you'd like to be credited, if at all.
Scope
This policy covers this website and SEAES HMS instances operated by SEAES. Please do not test a hospital's on-premises or independently operated deployment without that hospital's explicit permission — those systems are not ours to authorise.
Please do not
- access, modify, delete or exfiltrate real patient or personal data;
- run denial-of-service attacks, spam, or large-scale automated scanning that degrades the service;
- use social engineering, phishing, or physical intrusion against staff or facilities;
- publicly disclose the issue before we have had a reasonable chance to fix it.
Safe harbour
If you make a good-faith effort to follow this policy, we will treat your research as authorised, will not pursue or support legal action against you for it, and will work with you to understand and resolve the issue quickly. This policy does not grant permission to act unlawfully or to harm others' data.
What you can expect from us
- we aim to acknowledge your report within 5 working days;
- we will keep you informed as we investigate and remediate;
- we will credit you for the discovery if you would like us to.
Coordinated disclosure
We ask that you give us a reasonable period to remediate before any public disclosure, and that we coordinate timing together so that clients and patients are protected.