Vulnerability Disclosure Policy

Last Updated: 30-09-2025

Our Commitment to Security

As a software company working in the medical field, we take security seriously and welcome reports of potential security vulnerabilities from security researchers, customers, and the public. We are committed to working with the security community to protect our users and improve the security of our software.

Reporting a Security Vulnerability

How to Report

Email: [email protected]

Subject: Security Vulnerability Report

We will acknowledge your report within 2 business days and provide regular updates on our progress.

What to Include

Please provide as much detail as possible to help us understand and address the issue:

  • Description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact and your assessment of the severity
  • Affected systems or software versions
  • Proof of concept or screenshots (if available)
  • Your name and contact information
  • Whether you would like public credit for the discovery

Responsible Disclosure Guidelines

To ensure the safety of our users and allow us time to properly address the issue, we ask that you:

Please Do:

  • Report the vulnerability privately through [email protected]
  • Allow us reasonable time to investigate and fix the issue
  • Work with us in good faith throughout the process
  • Provide additional information if we request it

Please Don't:

  • Access or modify user data without permission
  • Perform testing that could disrupt our services
  • Publicly disclose the vulnerability before we've addressed it
  • Share vulnerability details with others without our permission

What We Consider Security Vulnerabilities

In Scope

We welcome reports about potential security issues in:

  • Authentication and authorization bypasses
  • Unauthorized access to data
  • Code injection vulnerabilities (SQL injection, XSS, etc.)
  • Cryptographic implementation flaws
  • API security vulnerabilities
  • Privacy control bypasses
  • Data exposure or leakage issues

Out of Scope

Please don't report the following as security vulnerabilities:

  • Feature requests or general bugs without security impact
  • Issues requiring physical access to devices
  • Social engineering attacks
  • Denial of service (DoS) attacks
  • Vulnerabilities in third-party software (please report to the vendor)
  • Issues requiring unlikely user interaction

Our Response Process

Timeline

Within 2 business days:

  • Acknowledge receipt of your report
  • Assign a tracking identifier
  • Provide an initial assessment

Within 5 business days:

  • Complete initial technical validation
  • Assess impact and severity
  • Provide a status update

Ongoing:

  • Regular updates on our progress (at least weekly)
  • Coordination on testing and validation
  • Agreement on disclosure timeline

Resolution Timeline

We aim to resolve vulnerabilities according to their severity:

  • Critical vulnerabilities: Patch within 7 days
  • High severity: Patch within 30 days
  • Medium/Low severity: Patch within 90 days

We will keep you informed throughout the process and coordinate with you on the disclosure timeline.

Safe Harbor

We support good faith security research and will not pursue legal action against researchers who:

  • Follow our responsible disclosure guidelines
  • Make a good faith effort to avoid accessing user data, disrupting services, or causing harm
  • Report vulnerabilities through the proper channels
  • Work with us throughout the disclosure process

This safe harbor applies to security research conducted on our systems that complies with this policy.

Recognition

We appreciate the work of security researchers who help us improve our security. With your permission, we will:

  • Acknowledge your contribution on our security page
  • Credit you in security advisories
  • Provide references or recommendations for your work

We do not currently offer monetary rewards or bug bounties.

What Happens After You Report

  1. Acknowledgment: We confirm receipt of your report within 2 business days
  2. Investigation: Our security team validates and assesses the issue
  3. Updates: We provide regular updates on our progress
  4. Resolution: We develop and test a fix for the vulnerability
  5. Disclosure: We coordinate with you on public disclosure
  6. Recognition: We acknowledge your contribution (with permission)

Contact Information

Security Reports: [email protected]

General Inquiries: [email protected]

Website: https://askaletta.com

Response Time: We aim to respond to all security reports within 2 business days.

For urgent security issues that may pose an immediate risk, please clearly mark your email as "URGENT" in the subject line.

Questions?

If you have questions about this policy or the vulnerability disclosure process, please contact us at [email protected].

Thank you for helping us keep our users safe. We appreciate the security research community's efforts to improve the security of medical device software.