Responsible Disclosure

Our software is used in healthcare, where the protection of patient data and the continuity of systems are of crucial importance. Therefore, we take security reports extremely seriously. If you discover a vulnerability in one of our systems, we ask you to report it to us confidentially so that we can resolve the issue before it is exploited.

To enable a careful follow-up, we request that you:

• Report the vulnerability as soon as possible and exclusively to us via the email address below.
• Provide sufficient information to reproduce the problem — a clear description, steps to trigger the vulnerability, and (if applicable) screenshots or a proof-of-concept.
• Do not exploit the vulnerability, for example by viewing, modifying, or deleting data, or by affecting the availability of systems.
• Do not share information with third parties until the problem has been resolved by us.
• Act carefully so that patients, healthcare providers, or other stakeholders are not inconvenienced.

We will send you an acknowledgment of receipt within 1 working day.

• We treat your report confidentially and do not share your data with third parties without permission.
• We will keep you informed of the progress of the solution.
• We strive to resolve the issue within a reasonable timeframe, depending on its severity and complexity.
• If you adhere to the guidelines above, we will not take legal action regarding your report.
• For a serious, responsibly reported vulnerability, we will mention your name in our Hall of Thanks — unless you wish to remain anonymous.

The following findings are outside the scope of this policy:

• Attacks requiring physical access to equipment.
• Social engineering or phishing of employees or customers.
• Denial-of-service attacks (DoS/DDoS).
• Vulnerabilities in third-party software that we do not manage.
• Findings related solely to outdated browsers or operating systems that are no longer supported.

Email findings to: security@themedguidecompany.com