At smartQare, we take the security and privacy of our patients and users seriously. We value the contribution of security researchers and ethical hackers in helping us maintain a safe digital environment.

If you discover a vulnerability in any of our systems, we ask that you report it to us responsibly, so we can investigate and take the necessary steps to address it.


Scope

This policy applies to physical smartQare devices and all systems and services under the smartqare.com and smartqare.cloud domains, including our web applications, APIs, and related infrastructure.

This policy does not apply to third-party services, physical devices, or systems that are not owned or managed by smartQare.


How to Report

Please send your findings to: info@smartqare.com


Please include:

  • A detailed description of the vulnerability.
  • Steps to reproduce the issue.
  • The potential impact.
  • Any supporting materials (screenshots, proof-of-concept code).

During your investigation, you may perform acts that are punishable under criminal law. If you have complied with the conditions below, we will not take any legal action against you regarding the report. The safety of our patients is more important.

Anonymous or pseudonymous reporting is possible. However, please note that we will then be unable to contact you about the next steps or about the progress of resolving the leak and publication.


Rules of Engagement

When researching, please:

  • Do not disrupt our services.
  • Do not modify or delete data.
  • Be extra cautious in the case of personal data.
  • Avoid privacy violations. 
  • Respect applicable laws at all times.


Not an invitation to active scanning

Our responsible disclosure policy is not an invitation to actively scan our network for weaknesses.


Our Commitment

  • We will acknowledge receipt of your report within 5 business days.
  • We will investigate and aim to resolve the issue within a reasonable timeframe (usually 90 days) – but critical vulnerabilities should be fixed in days.
  • We will keep you informed of our progress.
  • We want to credit you (with your permission); let us know your preferences.

Note that trivial issues without a security impact (e.g. 404 errors, scan dumps) might not be acknowledged.


Disclosure Policy

Please do not publicly disclose any vulnerability before it has been fixed and you have received our confirmation. Coordinated disclosure helps protect our patients and systems.
Please note that partial disclosure might be required to meet legal and regulatory obligations.