1. Scope
In scope
- All production hostnames operated by askadent under askadent.com.
- The askadent HTTP API exposed at those hostnames.
Out of scope
- Infrastructure operated by third parties on askadent's behalf (hosting, database, payment processing, email delivery, error monitoring, content delivery). Vulnerabilities in those services must be reported to the vendor directly.
- Third-party JavaScript that askadent does not ship.
- Social-engineering attacks against askadent personnel.
- Physical attacks against any infrastructure.
- Denial-of-service testing, load generation, or any activity intended to disrupt service availability.
- Automated-scanner output that does not demonstrate an exploitable impact.
2. Reporting
Vulnerability reports are submitted to security@askadent.com. A complete report includes:
- A description of the issue and the security impact it enables.
- Reproduction steps, including the affected endpoint, request payload, and authenticated state where applicable.
- Whether the testing was conducted against production or a staging environment. Staging credentials may be requested via the contact above.
- An optional name or pseudonym you would like to be credited under in any public acknowledgement (see §6), or "anonymous" to indicate you do not want to be named.
3. Severity classification and response targets
askadent classifies vulnerability reports as follows. Acknowledgement and remediation targets are measured from the date a complete report is received.
| Severity | Definition | Acknowledgement | Remediation target |
|---|---|---|---|
| Critical | Remote code execution; authentication or authorisation bypass; mass exposure of health information; full compromise of clinician or administrator accounts. | 1 business day | Emergency patch, no fixed window |
| High | Targeted account takeover; scoped exposure of identifiable patient information; privilege escalation between roles; cryptographic failures affecting credential or token integrity. | 2 business days | Within 14 days |
| Medium | Stored or reflected XSS without account compromise; information disclosure not involving health information; CSRF on state-changing endpoints; security-relevant logic flaws. | 5 business days | Within 30 days |
| Low | Minor information disclosure; missing or weak security headers; configurations not aligned with current best practice but without an exploitable vector. | 5 business days | Next regular release |
Severity is assessed by askadent in good faith with reference to the report's demonstrated impact. Researchers are welcome to propose a severity in their report.
4. Researcher requirements
By submitting a report under this policy a researcher agrees to:
(a) Access only data that belongs to the researcher or to a test account the researcher has deliberately registered for the purpose of the report. Researchers will not access, modify, or exfiltrate any other data.
(b) Refrain from any activity that could disrupt the availability or integrity of the service for legitimate users, including denial-of-service testing, load generation, and bulk scraping.
(c) Not perform automated scanning of production without prior coordination via the contact in §7.
(d) Maintain confidentiality of the report and any associated material until askadent has remediated the underlying issue or the parties have agreed in writing on a public-disclosure date. The maximum embargo is 90 calendar days from the date the report is first received; higher-severity issues are typically remediated well inside this window.
5. Safe harbour
askadent will not initiate or support legal action against a researcher whose conduct, in good faith, complies with this policy. This commitment is conditional on the researcher:
(a) following the requirements in §4; (b) not accessing, modifying, or exfiltrating data belonging to any other party; and (c) reporting the issue to askadent before any public disclosure.
Where the underlying conduct creates a present and material risk to user safety or to the integrity of the service, askadent reserves the right to involve law enforcement. Where this is necessary, askadent will coordinate with the researcher in advance to the extent practicable.
6. Recognition
At the researcher's election, askadent will acknowledge the report in a published security acknowledgements register once the underlying issue has been remediated. Anonymous reporting is supported. askadent does not currently operate a paid bug bounty.
7. Contact
- Email: security@askadent.com
- Acknowledgement target: 2 business days