Security
Vulnerability Disclosure
We value the security research community and welcome responsible disclosure of vulnerabilities that affect Elderwise systems and services.
Scope
This vulnerability disclosure policy applies to the following systems and services:
In Scope
- elderwise.ai and all subdomains
- Elderwise Caregiver App (iOS and Android)
- Elderwise Clinical Platform (web application)
- Elderwise API endpoints
- Authentication and authorisation systems
Out of Scope
- Third-party services and integrations not operated by Elderwise
- Social engineering attacks against Elderwise employees
- Physical security of Elderwise offices or data centres
- Denial of service (DoS/DDoS) attacks
- Spam or phishing campaigns
Rules of Engagement
When conducting security research on Elderwise systems, you must adhere to the following rules:
- Do not access, modify, or delete data belonging to other users. Use only accounts you own or have explicit authorisation to test.
- Do not disrupt services. Avoid actions that could degrade the availability or performance of our systems, including automated scanning at high volume.
- Do not publicly disclose vulnerability details until we have had a reasonable opportunity to investigate and remediate the issue (minimum 90 days from initial report).
- Do not exploit vulnerabilities beyond what is necessary to demonstrate the issue. Provide a minimal proof of concept.
- Comply with all applicable laws. Do not engage in any activity that would violate Singapore law, the Computer Misuse Act, or any other applicable jurisdiction's laws.
- Protect privacy. Given the healthcare nature of our platform, take extreme care to avoid accessing or exposing protected health information (PHI) or personal data.
Reporting Process
To report a vulnerability, please follow these steps:
1. Submit Your Report: Send an email to security@elderwise.ai with a detailed description of the vulnerability. Include steps to reproduce, affected systems, and your assessment of the potential impact.
2. Acknowledgement: We will acknowledge receipt of your report within two (2) business days and provide a tracking reference number for your submission.
3. Investigation: Our security team will investigate the reported vulnerability. We may contact you for additional information or clarification. We aim to validate reports within ten (10) business days.
4. Remediation: We will work to remediate confirmed vulnerabilities according to their severity. Critical issues will be addressed within 72 hours, high-severity issues within 30 days, and medium- or low-severity issues within 90 days.
5. Notification: Once the vulnerability has been remediated, we will notify you of the resolution and, with your permission, acknowledge your contribution.
Recognition
We appreciate the efforts of security researchers who help us keep our users safe. Researchers who report valid vulnerabilities in accordance with this policy may receive:
- Public acknowledgement on our Security Hall of Fame (with your consent)
- A letter of recognition for your contribution
- Early notification of security updates and new features
We are currently developing a formal bug bounty programme with monetary rewards. Details will be announced on this page when the programme launches.
Safe Harbour
Elderwise will not pursue legal action against security researchers who discover and report vulnerabilities in good faith, following the rules outlined in this policy. We consider security research conducted in accordance with this policy to be authorised and will not pursue civil or criminal action.
Contact
For security reports and questions about this disclosure policy:
Elderwise Security Team
Email: security@elderwise.ai
PGP Key: Available upon request
Web: Contact Form