ENDEES中文
Sign in Contact

Home  /  Vulnerability Disclosure

Security

Vulnerability Disclosure Policy

apoQlar GmbH takes the security of its products and services seriously. We value the work of the security research community and welcome good-faith reports of vulnerabilities that help us protect our users, our hospital partners, and the patients they serve.

How to report

Please send vulnerability reports by email to security@apoqlar.com. To help us triage quickly, include where possible:

  • a clear description of the vulnerability and its potential impact;
  • the affected URL, endpoint, product or component;
  • step-by-step instructions to reproduce it (proof of concept);
  • any tools, payloads or accounts used during testing.

If you wish to send sensitive details encrypted, contact us first at security@apoqlar.com and we will share a public key.

Scope

This policy covers the websites and online services operated by apoQlar GmbH, including apoqlar.com and the HoloMedicine® web platform and portal. Third-party services we rely on (e.g. hosting, analytics) are governed by their own programs and policies.

Safe harbor

We consider security research and vulnerability disclosure conducted in line with this policy to be authorized. We will not pursue or support legal action against researchers who act in good faith and adhere to the guidelines below. If legal action is initiated by a third party against you for activities conducted in accordance with this policy, we will make this authorization known.

Guidelines

When researching, please:

  • act in good faith and avoid any privacy violation, degradation or interruption of our services;
  • use only your own test accounts and data - do not access, modify or delete data that does not belong to you;
  • never access, store, or exfiltrate patient or personal data. If you encounter such data, stop immediately and report it to us;
  • do not run denial-of-service tests, send spam, or perform social engineering, phishing, or physical attacks against our staff, partners, or facilities;
  • give us a reasonable time to investigate and remediate before disclosing publicly (coordinated disclosure);
  • comply with all applicable laws, including data-protection law.

Our commitment

  • We aim to acknowledge your report within 3 business days.
  • We will keep you informed of our progress as we validate and remediate the issue.
  • With your permission, we are happy to credit you once the issue is resolved.

Out of scope

The following are generally not eligible unless a concrete, exploitable impact is demonstrated: reports generated solely by automated scanners; missing security headers or best-practice recommendations without a working proof of concept; rate-limiting or brute-force findings; clickjacking on pages without sensitive actions; and social-engineering attacks.

Rewards

apoQlar does not currently operate a paid bug-bounty program. We sincerely appreciate every responsible disclosure and are glad to acknowledge researchers who help keep our users safe.

Contact

Security reports: security@apoqlar.com
Machine-readable details: /.well-known/security.txt