Security Program

Our customers trust us to act as a custodian of sensitive patient and customer information. We are honoured to have that trust placed in us and consequently take our responsibility to protect that information extremely seriously. We use our Privacy and Security Programs to ensure the confidentiality, availability and integrity of information. Our Security Team runs our Security Program and maintains this page for stakeholders interested in the Security Program. Please contact the security team by emailing security@cardihab.com if you have any questions or concerns that are not addressed in our Frequently Asked Questions (FAQ).

Vulnerability Disclosure

Cardihab welcomes the responsible disclosure of vulnerability reports from anyone who finds a security issue with our products. We look forward to working with the security community to resolve security vulnerabilities so we can keep patient information safe and continuously improve our security practices.

How to Submit your Report

  1. Please send your report to security@cardihab.com (preferably encrypted with our public PGP key).
  2. Be sure to include relevant details in the report, such as platform, app/server version, necessary conditions for the exploit to work, a description with proof of concept or exploit code, the impact of the issue if exploited, etc.
  3. Do not contact individual Cardihab staff directly.
  4. Report only one vulnerability per email.

If we have any questions related to the report, we’ll be sure to let you know.

Response Targets

Cardihab will make a best effort to meet the following response targets for researchers contributing to our program:

  • Time to first response (from report submit) - 5 business days
  • Time to triage (from report submit) - 20 business days

We’ll try to keep you informed about our progress throughout the process.

Program Rules

Cardihab appreciates all the help it can get to keep the patient data safe and improve our security. However, please do not:

  • Violate any laws.
  • Socially engineer our employees, customer support team, patients or customers.
  • Access, modify, or reveal or damage the account or data of Cardihab customers.
  • Damage or compromise the integrity of our system.
  • Run tools that degrade our services for our customers.
  • Openly disclose vulnerabilities without the consent of Cardihab.

Out of scope vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:

  • Denial of Service vulnerabilities (DoS)
  • Attacks requiring MITM or physical access to a user's device.
  • Security bugs in third-party sites and software that integrate with our products
  • Insecure cookie handling
  • Spam or social engineering techniques
  • Issues related to email spoofing

Release Cycle

Cardihab's backend can be deployed every day, while our iOS and Android apps can be released within a few days.

Safe Harbour

Any activities conducted in a manner consistent with this policy will be considered authorised conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keeping patient data safe!