SECURITY
Responsible Disclosure Policy
1. Our Commitment to Security
Acules takes the security of our platform seriously. We are committed to protecting the personal and health-related information of our users and partner hospitals. We value the contributions of independent security researchers who help us maintain a secure platform.
If you believe you have discovered a security vulnerability in any Acules system, we encourage you to report it to us responsibly so we can address it quickly and protect our users.
2. Scope
This policy applies to security vulnerabilities discovered in:
- The Acules web application at acules.com and acules.net
- The Acules API (api.acules.com)
- Mobile applications published by Acules, Inc.
- Any subdomain operated by Acules
This policy does not apply to services or systems operated by our hospital partners, third-party vendors, or any infrastructure not controlled by Acules.
3. Out of Scope
The following types of reports are out of scope and will not be eligible for recognition:
- Denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks
- Social engineering attacks targeting Acules employees or contractors
- Physical attacks against Acules offices or infrastructure
- Attacks requiring physical access to user devices
- Reports involving exploitation of vulnerabilities in third-party systems not maintained by Acules
- Automated scanning reports without manual validation
- Low-severity issues such as missing HTTP security headers (without demonstrated exploitability), rate limiting on non-critical endpoints, or minor information disclosures
4. Reporting a Vulnerability
To report a vulnerability, please email security@acules.com.
Please include in your report:
- Description: A clear description of the vulnerability and the potential impact if exploited.
- Steps to reproduce: Step-by-step instructions to reproduce the vulnerability, including any tools, payloads, or configurations required.
- Potential impact: Your assessment of the severity and potential business or user impact.
- Contact details: How to reach you for follow-up (optional).
- Screenshots or proof-of-concept: If applicable, supporting evidence that confirms the vulnerability.
Please do not include any sensitive personal data belonging to Acules users in your report. If you encounter personal data during your research, stop immediately and include only the minimum necessary information to document the vulnerability.
5. What to Expect
After submitting a report, you can expect:
- Acknowledgment within 48 hours: We will confirm receipt of your report within 48 hours of submission.
- Initial assessment within 7 days: We will provide an initial assessment of the vulnerability, including a preliminary severity determination.
- Fix timeline: We will communicate an expected fix timeline based on severity. Critical vulnerabilities are prioritized for immediate remediation.
- Public credit (optional): If you would like public recognition for your report, we will credit you in our security acknowledgments upon resolution, unless you prefer to remain anonymous.
6. Safe Harbor
Acules will not pursue civil or criminal legal action against security researchers who comply with this policy in good faith. We consider responsible disclosure activity to be authorized under this policy, provided that:
- You do not access, modify, or delete data beyond what is necessary to demonstrate the vulnerability.
- You do not disclose the vulnerability publicly before we have had a reasonable opportunity to address it (typically 90 days).
- You do not perform actions that could harm Acules users, degrade our services, or cause business disruption.
- You do not demand payment for your report or threaten to disclose the vulnerability publicly without our consent.
If you have questions about whether a specific activity is covered under this policy before proceeding, please contact us at security@acules.com.
7. Contact
Security reports: security@acules.com
General inquiries: support@acules.com