Security

Security Disclosure Policy

We take the security of CareEZ and SeniorDeli services seriously. If you discover a vulnerability, we want to hear from you.

Last updated: 2026-05-25  ·  RFC 9116 compliant  ·  security.txt

📬 How to Report

Send vulnerability reports by email. Please include a clear description, reproduction steps, affected component, and potential impact. We do not offer a public bug bounty programme at this time, but we will acknowledge your contribution in our Acknowledgments section with your permission.

Email routing is pending configuration in the Cloudflare Email Routing dashboard; reports will be received once routing is active.

🎯 Coverage

This policy covers all production services operated by Carewells Limited under the CareEZ brand:

  • careez.org
  • demo.careez.org
  • api.seniordeli.com/v1/classify
  • api.seniordeli.com/v1/thickener
  • api.seniordeli.com/v1/aspiration-risk
  • api.seniordeli.com/v1/compliance

In Scope

  • Authentication and authorization flaws on any covered endpoint
  • Injection vulnerabilities (SQL, command, prompt injection with security impact)
  • Sensitive data exposure or insecure storage
  • Server-side request forgery (SSRF)
  • Broken access control or privilege escalation
  • Security misconfigurations with exploitable impact
  • Cross-site scripting (XSS) with meaningful impact

🚫 Out of Scope

  • Third-party services and infrastructure not controlled by Carewells Limited
  • Denial-of-service attacks
  • Social engineering of Carewells staff
  • Physical security
  • Findings from automated scanners without demonstrated exploitability
  • Missing security headers with no exploitable path
  • Email spoofing / SPF / DMARC issues on non-covered domains

Response SLA

We aim to respond to all reports within the following timelines:

Severity      Acknowledgment   Triage     Fix Target
Critical      48 hours         7 days     30 days
High          48 hours         7 days     60 days
Medium        48 hours         14 days    90 days
Low / Info    48 hours         30 days    Best effort

We will keep you informed of progress and notify you when the issue is resolved. We request a 90-day coordinated disclosure window before public disclosure.

🛡 Safe Harbor

Carewells Limited will not pursue legal action against researchers who discover and report security vulnerabilities in good faith, provided that:

  • You do not access, modify, or destroy data that is not yours
  • You do not disrupt production services or degrade service quality
  • You do not exploit the vulnerability beyond what is necessary to demonstrate it
  • You report the vulnerability to us promptly and do not disclose it publicly before we have had a reasonable opportunity to address it
  • You act in good faith and in compliance with applicable laws

We consider responsible security research a valuable contribution to the safety of our users. We will work with you to understand and address issues promptly.

🔑 PGP Key

A PGP key for encrypted communication with [email protected] will be published here. In the interim, please submit reports via email and we will follow up securely.

🏅 Acknowledgments

No acknowledgments yet. Be the first to responsibly disclose a vulnerability and we will thank you here.