As a provider of secure software, services, and research, Sibel Health takes security issues seriously
and recognizes the importance of privacy, security, and community outreach. As such, Sibel Health is
committed to addressing and reporting security issues. This policy outlines how to report vulnerabilities,
what to expect in response, and how we will handle them.

This policy applies to vulnerabilities identified in any system or service operated by Sibel Health.

 

Reporting security issues

If you believe you have discovered a vulnerability in a Sibel Health product or have a security concern
you would like to report, please report it to us following these steps:

Email: Send a detailed report to security@sibelhealth.com. If you feel the need, please use our
PGP public key to encrypt your communications with us.

Information to include
A detailed description of the vulnerability, including:

● Product or service name, URL, and affected versions.
● Operating system of involved components.
● Software configuration of the computer or device at the time of discovery.
● Class or type of vulnerability (e.g., using a taxonomy like CWE).
● Time and date of discovery.

Steps to reproduce the issue

● Technical description of actions performed, order and result.
● PoC code or tools used to produce the vulnerable behavior.

Potential impact and severity estimate, if available.
Potential root cause, if available.
Scope assessment: other products, components, services, or vendors thought to be affected, if
available.
Disclosure plans, specifically embargo and publication timelines, if available.

Our Commitment

When a vulnerability is reported to Sibel Health, we commit to:
○ Acknowledging receipt of your report within 7 business days.
○ Assessing and verifying the legitimacy of the vulnerability.
○ Categorizing the severity of the vulnerability based on potential impact.
○ Developing a remediation plan based on severity and implementing a fix.
○ Providing an estimated timeline for remediation.
○ Communicating progress throughout the remediation process through email.
○ Communicating advisories with remediation, following our internal vulnerability management
procedure.
○ Treating each report confidentially and not disclosing it to third parties without consent.
○ Disclosing vulnerabilities in the release notes of updates.

Out of Scope

Not all issues are in scope for Sibel’s vulnerability disclosure process. Out-of-scope issues include:
● Reports of missing security headers that do not lead to significant impact or performance degradation.
● Outdated platform-specific issues.
● Social engineering attacks or physical vulnerabilities (e.g., office security).
● Issues with third-party services not managed by Sibel Health.

Recognition

Sibel Health greatly appreciates the efforts of security researchers and discoverers who share
information on security issues that help to improve our products and services and better protect our
customers. If you wish to be recognized (or prefer to remain anonymous), please let us know. Sibel
Health neither provides financial compensation for disclosing vulnerabilities nor engages in a bug
bounty program.

 

Public PGP Key
