Security
We take the security of OpenBook Clinical seriously. If you believe you have found a security vulnerability, we want to know about it. This policy explains how to report a vulnerability responsibly and what you can expect from us in return.
Acknowledge within
2 business days
Critical fix target
14 calendar days
Aligned with
ACSC guidelines
This policy applies to security vulnerabilities in OpenBook Clinical's own infrastructure and code. We welcome reports on any of the following:
✓ In scope
✗ Out of scope
If you discover a vulnerability in a third-party service we use (Vercel, Supabase, Stripe), please report it directly to that provider under their own vulnerability disclosure programme.
Please email your report to our security team. Do not post vulnerability details publicly until we have had a chance to investigate and issue a fix.
Please include in your report:
Steps to reproduce
A clear, step-by-step description of how to reproduce the vulnerability. Include any tools, URLs, or request payloads needed.
Affected URL or component
The specific endpoint, page, or component where the vulnerability exists. Include the full URL where applicable.
Potential impact
Your assessment of what an attacker could achieve by exploiting this vulnerability — e.g. data exfiltration, account takeover, session hijacking.
Evidence (optional but helpful)
Screenshots, HTTP request/response logs, or a proof-of-concept that demonstrates the issue. Please do not exfiltrate real user data — use your own test account.
When you report a vulnerability to us in good faith, we commit to the following:
Fix timelines are targets, not guarantees. Complex vulnerabilities may take longer to remediate safely. We will always keep you informed if timelines need to change.
To qualify for safe harbour and recognition, we ask that researchers comply with the following:
Do not access or exfiltrate user data
If you discover a vulnerability that could expose user data, do not retrieve, copy, or store that data. Demonstrate exploitability using your own test account only.
Do not disrupt production services
Do not conduct testing that could degrade performance or availability for our users. Do not perform load or stress testing. If you need to test at scale, contact us first.
Do not social-engineer our users or staff
Do not attempt to obtain credentials, access, or information through deceptive means. Social engineering is out of scope and will not be treated as good-faith research.
Allow reasonable time for remediation
Please allow us at least 14 calendar days from initial acknowledgement before any public disclosure. We will work with you on coordinated disclosure timing.
Report only to us
Please report vulnerabilities exclusively to us at openbookclinical@gmail.com and do not share them with third parties, broker vulnerability markets, or publish publicly before coordinated disclosure.
OpenBook Clinical supports responsible security research. If you conduct security research in good faith, in accordance with this policy, we will not:
Important caveat
This safe harbour applies only to research conducted in accordance with this policy. It does not apply to activities that go beyond the scope of good-faith research, including but not limited to: deliberate exfiltration of user data, disruption to production services, social engineering, or disclosure to third parties before coordinated disclosure.
This policy is modelled on the Australian Cyber Security Centre (ACSC) Vulnerability Disclosure Policy framework. We are committed to acting in good faith with researchers who act in good faith with us.
We genuinely appreciate the effort researchers put into identifying and responsibly disclosing security vulnerabilities. As a token of our appreciation:
Hall of Fame
With your consent, we list researchers who report valid vulnerabilities in our Security Hall of Fame. Your name, the date of your report, and a brief description of the issue (without sensitive technical detail) will be included.
View Hall of Fame →Anonymity
If you prefer to remain anonymous, we will always respect that. Just let us know in your initial report and we will acknowledge your contribution without disclosing your identity.
Get in touch
If you have questions about this policy or are unsure whether your planned research is in scope, please reach out before you begin testing. We would rather answer a question than investigate an unintended incident.