GenesisCare Australia – Vulnerability disclosure policy

1. Introduction and Purpose

At GenesisCare, the security of our systems and the privacy of patient data are top priorities. While we invest significant effort in system security, vulnerabilities may still exist. We encourage responsible disclosure to help us protect our patients, staff, and partners.

2. Scope

This policy applies to any system, product, service or website wholly owned by GenesisCare.

This policy does not cover:

  • Duplicate or known vulnerabilities identified by internal processes
  • Social engineering or phishing attempts
  • Weak or insecure SSL ciphers and certificates
  • Denial of service (DoS) attacks
  • Physical attacks
  • Attempts to modify or destroy data
  • Clickjacking

3. Reporting a vulnerability

If you discover a potential security vulnerability within any assets of GenesisCare, please notify us so we can investigate and, where necessary, promptly remediate the issue.

To report a vulnerability:

  • E-mail your findings as quickly as possible to it-security@genesiscare.com. Provide sufficient information to reproduce the problem (e.g., IP address, URL, description, and steps to reproduce). Complex vulnerabilities may require further explanation.
  • Do not exploit a vulnerability or problem you have discovered beyond what is necessary to demonstrate it, for example by downloading more data than necessary to demonstrate the vulnerability or deleting or modifying other people's data.
  • Do not publicly disclose the vulnerability before we have resolved it.
  • Do not reveal the problem to others.

4. Our commitment

  • We will respond to your report within 5 business days.
  • We will handle your report with strict confidentiality and not pass on your personal details to third parties without your permission.
  • We will keep you informed of the progress towards resolving the problem.
  • With your consent, we will credit you as the discoverer in any public disclosure (see the “Recognition” section below).
  • We strive to resolve all valid reports as quickly as possible.

5. Recognition

GenesisCare values the contributions of security researchers who help us improve the safety of our systems. While we do not offer financial rewards, we are happy to acknowledge your efforts publicly (with your consent) and may offer a certificate of appreciation or other non-monetary recognition for high-quality, impactful disclosures.

6. Liability

By reporting any vulnerability to GenesisCare you agree to be bound by this policy, and you agree to act in good faith and comply with all applicable laws.

GenesisCare does not authorise or permit any activity that would cause harm to its systems or data, or that would violate privacy or data protection laws.

GenesisCare will not pursue legal action against individuals who report vulnerabilities in good faith and in accordance with this policy.

Limitation of Liability

GenesisCare is not liable for any unintentional harm or disruption caused by your testing, provided you have acted in accordance with this policy. However, you may be liable for any damage caused by actions outside the scope of responsible disclosure.

Responsible Disclosure

We encourage good-faith security researchers and professionals to report vulnerabilities to us. Working together, we can ensure a stronger cybersecurity posture for all.

Contact us

If you have questions about this policy, eligibility, or process, please contact us.