Responsible Disclosure
Last reviewed: May 2026
Regenemm Healthcare takes security reports seriously.
If you believe you have found a vulnerability affecting Regenemm Healthcare, please report it privately so we can investigate and remediate it safely.
Scope
Reports should describe suspected vulnerabilities affecting Regenemm systems, public pages, integrations, or authorised test environments.
In-scope report categories may include:
- authentication or authorisation weaknesses;
- access-control issues;
- unintended disclosure risks;
- insecure direct object references;
- credential exposure;
- sensitive logging or telemetry concerns;
- misconfigured public pages or repositories;
- vulnerabilities in authorised test environments;
- agentic workflow boundary concerns;
- audit or release gate bypass concerns.
Reports should include enough information to reproduce or understand the issue without exposing patient data, clinical records, production secrets, or live service availability.
How to Report
Send reports to:
Please include:
- affected system, product, or URL;
- description of the issue;
- reproduction steps;
- potential impact;
- whether patient data, clinical data, credentials, or audit records may be affected;
- your contact details for follow-up.
What We Ask
Security research must not access, modify, disclose, or disrupt patient data, clinical records, live care workflows, or production systems.
The following activities are not authorised through this document:
- accessing patient-identifiable information;
- modifying clinical records;
- interrupting care workflows;
- social engineering staff, patients, providers, or partners;
- phishing;
- physical security testing;
- denial-of-service testing;
- destructive testing;
- exfiltrating secrets, tokens, or credentials;
- persistence, malware, or lateral movement;
- testing third-party systems without their authorisation.
Please do not publicly disclose the issue before Regenemm has had a reasonable opportunity to investigate and respond.
If research unexpectedly exposes sensitive information, the researcher should stop, avoid further access, preserve only the minimum safe evidence needed to report the issue, and notify Regenemm through the approved reporting pathway.
Reports must not include real patient records, unredacted secrets, credentials, or unnecessary sensitive content.
What Regenemm Will Do
Regenemm will review valid reports, assess severity, prioritise remediation, and keep appropriate records of the issue and response.
Regenemm's intended response posture is to triage good-faith reports, assess patient and system risk, preserve relevant evidence, remediate confirmed issues, and communicate within defined response expectations.
Where a report indicates possible exposure of personal information, health information, credentials, or clinical workflow data, Regenemm will assess the matter under its incident and breach-response processes.
Security, privacy, clinical governance, and incident-response reviewers may be involved depending on the nature of the report.
Good-Faith Research
Regenemm supports responsible security research conducted in good faith and without harm to patients, clinicians, customers, or platform operations.
This policy does not authorise testing that would compromise patient safety, privacy, availability, or legal obligations.