ABAStroke Vulnerability Disclosure Policy

1. Purpose

If you identify a potential security vulnerability related to ABAStroke, please report it directly to our team.

The purpose of this policy is to provide a responsible way to share information about security issues, so that we can assess the risk and take appropriate action.

2. How to report a vulnerability

Please send security reports to:

tech@abastroke.com

If your report contains technical or sensitive information, we recommend encrypting your message with our public PGP key:

https://abastroke.com/.well-known/pgp-publickey.asc

Using PGP is recommended but not required. If you cannot encrypt your message, you may still send your report to the email address above.

3. What to include

To help us analyze the report, please include, where possible:

• a description of the issue,
• steps needed to reproduce the issue,
• information about the affected part of the system, such as the mobile application, backend, website or infrastructure,
• the potential impact, if known,
• contact details for follow-up communication.

If you do not have all of this information, you are still encouraged to submit the report.

4. How we will respond

After receiving a report, we will try to:

• confirm receipt within a reasonable time,
• assess whether the reported issue is security-related,
• ask for clarification if needed,
• plan remediation actions according to the level of risk.

We do not guarantee that every report will be resolved within a specific timeframe, but we treat security reports as a priority.

5. Responsible disclosure rules

Please report vulnerabilities responsibly:

• do not publicly disclose details of the vulnerability before receiving our response or before the agreed time for analysis and response has passed,
• do not take actions that could affect service availability, data integrity or user privacy,
• do not attempt to access data, accounts or resources that do not belong to you,
• limit testing to the minimum necessary to confirm the issue.

6. Disclosure timeframe

As a general rule, we ask you to give us time to analyze the vulnerability and implement remediation actions before public disclosure.

We use a period of up to 90 days from confirmation of a complete report, unless the nature of the issue justifies a different timeframe.

In specific cases, the timeframe may be agreed differently.

7. Protection of the reporter

If the reporter acts in good faith, solely to responsibly inform us about a vulnerability, and follows this policy, ABAStroke will generally not seek action against that person solely because of the report itself.

This does not apply to situations involving:

• unlawful activity,
• intentional access to patient data, user data or other confidential data,
• disruption of services,
• use of the vulnerability beyond what is necessary to confirm it,
• actions causing harm to users, partners or ABAStroke.

8. What this channel is not for

This channel is only for reporting security vulnerabilities. It is not intended for:

• technical support issues unrelated to security,
• complaints,
• matters related to access to therapy,
• sending medical data or patient documentation.

Such matters should be directed through ABAStroke's standard contact channels.

9. Disclaimer

Publication of this policy does not constitute an invitation to conduct broad penetration testing, infrastructure scanning or any other activities beyond responsible and limited confirmation of a potential vulnerability.

ABAStroke may update this policy.