Responsible Disclosure Policy

How to report security vulnerabilities to SECUVA

Last updated: April 2026

We welcome security researchers and the broader community to help us maintain the security of our platform. SECUVA was built by cyber security practitioners — we take vulnerability reports seriously, respond quickly, and credit researchers who follow responsible disclosure. If you discover a security vulnerability, please follow the process below.

For questions about our general security architecture and data protection practices, see our Security & Trust page or the Security Policy.

How to Report

Send your report directly to our security team: security@secuva.com.au

PGP key available on request · encrypted reports preferred for sensitive findings

What to Include

  • Description of the vulnerability and its potential impact
  • Steps to reproduce the issue
  • Screenshots or proof-of-concept code if applicable
  • Your contact information for follow-up questions

Scope

In Scope

  • secuva.com.au and all subdomains
  • SECUVA agent — on-prem binary, update mechanism, signature verification
  • Control plane API — authentication, authorisation, input validation
  • Web console — session management, RBAC enforcement
  • Agent ↔ control plane mTLS — pinning bypass, downgrade attacks
  • Audit log — integrity, tamper detection, chain validation
  • Any component or flow that could expose patient data

Out of Scope

  • Social engineering or phishing attacks against SECUVA staff
  • Physical access to infrastructure or hardware
  • Denial of service or volumetric resource exhaustion
  • Third-party services not operated by SECUVA
  • Findings in customer-operated on-prem environments
  • Vulnerabilities already reported and under active remediation

Researcher Guidelines

  • Make good faith efforts to avoid privacy violations and service disruption
  • Do not access or modify other users' data
  • Report vulnerabilities as soon as possible after discovery
  • Allow us reasonable time to remediate before public disclosure
  • Do not perform testing that could harm our users or services

Our Response

  • Acknowledgment within 24 hours
  • Initial triage and severity assessment within 72 hours
  • Regular progress updates until resolution
  • Public credit for responsible disclosure (if desired)

We do not pursue legal action against researchers who follow these guidelines in good faith. SECUVA practises responsible disclosure itself and holds our own vendors to the same standard.

Ready to report a vulnerability?

Email us directly. We respond within 24 hours.

security@secuva.com.au