Security Disclosure Policy
obeliOmed handles sensitive healthcare data. We take security vulnerabilities seriously and appreciate responsible disclosure from security researchers.
How to report a vulnerability
Email: security@obeliomed.com
Please include:
- Description of the vulnerability
- Steps to reproduce
- Affected component(s) and version(s)
- Potential impact assessment
- Any proof-of-concept code (optional but helpful)
We accept reports in Spanish or English.
Response SLA
| Stage | Timeline |
|---|---|
| Acknowledgement of receipt | Within 48 hours |
| Initial assessment | Within 5 business days |
| Status update | Every 7 days until resolved |
| Fix + disclosure | Within 90 days of confirmed vulnerability |
For critical vulnerabilities (CVSS >= 9.0) affecting patient data, we aim for a fix within 30 days.
Scope
In scope:
- docs.obeliomed.com and all obeliOmed subdomains
- obeliOmed plugins (all repos under github.com/obeliOmed)
- Authentication and authorisation logic
- Patient data handling and storage
- API endpoints (where applicable)
- Third-party integrations (WhatsApp, email providers) as used by obeliOmed
Out of scope:
- FacturaScripts core (report to the FacturaScripts project directly)
- Third-party libraries (report to the upstream maintainer)
- Vulnerabilities requiring physical access to the server
- Social engineering attacks against clinic staff
- Denial-of-service attacks
Responsible disclosure commitment
If you follow this policy, we commit to:
- Not pursue legal action against you for good-faith research
- Acknowledge your contribution in our security hall of fame (if you wish)
- Keep you informed of the remediation timeline
- Coordinate the public disclosure timeline with you
Hall of fame
We publicly thank security researchers who responsibly disclose vulnerabilities to us. (No reports yet — be the first!)
Encryption
You may encrypt your report with our PGP key. Contact security@obeliomed.com to request the current public key fingerprint.