Security & Vulnerability Disclosure
Last updated: July 2026
Reporting a vulnerability
EzerHeal handles sensitive health data, and we take security seriously. If you believe you have found a security vulnerability in our website, mobile apps, or backend, please report it to us privately so we can fix it before it is disclosed publicly.
Please report through one of these channels:
- Email: [email protected]
- GitHub Security Advisory: open a private advisory
Please include enough detail to reproduce the issue (affected URL or screen, steps, and impact). Do not include real patient data in your report.
Our commitments
For reports made in good faith under this policy, we commit to:
- Acknowledging receipt of your report within 72 hours.
- Keeping you informed of our remediation progress.
- Not pursuing legal action against researchers who follow this policy in good faith and avoid privacy violations, data destruction, and service disruption.
In scope
- ezerheal.com and its subdomains (*.ezerheal.com)
- The EzerHeal Android and iOS apps published under com.ezerheal.*
- Our Supabase backend project (authenticated testing against your own test account only)
Out of scope
- Social engineering of EzerHeal staff or partner doctors, pharmacies, or labs
- Denial-of-service or volumetric / traffic-flooding attacks
- Physical security of partner clinics or kiosks
- Any activity that would access, expose, or exfiltrate real patient data (PHI)
- Automated scanning that degrades service for real users
Acknowledgments
We are grateful to the security researchers who help keep EzerHeal and its users safe. With your permission, we will recognise valid, responsibly disclosed reports here once our disclosure programme is active. This list is currently empty as we are pre-launch.
Machine-readable policy
Our security contact details are also published at /.well-known/security.txt (RFC 9116).