Responsible Disclosure Policy
Last updated: 18 May 2026
Security is fundamental to our mission. We value the contribution of security researchers and the wider community in helping us maintain high security standards for our customers and their data. This policy describes how to report a vulnerability responsibly.
Our commitment to researchers
When you report a vulnerability in good faith under this policy, we commit to:
- Acknowledging your report within 5 business days
- Investigating all valid reports promptly and fairly
- Keeping you informed of our progress
- Not pursuing legal action against you for compliant research
- Crediting your contribution (with your consent) after remediation
In scope
The following are in scope for vulnerability research:
- CaladriusHealth.AI web application and API endpoints
- Authentication and authorisation mechanisms
- ABDM integration interfaces (HIP and HIU)
- AI feature security, including:
  - Prompt injection attacks that bypass safety controls
  - Cross-customer data leakage via AI inference features
  - AI output manipulation that could affect billing or claims accuracy
  - Attempts to extract Customer Data from AI model outputs
- On-premises software components distributed to Customer organisations
Out of scope
The following are not in scope:
- Social engineering against CaladriusHealth staff or customers
- Physical attacks against our facilities
- Denial-of-service (DoS/DDoS) attacks
- Automated scanning that disrupts service availability
- Third-party systems not owned or operated by CaladriusHealth
- Customer environments (hospitals, clinics) — do not test Customer systems
How to report
Send a report to Connect@caladriushealth.ai with the subject line “Security Vulnerability Report”. Include:
- A description of the vulnerability and its potential impact
- Reproduction steps or proof-of-concept (where possible)
- The systems and components affected
- Your contact information (optional — anonymous reports are accepted)
Please do not publicly disclose the vulnerability until we have had a reasonable opportunity to investigate and remediate it. Our standard coordinated disclosure window is 90 days.
Disclosure timeline
| Stage | Target |
|---|---|
| Acknowledgement of report | Within 5 business days |
| Initial assessment and severity | Within 15 business days |
| Remediation — Critical / High | Within 30 days of confirmation |
| Remediation — Medium / Low | Within 90 days of confirmation |
| Coordinated public disclosure | After remediation, with researcher’s consent |
If a fix requires more time, we will communicate this and agree an extended timeline with you.
Severity levels
| Severity | Examples |
|---|---|
| Critical | Remote code execution, authentication bypass, full data breach, cross-tenant data access |
| High | SQL injection, privilege escalation, significant data exposure, AI data isolation failure |
| Medium | CSRF, stored XSS, insecure direct object reference (IDOR) |
| Low | Open redirect, informational disclosure, minor misconfiguration |
Safe harbour
We will not pursue legal action against researchers who comply with this policy, do not access or modify Customer Data beyond what is necessary to demonstrate the vulnerability, do not disrupt Service availability, and do not disclose findings to third parties before remediation.
This safe harbour does not extend to activities that violate applicable Indian law, including the Information Technology Act, 2000.