Security disclosure policy
Last updated: 2026-05-18
Our commitment
EuroClinics SL welcomes responsible reports of security vulnerabilities and operates a coordinated vulnerability disclosure (CVD) programme aligned with ISO/IEC 29147:2018 and the coordinated-disclosure requirements of Directive (EU) 2022/2555 (NIS2).
Any system under euroclinics.net or *.euroclinics.net is in scope, as are the mobile apps once released. Acıbadem-style or partner-operated sub-domains (when partner-controlled) are out of scope unless we explicitly include them.
How to report
Email: security@euroclinics.net
PGP key and security.txt (RFC 9116): /.well-known/security.txt
Please include: a concise description, the affected URLs or endpoints, reproduction steps, screenshots or a proof of concept, and any suggested mitigation. Do NOT include real patient data: use a test account or describe the issue abstractly.
Our response
Acknowledgement: within 24 business hours.
Triage and severity assignment (CVSS v4.0): within 5 business days.
Fix targets by severity: Critical: 7 days · High: 30 days · Medium: 60 days · Low: 90 days.
Public disclosure: coordinated within a 90-day window from triage, extendable by mutual agreement.
CVE assignment requested where applicable.
Safe harbour
Provided you act in good faith and within the rules below, EuroClinics SL will not pursue civil or criminal action against you, and will not authorise any action against you under computer-misuse statutes equivalent to the US Computer Fraud and Abuse Act (e.g. art. 197 ff. Código Penal in Spain, §202a StGB in Germany).
Rules: do not access more data than necessary to demonstrate the issue; do not exfiltrate, modify, or destroy data; do not disrupt service; do not attempt social-engineering or physical attacks; do not test on production patient accounts.
Bug bounty
Discretionary rewards for novel, high-impact reports; the typical range is €100 to €5,000, with the upper end reserved for Critical findings demonstrated with a full exploit chain.
Public hall-of-fame for contributors who consent.
Bounties paid via SEPA / Wise; cryptocurrency available for researchers in jurisdictions where banking is impractical.
Out of scope
Issues already publicly disclosed, denial-of-service, social engineering of staff, physical intrusion, third-party services where we are not the responsible party, and theoretical issues without practical impact.
Self-XSS, clickjacking on pages without sensitive actions, and missing security headers without a demonstrable exploit are accepted as reports but typically not rewarded.
Reporting an actual breach (NIS2 / GDPR)
If you believe you have evidence of an actual data breach (not just a vulnerability), please mark your email subject "[BREACH-NOTIFY]". Such reports trigger our incident-response procedure and may invoke GDPR Art. 33 (notification of the supervisory authority / DPA within 72 hours) and NIS2 Art. 23 (early warning to the CSIRT within 24 hours).