Responsible disclosure
Report a vulnerability
We welcome reports from security researchers. If you believe you have found a vulnerability in Veona, tell us and we will work with you to confirm and resolve it.
How to report
Send us the details
- Email security@veonahealth.com with a clear description.
- Include steps to reproduce, affected components, and potential impact.
- Give us reasonable time to investigate and remediate before public disclosure.
- Do not access, modify, or delete data that is not yours.
Safe harbor
Good-faith research is welcome
We will not pursue or support legal action against researchers who act in good faith, follow this policy, avoid privacy violations and service disruption, and give us a reasonable chance to fix the issue before disclosure. If in doubt about whether an action is allowed, ask us first.
In scope
- The Veona platform and its web application.
- Authentication, authorisation, and session handling.
- APIs and integrations that are part of a Veona deployment.
- Data exposure, injection, and access-control flaws.
Out of scope
- Denial-of-service and volumetric attacks.
- Social engineering of Veona or facility staff.
- Physical attacks against facilities or infrastructure.
- Automated scanner output without a demonstrated, exploitable impact.
- Testing against live production data or facilities you are not authorised to test.
What to expect
Response targets
We aim to acknowledge verified reports on the timelines below and will keep you updated through remediation.
- Critical: Acknowledge rapidly and begin remediation immediately.
- High: Acknowledge within one business day.
- Normal: Acknowledge within a few business days.