Security at nursIT Institute
Responsible reporting of vulnerabilities
The security of our software and the data that our customers entrust to us is a key concern for us. careIT Pro is used in hospitals and processes particularly sensitive health data. We welcome feedback from security researchers to help us make our platform more secure.
Brief overview
| Contact | security@nursit-institute.com |
| security.txt | /.well-known/security.txt |
| Disclosure policy | /en/security/disclosure-policy |
| Acknowledgments | /en/security/hall-of-fame |
| Preferred languages | German, English |
Report a vulnerability
If you have discovered a vulnerability, a weakness in our implementation, or a configuration issue in any of our systems or products, please share it with us confidentially. Here is how to proceed:
- Send an email to security@nursit-institute.com. If your report contains particularly sensitive information, please let us know in advance so that we can agree on a suitable transmission channel together.
- Describe what you observed as precisely as possible: affected URL or component, the method or calls you used, observed behavior, and potential impact.
- If possible, include reproduction steps. Screenshots alone, without a reproduction path, are often hard to evaluate.
- Please give us a reasonable amount of time (at least 30 days) before disclosing the finding publicly or to third parties. We recommend the internationally accepted window of 90 days.
Our response times:
- Acknowledgment of receipt: within three working days
- Initial technical assessment: within ten working days
- Status update during ongoing work: at least every 14 days, more frequently for acute findings
Safe testing
When testing our publicly accessible systems, please keep the following in mind:
- No disruption of running operations: no denial-of-service attempts, no automated scanning at a frequency that slows down our services.
- No data extraction beyond the minimum needed: as soon as you have identified a security issue, report it. Targeted exfiltration or browsing of personal data is not permitted.
- No data manipulation: if you wish to perform a write operation to demonstrate a finding, please coordinate that with us in advance.
- Social engineering and physical attacks are outside the scope of this policy.
- Observe applicable law. This policy does not release you from responsibility for your own actions; it only defines the framework within which we respond to reports.
Details, including scope and a safe-harbor statement, are in our disclosure policy.
Scope
This policy covers:
- the publicly accessible websites and services of NursIT Institute GmbH
- the demo and sandbox environments under *.careit.one
- the mobile applications and APIs that we offer publicly
The following are out of scope:
- Third-party software that we use but do not develop ourselves (e.g. cloud providers, identity providers, Smile CDR as a purchased FHIR server). For findings concerning these systems, please contact the respective vendor directly.
- Production installations at our customers in their hospitals. These are not publicly accessible and are governed by the security regime of the respective clinic. If you have findings there, please contact the hospital in question directly.
What we commit to
- We take every report seriously and confirm receipt to you within three working days.
- We will respond in German or English.
- We will not pursue legal action against security researchers who acted in good faith within the framework of this policy. Details are in our disclosure policy.
- On request, we will name you in our hall of fame. If you prefer to remain anonymous, we respect that.
Note on the bug bounty
We currently do not operate a bug bounty program. We are unfortunately unable to compensate reports financially. We try to acknowledge security researchers through our hall of fame, a personal thank-you note, and, where appropriate, community recommendations.
Contact for other security issues
For other matters relating to data protection and the security of our products (e.g. as a customer, processor, auditor): [general contact address, e.g. info@ or datenschutz@]. The channel security@nursit-institute.com is primarily intended for vulnerability reports.
What is careIT?
careIT supplements your HIS (hospital information system) with professional, interoperable care and treatment documentation.
careIT is available in three expansion stages.
Basic version
careIT Light
Included in the package:
- Patient dashboard (without graphical input of inflows, outflows and wounds)
- Medical history (customizable)
- Assessment (SeMPA) without measures
- Automatic data analysis and evaluation (without trigger for information to social services and care specialists)
- Care file
- User administration
- Interfaces
- Reporting
Pro version
careIT Pro
Included in the package:
- All services from careIT Light with full range of functions
- Care planning
- Evaluation and re-assessment
- Wound documentation
- Bed overview
- Care plan
- Billing key figures
- CareIntelligence careIN
- Online portal for eLearning of careIT functions
Pro version + e-curve
careIT One
Included in the package:
- All services from careIT Pro
- Digital, mobile patient chart