Vulnerability Disclosure Policy

nursIT Institute GmbH

This policy describes how NursIT Institute GmbH handles vulnerability reports and what we expect from security researchers. It complements the security overview page with specific procedural and framework conditions.

The policy is aligned with established standards, in particular the Coordinated Vulnerability Disclosure guideline of the BSI, ISO/IEC 29147, and disclose.io.

1. Principle

We welcome and encourage responsible security research on our systems and products. Anyone who reports a vulnerability to us makes a valuable contribution to the security of our platform and, by extension, to the security of patient data. We commit to handling reports confidentially, remediating them in a coordinated manner, and treating researchers fairly.

2. Scope

IN SCOPE
  • the publicly accessible websites and services of NursIT Institute GmbH under nursit-institute.com, nursit-institute.de, nursit.de
  • all demo, test, and sandbox environments under *.careit.one
  • publicly accessible APIs (REST/FHIR) that we provide
  • mobile applications that we publish under our name

OUT OF SCOPE
  • Production installations of CareIT Pro at customer sites in the respective hospitals. These instances are not operated publicly and are governed by the security regime of the respective clinic. If you have a finding here, please contact the hospital directly.
  • Third-party products that we use but do not develop ourselves (e.g. cloud providers, identity providers, Smile CDR as a purchased FHIR server). Please report findings directly to the respective vendor.
  • Former or no longer operated systems.

PERMITTED TESTING
  • Manual and automated security analysis that does not disrupt operations.
  • Identification and validation of vulnerabilities with the minimum effort necessary.
  • Reproduction of a finding using test accounts or synthetic data.

NOT PERMITTED
  • Denial-of-service attacks (DoS/DDoS), deliberate slowdown, or load generation beyond normal use.
  • Reading or modifying personal data or other third-party data beyond the minimum necessary.
  • Persistent or destructive actions (data deletion, data manipulation, defacement).
  • Phishing, social engineering against employees, customers, or partners.
  • Physical attacks against our facilities or those of our customers.
  • Circumventing third-party protective measures (e.g. Cloudflare WAF, CDN providers) by means that those third parties themselves prohibit.

3. Safe harbor

We consider security research conducted in good faith within the framework of this policy to be expressly authorized. Specifically:

  • We will not initiate civil or criminal proceedings against researchers who comply with this policy, and we will not encourage third parties to do so.
  • To the extent that a researcher's activity could be considered legally relevant under applicable law (e.g. Sections 202a, 303a, 303b of the German Criminal Code), we will refrain from filing criminal charges if this policy is observed.
  • We will make reasonable efforts, in case of inquiries from authorities referencing activities under this policy, to provide a clarifying statement in favor of the researchers and ourselves.

This commitment does not apply to:

  • Violations of the items listed under "Not permitted".
  • Violations of applicable law in the relevant jurisdiction, to the extent that such violations are not legitimately unavoidable in the course of the research activity.
  • Claims by third parties whose systems are not within our scope and whose rights have been affected.

This safe-harbor clause is a self-commitment by NursIT Institute GmbH. It does not replace legal advice and is not to be understood as a legally binding agreement that would, for example, bind law enforcement authorities. When in doubt, we recommend that researchers contact us before conducting sensitive tests.

4. Reporting process

RECOMMENDED CHANNEL
  • Email to security@nursit-institute.com.
  • Please do not transmit personal data beyond what is necessary. If your report contains particularly sensitive information, please let us know in advance so that we can agree on a suitable transmission channel together.

CONTENTS OF A REPORT

Helpful information includes:

  • A summary of the finding (1 to 3 sentences).
  • Affected URL, component, or API endpoint.
  • Steps to reproduce.
  • Observed behavior and (if known) the likely technical cause.
  • Potential impact.
  • Suggested remediation, if you have one.
  • Your contact details and preferred form of acknowledgment.

TIMELINE

Step                                                  Response time
Acknowledgment of receipt                             within 3 working days
Initial technical assessment                          within 10 working days
Status update during ongoing work                     at least every 14 days
Remediation in demo/test environments                 depending on severity, typically 30 to 90 days
Remediation in production environments at customers   within the regular release cycle; in emergencies, out of cycle
Standard embargo until public disclosure              90 days from report, shortened or extended by mutual agreement

ESCALATION

Should you not receive a response from us within the times stated above, or should you find the ongoing process unsatisfactory, you may involve the BSI (CERT-Bund) under its CVD process. We do not consider such an escalation to be a violation of this policy.

5. Recognition

We are happy to publicly thank security researchers who have reported findings to us:

  • Mention in our hall of fame, if desired.
  • Personal thank-you note.
  • On request and in individual cases: recommendation within our industry community.

If you do not wish to be named publicly, we respect that. Please let us know in your report.

6. Bug bounty

We currently do not operate a bug bounty program and are unfortunately unable to compensate reports financially. We are evaluating the introduction of such a program as part of the further development of our security process. Acknowledgment is currently limited to the forms described under "Recognition".

7. Confidentiality

  • We treat incoming reports confidentially and share them only with the individuals internally involved in remediation.
  • We will not pass your contact details to third parties without your express consent, unless we are required to do so by law or by official order.
  • If the vulnerability affects third-party systems (e.g. suppliers, integration partners), we will notify the third-party vendor as part of our CVD practice. We will make reasonable efforts to protect your identity in this process, if you so wish.

8. Governing law and venue

This policy is governed by German law. The place of jurisdiction for disputes is, where legally admissible, the registered office of NursIT Institute GmbH.

9. Changes

We reserve the right to amend this policy. Changes will be published on this page with a date. The version published at the time of your report is the version that applies.

What is careIT?

careIT is the professional supplement to your HIS system with professional, interoperable care and treatment documentation.

careIT is available in three expansion stages.

Basic version: careIT Light

Included in the package:
  • Patient dashboard (without graphical input of inflows, outflows and wounds)
  • Medical history (customizable)
  • Assessment (SeMPA) without measures
  • Automatic data analysis and evaluation (without trigger for information to social services and care specialists)
  • Care file
  • User administration
  • Interfaces
  • Reporting

Pro version: careIT Pro

Included in the package:
  • All services from careIT Light with full range of functions
  • Care planning
  • Evaluation and re-assessment
  • Wound documentation
  • Bed overview
  • Care plan
  • Billing key figures
  • CareIntelligence careIN
  • Online portal for eLearning of careIT functions

Pro version + e-curve: careIT One

Included in the package:
  • All services from careIT Pro
  • Digital, mobile patient chart

Key benefits:
  • Patient safety & quality of care
  • Simplified care documentation
  • Preventive & predictive care
  • Employee satisfaction
  • Automatic revenues
  • Interoperability (FHIR® technology)