Security Disclosure Policy

Last updated: 1 May 2025

Biomicrology takes the security of its platform seriously. We operate regulated medical device infrastructure and hold ourselves to a high standard. If you discover a security vulnerability, we want to know about it — and we ask that you give us the opportunity to address it responsibly before public disclosure.

How to Report

Send vulnerability reports to:

security@biomicrology.com

Please include in your report:

  • A clear description of the vulnerability and its potential impact
  • Steps to reproduce or a proof-of-concept
  • Affected systems or URLs
  • Your contact details for follow-up

Encrypted communication: PGP key available on request.

What to Expect

  • Acknowledgement within 2 business days of receipt
  • Initial assessment within 5 business days
  • Regular updates on remediation progress
  • Notification when the issue is resolved

We aim to resolve critical vulnerabilities within 30 days and will coordinate disclosure timing with you.

Scope

In scope for responsible disclosure:

  • biomicrology.com and subdomains (app, api, staging)
  • Biocrome device firmware and communication protocols
  • Biocrome dashboard and API

Out of scope:

  • Denial-of-service attacks
  • Social engineering of Biomicrology staff
  • Physical attacks against devices in the field
  • Third-party services not under our control

Our Commitments

  • We will not take legal action against researchers who act in good faith under this policy
  • We will acknowledge your contribution in our release notes (unless you prefer anonymity)
  • We will not share your personal information with third parties without your consent

Responsible Disclosure Guidelines

We ask that you:

  • Do not access, modify, or delete data that does not belong to you
  • Do not disrupt production systems or services
  • Do not disclose the vulnerability publicly before we have had a reasonable opportunity to remediate
  • Keep details of the vulnerability confidential until we jointly agree on a disclosure date

Biomicrology operates regulated medical device infrastructure. Vulnerabilities affecting device integrity or diagnostic output are treated as critical and escalated immediately.

Biomicrology Pty Ltd © 2026