Do not access, modify, download, or disclose patient information, customer data, or another user's account data while testing or reporting a vulnerability.
Purpose
CaelaraHealth welcomes good-faith security reports that help protect providers, patients, and practices. This policy explains how to report potential vulnerabilities responsibly.
In Scope
- Public CaelaraHealth website pages owned by GagliTech LLC.
- Authenticated CaelaraHealth portals or endpoints only when you are using accounts and data you own or are explicitly authorized to test.
- Security issues that can be demonstrated without accessing patient information, disrupting availability, or affecting other users.
Out Of Scope
- Accessing, downloading, changing, or sharing patient information or customer data.
- Denial-of-service, spam, physical attacks, social engineering, phishing, or attempts against employees, customers, or vendors.
- Testing third-party systems that are not owned or controlled by GagliTech LLC.
- Destructive testing, persistence, malware, credential stuffing, or public disclosure before coordinated review.
Researcher Guidelines
- Use only your own account, test account, or data you are authorized to use.
- Stop testing and report immediately if you encounter data that is not yours.
- Avoid privacy-invasive testing and avoid service disruption.
- Give us a reasonable period to investigate and address the report before public disclosure.
- Do not request compensation, threaten disclosure, or use the issue to gain leverage.
What To Include
- A short summary of the issue and potential impact.
- The affected URL, route, or workflow.
- Clear steps to reproduce using non-PHI test data.
- Screenshots, logs, or proof-of-concept details that do not include patient information.
- Your contact information so we can follow up.
How To Report
Send good-faith vulnerability reports to security@gaglitech.com. Do not include patient information, PHI, secrets, or exploit data beyond what is needed to understand the issue.
Use the private beta request form only as a fallback for non-urgent security-report coordination if email is unavailable.
We do not currently operate a public bug bounty program, and submitting a report does not create a right to payment.
Safe Harbor Intent
We intend to avoid legal action for good-faith research that follows this policy, avoids harm, respects privacy, and does not violate law. This statement does not authorize access to data, systems, or accounts you do not own or have permission to test.
Questions about this page?
Send non-PHI questions through the private beta request path or your established CaelaraHealth contact.
Request early access