Legal

Vulnerability Disclosure Policy

Reporting a Vulnerability

If you discover a security vulnerability in bloodless.org, we ask that you report it responsibly. Please email us with a description of the issue, steps to reproduce, and any supporting evidence. We will acknowledge your report and work to address it promptly.

In Scope

We are interested in vulnerabilities that affect the security, privacy, or integrity of user data on bloodless.org. This includes but is not limited to:

  • Cross-site scripting (XSS) — especially critical given our client-side encryption model
  • Authentication or authorization bypass
  • Server-side injection (SQL, command, template)
  • Weaknesses in the client-side encryption implementation
  • Unauthorized access to user data or encrypted blobs

Out of Scope

  • Denial of service (DoS/DDoS) attacks
  • Social engineering attacks against staff or users
  • Phishing campaigns
  • Brute-force attacks against user passcodes (this is a known, documented risk in our threat model)

Response Commitments

  • Acknowledge your report within 48 hours
  • Triage and assess severity within 7 days
  • Provide status updates as we work on a fix
  • Credit you in our disclosure (unless you prefer to remain anonymous)

Our Encryption Model

bloodless.org uses client-side encryption (AES-256-GCM) for all Medical Directive content. The server stores only opaque encrypted blobs it cannot read. Our most critical security boundary is the browser — any vulnerability that could expose decrypted content in the DOM or bypass our Content Security Policy is treated with the highest severity.

Guidelines for Researchers

  • Do not access, modify, or delete other users' data
  • Do not attempt to access accounts that do not belong to you
  • Do not publicly disclose vulnerabilities before we have had a reasonable opportunity to address them
  • We will not pursue legal action against researchers who act in good faith and follow these guidelines