Security

Responsible Disclosure

We welcome reports of suspected security vulnerabilities. This page describes how to reach us and what to expect when you do.

Last updated: 27 April 2026

Security contact: security@silverguard.ai
Machine-readable policy: /.well-known/security.txt

Scope

This policy covers public-facing assets operated by SilverGuard Technologies Limited, including:

  • silverguard.ai and its subdomains
  • Public APIs that we publish under those domains
  • Mobile or downloadable artefacts that we distribute publicly

Customer-deployed environments and operator-managed care-home networks are out of scope and must not be tested without explicit, written authorisation from the operator.

How to report

Email security@silverguard.ai with:

  • A clear description of the issue and its potential impact;
  • Steps to reproduce, including affected URL(s) and timestamps;
  • Any proof-of-concept material (text, screenshots, short clips);
  • Your preferred name or handle for credit, if you would like it.

You may write in English, Traditional Chinese (繁體中文), or Simplified Chinese (简体中文).

What to expect

  • Acknowledgement within five (5) business days.
  • An initial assessment and indicative timeline within fifteen (15) business days.
  • A coordinated disclosure window agreed with the reporter.
  • Public credit on request, once the issue is verified and fixed.

Safe harbour

We will not pursue legal action against good-faith security research that complies with this policy, that avoids privacy violations, service degradation, and data destruction, and that does not access or attempt to access resident, family, or operator data.

Out of scope

  • Volumetric, denial-of-service, or stress-test activity;
  • Social-engineering or phishing of staff, partners, operators, residents, or families;
  • Physical attempts against offices, devices, or care-home premises;
  • Issues requiring already-compromised devices or rooted clients;
  • Reports that rely solely on missing best-practice headers without demonstrable impact, low-impact informational findings (e.g. version disclosure with no CVE), or theoretical issues without a working proof-of-concept.

Please be careful with personal data. If you encounter what appears to be personal data during research, stop, do not download or share it, and notify us immediately at security@silverguard.ai.

We do not currently operate a paid bug-bounty programme. We sincerely appreciate researchers who choose to report responsibly.