Security & Vulnerability Disclosure Policy
How to report security vulnerabilities in dicom.link services
Overview
Interactive Healthcare Technologies S.R.L. ("we", "us") operates dicom.link and its sub-services, which support clinical workflows involving medical imaging and all types of medical data, including Protected Health Information (PHI).
Our cloud-hosted services are built on the principle that plaintext patient data should never be observable on our side of the infrastructure. We implement industry-standard cryptographic algorithms and protocols to protect data in transit and at rest throughout our systems. Encryption is a foundational design requirement, not an afterthought, and it covers all medical data types we handle, not only DICOM imaging.
Some of our products are designed to run entirely on-premise, within a customer's own secure environment. In those deployments, data may exist in plaintext inside the customer's zone — this is appropriate and by design. The customer controls that infrastructure; we do not have visibility into it, even though it is our software running there.
Regardless of deployment model, we consider the security of our software and the responsible disclosure of vulnerabilities to be among the most critical aspects of our business. Clinical workflows depend on trust — in the integrity of images, in the confidentiality of patient records, and in the reliability of the systems that carry them. That trust is earned through transparency and rigorous security practice.
This policy describes how to report a vulnerability, what you can expect from us, and what we ask of security researchers in return. It is intended to be consistent with coordinated disclosure practices defined in ISO/IEC 29147.
Scope
The following systems and services are in scope for security research:
- dicom.link website and web application
- secure.dicom.link API endpoints
- DICOM viewer web application
- Authentication, session management, and authorization controls
- File upload, storage, and download handling
- License key generation and validation
- Official mobile and desktop applications distributed by Interactive Healthcare Technologies S.R.L.
The following are out of scope. Reports in these categories will not be actioned:
- Social engineering attacks against our staff, contractors, or users
- Physical attacks against our infrastructure or personnel
- Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks
- Attacks that require physical access to a user's device
- Third-party services, CDNs, or infrastructure providers we do not control
- Vulnerabilities in browser software itself (report those to the browser vendor)
- Theoretical vulnerabilities without a working proof of concept demonstrating real impact
- Issues found exclusively by automated scanners with no manual validation of exploitability
- Missing HTTP security headers on static assets or third-party resources
- Rate-limiting bypass findings that do not lead to meaningful data exposure or account compromise
How to Report
Send your report by email to support@dicom.link. For reports containing sensitive information (credentials, patient data, detailed exploit steps), please encrypt your message using our PGP key listed at the bottom of this page.
We do not operate a public bug-bounty program. We cannot guarantee monetary rewards, but we will acknowledge your contribution in this policy (see Acknowledgments) if you wish.
What to Include in Your Report
To help us triage quickly, please provide as much of the following as possible:
- A clear description of the vulnerability and the affected component or endpoint
- Step-by-step instructions to reproduce the issue
- The potential impact and the conditions required to exploit it
- Proof of concept: code, HTTP request/response captures, or screen recordings
- Your suggested severity estimate (critical, high, medium, low, informational)
- Your name or handle, and whether you consent to public acknowledgment
Reports that contain sufficient detail for us to reproduce and assess the issue will receive priority handling. Vague or speculative reports may be closed without action.
Our Commitments
When you submit a report that complies with this policy, we commit to the following:
- Acknowledgment: We will confirm receipt within 2 business days.
- Initial triage: We will assess severity and validity within 10 business days of acknowledgment.
- Critical issues (data exposure, authentication bypass, remote code execution): remediation target of 30 days.
- High-severity issues: remediation target of 60 days.
- Other issues: remediation target of 90 days.
- Coordinated disclosure: We will work with you on public disclosure timing. Our default embargo is 90 days from the date of initial report. We may request an extension for complex issues; you may request earlier disclosure if we miss agreed timelines without justification.
- Updates: We will keep you informed of remediation progress at agreed intervals.
Timelines begin on the date we receive a report with sufficient detail to triage. Timelines are targets, not guarantees; highly complex vulnerabilities may take longer.
Safe Harbor
We support responsible security research. If you conduct research in good faith and comply with this policy, we will:
- Not initiate or recommend civil or criminal legal action against you related to your research
- Work cooperatively with you to understand and resolve the issue
- Treat your report as confidential and not share your identity without your explicit consent
Safe harbor applies only to research activities covered by this policy. It does not extend to activities that cause harm to users, destruction of data, or disruption of services beyond what is strictly necessary to demonstrate a vulnerability.
We cannot provide safe harbor for activities that violate applicable law in jurisdictions outside Romania or the European Union. If you are uncertain whether your planned research complies with this policy, contact us before proceeding.
Researcher Expectations
In exchange for safe harbor, we ask that you:
- Access only data belonging to test accounts you control; do not access, copy, or modify real user data or patient records
- Do not exploit a vulnerability beyond the minimum required to demonstrate it
- Do not perform any action that degrades the availability or performance of our services for other users
- Do not perform social engineering, phishing, or physical security attacks
- Do not publicly disclose vulnerability details before we have remediated the issue or the agreed embargo period has expired
- Do not demand payment or other compensation as a condition of disclosure
- Contact us promptly if you inadvertently encounter real patient data during your research
Acknowledgments
We gratefully recognize the following security researchers who have responsibly disclosed vulnerabilities in our services:
No entries yet. Be the first.
PGP Key
Use this PGP public key to encrypt sensitive vulnerability reports sent to support@dicom.link. You can also retrieve the key directly at /.well-known/pgp-key.txt.
-----BEGIN PGP PUBLIC KEY BLOCK-----

xjMEaiM1ixYJKwYBBAHaRw8BAQdAANeFtmd4QOrLRPYuHIX+CFdtNV5Gu/Fk
CLm1TKE+2tDNJ2RpY29tLmxpbmsgU3VwcG9ydCA8c3VwcG9ydEBkaWNvbS5s
aW5rPsLAEwQTFgoAhQWCaiM1iwMLCQcJEPPuTlKGDQasRRQAAAAAABwAIHNh
bHRAbm90YXRpb25zLm9wZW5wZ3Bqcy5vcmcndQOuheAdHPJIZli9O3tz1njK
yXuZMuKye/4OErxLaQUVCggODAQWAAIBAhkBApsDAh4BFiEEBycWKUzKa5ao
VN9k8+5OUoYNBqwAAGynAP9aPoSWPU58LutsAiMpX17K1IzjtsxJqZvYgkSm
2ArgJgEA+2CEQhAV3g01gNT51g47kZBLvTF7xC6gCcY4gKI6FgHOOARqIzWL
EgorBgEEAZdVAQUBAQdA99b1ONoyACm/l08dqyzxDDOloIc52gx1PenLnFHy
UXADAQgHwr4EGBYKAHAFgmojNYsJEPPuTlKGDQasRRQAAAAAABwAIHNhbHRA
bm90YXRpb25zLm9wZW5wZ3Bqcy5vcmeBrVCOyCcj3d9ykOIASB1Z95PvA7HO
slIkDxWlNF9G9QKbDBYhBAcnFilMymuWqFTfZPPuTlKGDQasAAA93QEAlx1+
NaE7stmkurXYj5lVtHVlaZK47ITMMreCXmNn00wA/iFhdzgoHZGRsoamwFO6
nlc9fHJF3YS/wiRNZuOIrF8E
=MJ3z
-----END PGP PUBLIC KEY BLOCK-----
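Before encrypting a report to this key, a reporter should check that the copy they fetched (from this page or from /.well-known/pgp-key.txt) is intact and self-consistent: the armor CRC matches, the key packet's SHA-1 fingerprint equals the issuer fingerprint recorded in the key's own self-signatures, and the user ID names support@dicom.link. The following script is an added example, not a dicom.link tool; it is a minimal RFC 4880 armor and packet reader that assumes a v4 key with new-format packet headers and rejects partial body lengths rather than handling them. The armored key embedded in it is the one published above.

```python
# Added example, not a dicom.link tool. Minimal RFC 4880 reader: assumes a v4 key with
# new-format packet headers; partial body lengths are rejected rather than handled.
import base64
import hashlib

# Armored key exactly as published on the policy page (also at /.well-known/pgp-key.txt).
POLICY_KEY = """-----BEGIN PGP PUBLIC KEY BLOCK-----

xjMEaiM1ixYJKwYBBAHaRw8BAQdAANeFtmd4QOrLRPYuHIX+CFdtNV5Gu/Fk
CLm1TKE+2tDNJ2RpY29tLmxpbmsgU3VwcG9ydCA8c3VwcG9ydEBkaWNvbS5s
aW5rPsLAEwQTFgoAhQWCaiM1iwMLCQcJEPPuTlKGDQasRRQAAAAAABwAIHNh
bHRAbm90YXRpb25zLm9wZW5wZ3Bqcy5vcmcndQOuheAdHPJIZli9O3tz1njK
yXuZMuKye/4OErxLaQUVCggODAQWAAIBAhkBApsDAh4BFiEEBycWKUzKa5ao
VN9k8+5OUoYNBqwAAGynAP9aPoSWPU58LutsAiMpX17K1IzjtsxJqZvYgkSm
2ArgJgEA+2CEQhAV3g01gNT51g47kZBLvTF7xC6gCcY4gKI6FgHOOARqIzWL
EgorBgEEAZdVAQUBAQdA99b1ONoyACm/l08dqyzxDDOloIc52gx1PenLnFHy
UXADAQgHwr4EGBYKAHAFgmojNYsJEPPuTlKGDQasRRQAAAAAABwAIHNhbHRA
bm90YXRpb25zLm9wZW5wZ3Bqcy5vcmeBrVCOyCcj3d9ykOIASB1Z95PvA7HO
slIkDxWlNF9G9QKbDBYhBAcnFilMymuWqFTfZPPuTlKGDQasAAA93QEAlx1+
NaE7stmkurXYj5lVtHVlaZK47ITMMreCXmNn00wA/iFhdzgoHZGRsoamwFO6
nlc9fHJF3YS/wiRNZuOIrF8E
=MJ3z
-----END PGP PUBLIC KEY BLOCK-----
"""

def crc24(data: bytes) -> int:
    """Armor checksum (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def dearmor(text: str) -> tuple:
    """Return (raw packet bytes, True if the '=xxxx' CRC line matches them)."""
    lines = [l.strip() for l in text.splitlines()]
    inner = lines[lines.index("-----BEGIN PGP PUBLIC KEY BLOCK-----") + 1:
                  lines.index("-----END PGP PUBLIC KEY BLOCK-----")]
    data = [l for l in inner if l and ":" not in l and not l.startswith("=")]  # no headers/blank/CRC
    crc_line = next((l for l in inner if l.startswith("=")), None)
    raw = base64.b64decode("".join(data))
    crc_ok = crc_line is not None and int.from_bytes(base64.b64decode(crc_line[1:]), "big") == crc24(raw)
    return raw, crc_ok

def body_length(buf: bytes, pos: int, two_byte_max: int) -> tuple:
    """Decode a new-format length at buf[pos]; return (length, header bytes consumed)."""
    first = buf[pos]
    if first < 192:
        return first, 1
    if first < two_byte_max:
        return ((first - 192) << 8) + buf[pos + 1] + 192, 2
    if first == 255:
        return int.from_bytes(buf[pos + 1:pos + 5], "big"), 5
    raise ValueError("partial body lengths are not handled")

def packets(raw: bytes):
    """Yield (tag, body) for each new-format packet (RFC 4880 section 4.2.2)."""
    pos = 0
    while pos < len(raw):
        if (raw[pos] & 0xC0) != 0xC0:
            raise ValueError("only new-format packet headers are handled")
        length, used = body_length(raw, pos + 1, 224)  # 224..254 would be partial lengths
        yield raw[pos] & 0x3F, raw[pos + 1 + used:pos + 1 + used + length]
        pos += 1 + used + length

def subpackets(area: bytes):
    """Yield (type, data) for signature subpackets; the critical bit is stripped from the type."""
    pos = 0
    while pos < len(area):
        length, used = body_length(area, pos, 255)  # length counts the type byte
        yield area[pos + used] & 0x7F, area[pos + used + 1:pos + used + length]
        pos += used + length

def issuer_fingerprint(sig_body: bytes):
    """Issuer Fingerprint subpacket (type 33) from a v4 signature's hashed area, or None."""
    hashed_len = int.from_bytes(sig_body[4:6], "big")
    for sub_type, data in subpackets(sig_body[6:6 + hashed_len]):
        if sub_type == 33 and data[0] == 4:
            return data[1:21].hex().upper()
    return None

def inspect_key(armored: str) -> dict:
    """Collect the values worth comparing (fingerprint, user ID, algorithm) and self-check them."""
    raw, crc_ok = dearmor(armored)
    info = {"crc_ok": crc_ok, "tags": [], "user_ids": [], "self_sig_fingerprints": []}
    for tag, body in packets(raw):
        info["tags"].append(tag)
        if tag == 6:  # primary public key: version(1) created(4) algorithm(1) key material
            info["version"], info["created"], info["algorithm"] = body[0], int.from_bytes(body[1:5], "big"), body[5]
            # v4 fingerprint: SHA-1 over 0x99, a two-byte length and the packet body (RFC 4880 12.2)
            info["fingerprint"] = hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()
            info["key_id"] = info["fingerprint"][-16:]  # long key ID = low 64 bits of the fingerprint
        elif tag == 13:  # user ID
            info["user_ids"].append(body.decode("utf-8"))
        elif tag == 2 and (fpr := issuer_fingerprint(body)):  # user-ID self-sig or subkey binding
            info["self_sig_fingerprints"].append(fpr)
    sigs = info["self_sig_fingerprints"]
    info["self_consistent"] = crc_ok and bool(sigs) and all(f == info["fingerprint"] for f in sigs)
    return info

if __name__ == "__main__":
    print(inspect_key(POLICY_KEY))
```

Run it against the copy you actually downloaded (replace the embedded text or read it from a file) and compare the printed fingerprint with the one your OpenPGP tool shows after importing the key; a CRC failure, a fingerprint that disagrees with the self-signatures, or a user ID other than support@dicom.link means the copy is damaged or not the key this page publishes, and the sensible course is to contact support@dicom.link before sending anything encrypted to it.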