Vulnerability Disclosure Policy

In scope:

• surgic.ai and marcus.surgic.ai systems owned or controlled by surgicAI.
• Publicly reachable MARCUS application endpoints owned by surgicAI.
• Authentication, authorization, tenant isolation, and access-control issues.
• Exposure of non-public customer or user data.
• Vulnerabilities that could materially affect confidentiality, integrity, or availability.

Out of scope unless expressly authorized:

• Denial-of-service testing, physical attacks, social engineering, phishing, or spam.
• Testing third-party services not owned or controlled by surgicAI.
• Automated scanning that degrades service.
• Accessing, copying, modifying, deleting, or exfiltrating data that is not yours.

Please include a clear description, affected URL or component, steps to reproduce, potential impact, screenshots or proof-of-concept details with sensitive data removed, and your contact information.

Do not include PHI, credentials, secrets, or sensitive customer data in your report. If you accidentally access data that is not yours, stop testing immediately and report the issue.

We will not pursue legal action against good-faith security researchers who follow this policy, avoid privacy violations, avoid data destruction and service disruption, and do not publicly disclose the issue before coordinated review.

This safe harbor does not apply to extortion, threats, social engineering, phishing, physical attacks, denial-of-service attacks, malware, or actions that harm users, customers, or systems.

1. Acknowledge receipt.
2. Triage the report.
3. Request additional information if needed.
4. Investigate and validate the issue.
5. Remediate as appropriate.
6. Communicate resolution where appropriate.

We do not currently operate a paid bug bounty program unless separately announced in writing.