Security & Vulnerability Disclosure

Last updated: June 30, 2026

Our Security Commitment

At Sycana Health AI LLC, we take the security of the CredVault platform and our users' data seriously. Healthcare credential data, provider identifiers, and organizational information require strong protections, and we continuously invest in safeguarding them.

We welcome the assistance of the security research community in identifying potential vulnerabilities. This policy outlines guidelines for responsible disclosure and what you can expect from us in return.

Scope

This policy applies to the following systems and services:

  • The CredVault web application at https://getcredvault.com and all subdomains under *.getcredvault.com;
  • The CredVault API at https://api.getcredvault.com;
  • Mobile applications distributed under the CredVault name (if applicable);
  • Publicly accessible source code repositories owned by Sycana Health AI LLC.

The following are out of scope:

  • Third-party services used by CredVault (AWS, Resend, Twilio, Stripe, AI parsing services); report issues directly to those providers;
  • Physical security attacks, social engineering, phishing, or denial-of-service attacks;
  • Self-XSS, cookie reuse without demonstrated impact, or missing HTTP headers that do not result in a demonstrable security risk.

Reporting a Vulnerability

If you believe you have found a security vulnerability, please report it to us immediately by emailing security@sycana.com. We encourage the use of our PGP key for encrypted reports (available on request).

Please include the following details in your report:

  • Type of vulnerability (e.g., XSS, SQL injection, authentication bypass);
  • Steps to reproduce the issue — concise, clear, and actionable;
  • Affected URL(s), endpoint(s), or component(s);
  • Proof of concept or exploit code (if available and safe to share);
  • Your contact information for follow-up questions;
  • Any relevant screenshots, logs, or network traffic captures.

What We Promise

If you report a vulnerability in accordance with this policy, we commit to:

  • Acknowledgment: We will acknowledge receipt of your report within 3 business days;
  • Investigation: We will investigate and validate the reported issue as quickly as possible;
  • Timeline: We will provide an estimated remediation timeline within 10 business days of validation;
  • Communication: We will keep you informed of progress toward resolution;
  • Recognition: With your permission, we will publicly acknowledge your contribution in our security acknowledgments section;
  • Safe Harbor: We will not pursue legal action against individuals who report vulnerabilities in good faith and in compliance with this policy;
  • No retaliation: We will not retaliate against good-faith security research.

Safe Harbor

We consider security research conducted in accordance with this policy to be:

  • Authorized under the Computer Fraud and Abuse Act (CFAA) and similar state and international laws;
  • Exempt from any prohibitions in our Terms of Service that would otherwise restrict security testing;
  • Carried out in good faith and in the public interest.

You are expected to:

  • Make a good-faith effort to avoid privacy violations, destruction of data, and interruption or degradation of the Service;
  • Not access or modify data that does not belong to you without explicit authorization;
  • Not exploit a vulnerability beyond what is necessary to demonstrate the issue;
  • Delete any data accessed during research once the vulnerability is confirmed and reported;
  • Report vulnerabilities promptly and not disclose them publicly until we have had a reasonable opportunity to remediate (typically 90 days from acknowledgment).

Remediation & Disclosure Timeline

We follow these target timelines:

  • Critical/High severity: Remediation within 14 days of validation;
  • Medium severity: Remediation within 30 days of validation;
  • Low severity: Remediation within 90 days of validation.

After remediation, we will coordinate public disclosure with the reporter. We generally allow public disclosure 90 days after remediation is complete, or earlier if the vulnerability poses active risk to users.

Security Measures in Place

The CredVault platform is protected by the following security measures:

  • All traffic is encrypted in transit using TLS 1.2+;
  • Data at rest is encrypted using AES-256;
  • Sensitive provider identifiers are encrypted at the application field level;
  • Authentication is JWT-based with per-user token versioning and role-based access control;
  • All credential and provider modifications are logged to an append-only audit trail;
  • CSRF protection via token-based validation on all state-changing requests;
  • Rate limiting on authentication and API endpoints;
  • Automated dependency scanning for known vulnerabilities;
  • Infrastructure hosted on AWS with security groups, VPC isolation, and automated patching.

Contact

To report a security vulnerability, email security@sycana.com. For all other security-related questions, contact hello@sycana.com.