Security at HomecareCopilot

Effective Date: January 11, 2025
Last Updated: January 11, 2025

Elk Lake Labs LLC, doing business as HomecareCopilot ("we," "us," or "our"), takes the security of our platform and our users' data seriously. This page explains how we handle security issues and how you can help us keep HomecareCopilot secure.

Reporting Security Issues

If you discover a security vulnerability or have concerns about the security of HomecareCopilot, please email us at:

security@homecarecopilot.app

We'll respond within 3 business days to acknowledge your report and begin our investigation.

What to Include in Your Report

To help us understand and address the issue quickly, please include:

  • Description: What's the vulnerability or security concern?
  • Location: Where did you find it? (URL, API endpoint, specific feature)
  • Impact: What could happen if this were exploited?
  • Steps to Reproduce: Numbered steps we can follow to see the issue
  • Supporting Evidence: Screenshots, videos, or proof-of-concept code (if helpful)
  • Your Contact Info: Name and email so we can follow up (optional for anonymous reports)

Example:

Subject: Authorization issue in profile update API

Description: The profile update endpoint accepts a user ID from the client and does not check that it matches the logged-in user
Location: https://homecarecopilot.app/api/profile/update
Impact: Any logged-in user could modify other users' profiles
Steps to reproduce:
1. Log in as User A
2. Send a request to /api/profile/update with User B's ID in the request body
3. Observe that User B's profile is modified

Contact: jane@example.com

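
The example report above describes broken object-level authorization: the endpoint picks the row to update from a client-supplied ID instead of from the authenticated session. The following is an added illustration of that bug class and its fix, not code from HomecareCopilot or from this page; the in-memory store, the session shape ({ userId }) and the handler signatures are assumptions made for the example.

```javascript
// Added illustration of the bug class in the example report: an update
// endpoint that takes the target user ID from the client (broken object-level
// authorization). NOT HomecareCopilot's code; the in-memory store, the session
// shape ({ userId }) and the handler signatures are assumptions.

// Constructed sample data: a fresh store per call so runs are independent.
function makeStore() {
  return new Map([
    ["user_a", { id: "user_a", displayName: "Alice", role: "caregiver" }],
    ["user_b", { id: "user_b", displayName: "Bob", role: "caregiver" }],
  ]);
}

// Fields a user may change on their own profile. Everything else in the
// request body (e.g. "role") is dropped, which also blocks mass assignment.
const UPDATABLE_FIELDS = ["displayName"];

// VULNERABLE: the row to update is chosen by body.id, which the caller
// controls, so any logged-in user can rewrite any other user's profile.
function updateProfileVulnerable(store, session, body) {
  if (!session || !session.userId) return { status: 401 };
  const target = store.get(body.id);
  if (!target) return { status: 404 };
  Object.assign(target, body); // also copies role, id, anything else sent
  return { status: 200, profile: target };
}

// HARDENED: the row to update is derived from the authenticated session.
// A body.id that disagrees with the session is rejected rather than silently
// ignored, so the attempt is visible as a 403 in request logs. Only
// allow-listed fields are copied onto the stored profile.
function updateProfileHardened(store, session, body) {
  if (!session || !session.userId) return { status: 401 };
  if (body.id !== undefined && body.id !== session.userId) {
    return { status: 403 };
  }
  const target = store.get(session.userId);
  if (!target) return { status: 404 };
  for (const field of UPDATABLE_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(body, field)) {
      target[field] = body[field];
    }
  }
  return { status: 200, profile: target };
}

// Replays the report's three steps against a handler: log in as User A,
// submit User B's ID, then check whether User B's profile changed.
function reproduce(handler) {
  const store = makeStore();
  const sessionA = { userId: "user_a" };
  const res = handler(store, sessionA, {
    id: "user_b",
    displayName: "changed by A",
    role: "admin",
  });
  const bob = store.get("user_b");
  return { status: res.status, bobName: bob.displayName, bobRole: bob.role };
}
```

Calling reproduce(updateProfileVulnerable) returns status 200 with User B's display name (and role) rewritten; reproduce(updateProfileHardened) returns 403 and leaves User B untouched. The two properties worth checking in any such fix are that the target object is never selected by a client-supplied identifier, and that only an explicit allow-list of fields is written, since the same request body that carries a wrong ID often carries privileged attributes too.
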
What We're Looking For

We appreciate reports about:

Security Vulnerabilities

  • Authentication or authorization bypasses
  • SQL injection, XSS, or CSRF vulnerabilities
  • Sensitive data exposure
  • Security misconfigurations
  • API security issues
  • Session management problems

Privacy Concerns

  • Unintended data exposure
  • Missing data access controls
  • Privacy policy violations

Our Response Process

Here's what happens when you report a security issue:

1. We Acknowledge Your Report

Timeline: Within 3 business days

We'll send you an email confirming we received your report and provide a tracking reference.

2. We Investigate

Timeline: Within 7 business days

We'll review your report, attempt to reproduce the issue, and assess its severity and impact.

3. We Keep You Updated

Timeline: Every 2 weeks

We'll send you progress updates until the issue is resolved, even if it's just "we're still working on it."

4. We Fix the Issue

Timeline: Based on severity

  • Critical issues (authentication bypasses, vulnerabilities exposing user data): 30 days
  • High-priority issues (XSS, data exposure): 60 days
  • Medium-priority issues (CSRF, misconfigurations): 90 days
  • Low-priority issues (minor improvements): As schedule permits

These are targets, not guarantees. Complex issues may take longer, but we'll communicate openly about timelines.

5. We Credit You (If You Want)

Once we've fixed the issue, we'll add you to our Security Acknowledgments page (if you'd like to be recognized). Just let us know:

  • How you'd like to be credited (name or handle)
  • Whether you want a link to your website, GitHub, or social media

If you prefer to remain anonymous, we'll keep your contribution private.

Safe Harbor for Security Researchers

We consider good-faith security research conducted according to these guidelines to be authorized and lawful. This safe harbor covers only the systems we operate; it cannot authorize testing of the third-party services listed under Scope, which are governed by their own policies. If you report vulnerabilities responsibly, we commit to:

  • No legal action: We won't pursue legal action against you
  • No law enforcement: We won't report you to law enforcement
  • Good faith response: We'll work with you professionally to address the issue
  • Recognition: We'll acknowledge your contribution (if you want)

This protection applies when you:

  • Follow the guidelines on this page
  • Don't harm our users or systems
  • Report issues promptly and privately
  • Give us reasonable time to fix issues before public disclosure (90 days is standard)

Scope

What's In Scope

HomecareCopilot Application:

  • https://homecarecopilot.app (and all subdomains)
  • All API endpoints under /api/*
  • Authentication and authorization systems
  • Data access controls

Marketing Website:

  • https://tryhomecarecopilot.com (and all subdomains)
  • Contact forms and public-facing features

What's Out of Scope

Third-Party Services:

These are managed by other companies. Please report issues directly to them:

  • Clerk (authentication): https://clerk.com/security
  • Supabase (database): https://supabase.com/security
  • Vercel (hosting): https://vercel.com/security
  • OpenPhone (telephony): https://www.openphone.com/security
  • Stripe (payments): https://stripe.com/docs/security

Testing Methods:

  • Denial of Service (DoS) attacks
  • Social engineering or phishing
  • Physical security testing
  • Automated scanning without analysis

Not Vulnerabilities:

  • Issues in third-party services (report to them)
  • Theoretical vulnerabilities without proof
  • Known public vulnerabilities we're already fixing
  • Minor issues with no security impact

Unsure? Ask First

If you're not sure whether something is in scope, email us before testing:

security@homecarecopilot.app

We'll respond within 3 business days to clarify.

Guidelines for Responsible Research

Please DO:

  • Report promptly: Let us know as soon as you find something
  • Provide details: Give us enough information to reproduce and fix the issue
  • Respect privacy: Don't access or modify user data beyond what's necessary to demonstrate the vulnerability
  • Use test accounts: Create your own accounts for testing
  • Give us time: Allow 90 days to fix issues before public disclosure
  • Be patient: We're a small team working to resolve issues as quickly as possible

Please DON'T:

  • Access user data: Don't view, download, modify, or delete user data
  • Disrupt service: Don't perform DoS attacks or high-volume automated testing
  • Disclose publicly: Don't share the vulnerability before we've fixed it
  • Pivot to other systems: Don't use a vulnerability to access other systems
  • Submit automated scans: Review and validate findings before reporting

If You Accidentally Access Sensitive Data

If you encounter personal information, financial data, or other sensitive data during testing:

  1. Stop immediately
  2. Email us right away: security@homecarecopilot.app
  3. Delete any data you accessed
  4. Don't share it with anyone
  5. Be transparent about what happened

We'll work with you constructively—honest mistakes happen in security research.

Incident Response

How We Handle Security Incidents

When we become aware of a security incident (either through a report or our own monitoring), here's our process:

1. Initial Response

  • Acknowledge and document the incident
  • Assess the severity and potential impact
  • Begin investigation to understand the scope

2. Containment

  • Take immediate steps to prevent further unauthorized access
  • Preserve evidence for investigation
  • Implement temporary fixes if needed

3. Investigation

  • Analyze system logs and access patterns
  • Determine what happened, when, and what was affected
  • Identify the root cause

4. Resolution

  • Develop and test a permanent fix
  • Deploy the fix to production
  • Verify the issue is resolved

5. Notification

If personal data is involved, we'll notify affected users within 72 hours via:

  • Email to affected accounts
  • In-app notification on next login
  • Blog post (for incidents affecting many users)

We also comply with applicable data breach notification laws (GDPR, CCPA, etc.).

6. Post-Incident Review

  • Document what happened and how we responded
  • Identify improvements to prevent similar incidents
  • Update our security measures and processes

Our Commitment to Transparency

We believe in being transparent about security issues:

  • We'll communicate clearly with affected users
  • We'll explain what happened and what we're doing about it
  • We'll share what we learned (without compromising security)
  • We'll be honest about our mistakes and how we're improving

Contact Information

Security Issues

Email: security@homecarecopilot.app

Response Time: Within 3 business days

General Support

Email: support@homecarecopilot.app

Response Time: Within 1-2 business days

Company Information

Elk Lake Labs LLC dba HomecareCopilot

Website: https://tryhomecarecopilot.com

Related Policies

Thank You

We appreciate the security research community's efforts to help us maintain a secure platform. Your responsible disclosure helps protect the families and caregivers who depend on HomecareCopilot.

A Note About Our Size

We're a small, founder-led team. We take security seriously and respond as quickly as we can, but we may not be as fast as larger companies with dedicated security teams. We appreciate your patience and understanding as we work to address security issues responsibly.

This security policy was last updated on January 11, 2025 and is effective as of January 11, 2025.

This security policy is part of our commitment to protecting our users. We update it periodically to reflect our evolving security practices.