
This site is currently implementing core features and is not ready for patient use yet.

Security — Responsible Disclosure

We take security seriously. Help us keep travel health data safe.

In Scope

  • medova.health
  • API routes at medova.health
  • Next.js application (frontend + API routes)
  • Supabase REST API (anon-key endpoints)

Out of Scope

  • Hetzner hosting infrastructure (managed by provider)
  • Third-party services (Supabase cloud, Stripe, Google Maps)
  • DoS / DDoS attacks
  • Social engineering
  • Physical security

Rules of Engagement

  • Do NOT destroy production data
  • Do NOT attack availability (DoS/DDoS)
  • Do NOT access other users' accounts without their consent
  • Test only on your own test account
  • Report findings to office@medova.health before public disclosure

What We Want to Find

  • SQL Injection, XSS (stored/reflected), CSRF
  • Authentication bypass, privilege escalation
  • Insecure Direct Object Reference (IDOR)
  • Exposed secrets / API keys in frontend
  • Misconfigured CORS, missing security headers
  • Rate limiting bypass
  • Open redirects

Rewards

Medova is a pre-revenue project. We offer:

  • Public Hall of Fame on our website (name/handle + finding description)
  • LinkedIn Recommendation from the CEO (for significant findings)
  • Portfolio reference for the researcher
  • Video call: architecture Q&A session
  • For critical CVEs: long-term recognition as security contributor

Process

  1. Send a report to office@medova.health
  2. Acknowledgment within 48 hours
  3. Severity assessment and verification within 7 days
  4. Fix and feedback within 30 days (Critical/P0: 7 days)
  5. Hall of Fame recognition after fix is deployed

Severity Classification

Level      Example
Critical   RCE, full auth bypass, PII data leak
High       Privilege escalation, IDOR to other users' data
Medium     Stored XSS, CSRF on critical actions
Low        Missing headers, open redirect, info disclosure

Security Infrastructure

  • 858+ Row-Level Security (RLS) policies on Supabase
  • Content Security Policy (CSP) with strict directives
  • HSTS with preload (2-year max-age)
  • Fail-closed rate limiting (Upstash Redis)
  • ISO 27001 ISMS documentation (certification target: 2026-12)
  • GDPR/DSGVO compliant (EU data processing)

Hall of Fame

Be the first to earn a spot here. Report a vulnerability to get recognized.