Lifeyear OÜ – Vulnerability Disclosure Policy

Effective Date: 17 April 2026

Lifeyear OÜ is committed to maintaining the security of its platform and services. We welcome reports from security researchers, healthcare professionals, and members of the public who identify potential vulnerabilities in our products.

This Vulnerability Disclosure Policy (VDP) sets out how to report a security vulnerability to us, what we will do with your report, and what you can expect from us.

1. Scope

This policy applies to the following Lifeyear products:

  • Lifeyear Patient Mobile Application
  • Lifeyear Specialist Dashboard

2. How to Report a Vulnerability

Please submit vulnerability reports by email to security@lifeyear.com. Reports are treated confidentially.

To help us assess and respond to your report, please include as much of the following as possible:

  • A description of the vulnerability and the potential impact.
  • The product or component affected.
  • Steps to reproduce the issue, including any relevant URLs, screenshots, or proof-of-concept code.
  • Your contact details, if you are willing to be contacted for follow-up.

3. Our Commitments

When you report a vulnerability to us in good faith, we commit to:

  • Acknowledging receipt of your report within 5 working days.
  • Investigating the issue promptly and keeping you informed of our progress.
  • Prioritising and addressing confirmed vulnerabilities in accordance with our vulnerability management process.
  • Notifying you when the vulnerability has been resolved, where you have provided contact details.

4. Out of Scope

The following are outside the scope of this policy:

  • Denial-of-service attacks or any testing that could degrade or disrupt our services.
  • Social engineering or phishing attacks against Lifeyear staff.
  • Physical security vulnerabilities.
  • Vulnerabilities in third-party services not under Lifeyear's direct control.

5. Responsible Disclosure

We ask that you:

  • Do not access, modify, or delete data belonging to other users.
  • Do not publicly disclose the vulnerability before we have had a reasonable opportunity to address it.
  • Act in good faith to avoid harm to Lifeyear, its users, and its partners.

6. Contact

Security reports: security@lifeyear.com

Lifeyear OÜ, Valukoja tn 10, 11415 Tallinn, Estonia