BlinkLab coordinated vulnerability disclosure statement

Last updated: June 2026

BlinkLab takes the security of all our products, services, and infrastructure seriously. The security and integrity of every system we operate — whether it processes regulated, sensitive, or routine data — is part of how we earn the trust of our customers, partners, and the research community.

This page describes how we work with the security research community, customers, partners, and the public to identify and address cybersecurity vulnerabilities in any of our systems. We welcome reports from anyone who believes they have found a security issue affecting BlinkLab. Please see the Scope section below for the systems covered by this policy.

How to report a vulnerability

If you believe you have identified a security vulnerability, please email us at: security@blinklab.org

Where possible, please include:

  • A description of the vulnerability and its potential impact
  • The BlinkLab product, component, or service affected, with the URL, app name, or API endpoint where applicable
  • Steps to reproduce, including any proof-of-concept code, screenshots, or network captures
  • A way for us to contact you if we have follow-up questions

Reports submitted in English are preferred to avoid translation delays.

Anonymous reports are accepted, but anonymous reporting limits our ability to ask clarifying questions or to acknowledge your work.

Encrypted reports. We kindly ask you to encrypt your report in transit. Our PGP public key is available at [PGP KEY FILE HERE] and has the fingerprint:

36DC FFC1 9CD5 AF97 1D6B  D403 A8B7 1088 2BF9 6F9C

Please verify the fingerprint after importing the key. The key is also discoverable via keys.openpgp.org under the address security@blinklab.org.
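The fetch-and-verify step described above, as an added example that is not BlinkLab's own tooling: it retrieves the key from keys.openpgp.org by its full fingerprint, reads the imported key's fingerprint back from gpg's machine-readable output, compares it with the value published on this page, and only then encrypts a report file to that key. The script assumes a working gpg 2.x installation and network access to the keyserver; the file name and output path are the caller's choice.

```bash
#!/bin/sh
# Added example (not BlinkLab's tooling): fetch the security@blinklab.org key,
# confirm its fingerprint matches the published one, then encrypt a report.
set -eu

# Fingerprint exactly as published on the disclosure page, spaces removed.
EXPECTED_FPR="36DCFFC19CD5AF971D6BD403A8B710882BF96F9C"
KEYSERVER="hkps://keys.openpgp.org"
REPORT_ADDRESS="security@blinklab.org"

# normalize_fpr STRING: drop whitespace and upper-case, so the spaced form
# printed on the page and gpg's compact form compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr '[:lower:]' '[:upper:]'
}

# fingerprint_matches EXPECTED CANDIDATE: exit 0 only if both name the same key.
fingerprint_matches() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# imported_fingerprint KEYID: print the full fingerprint gpg holds for KEYID,
# taken from --with-colons output (field 10 of the "fpr" record) rather than
# from the human-readable listing, which varies between gpg versions.
imported_fingerprint() {
    gpg --batch --with-colons --fingerprint "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# fetch_and_verify: import by fingerprint (keys.openpgp.org answers fingerprint
# lookups even when the e-mail identity has not been verified there), then
# check that what landed in the keyring is the key the page advertises.
fetch_and_verify() {
    gpg --batch --keyserver "$KEYSERVER" --recv-keys "$EXPECTED_FPR"
    actual="$(imported_fingerprint "$EXPECTED_FPR")"
    if fingerprint_matches "$EXPECTED_FPR" "$actual"; then
        echo "OK: key for $REPORT_ADDRESS matches the published fingerprint"
    else
        echo "MISMATCH: expected $EXPECTED_FPR, got ${actual:-<none>}" >&2
        return 1
    fi
}

# encrypt_report FILE: encrypt only after the fingerprint check passes. The
# recipient is named by full fingerprint, not by e-mail address, so a
# look-alike user ID on the keyserver cannot be selected by mistake. The
# out-of-band fingerprint comparison above is the trust decision, which is why
# --trust-model always is acceptable for this single invocation.
encrypt_report() {
    fetch_and_verify
    gpg --batch --armor --trust-model always --encrypt \
        --recipient "$EXPECTED_FPR" --output "$1.asc" "$1"
    echo "wrote $1.asc"
}

# Usage: ./verify_blinklab_key.sh report.txt   (writes report.txt.asc)
if [ "${1:-}" ]; then
    encrypt_report "$1"
fi
```

Comparing against the published fingerprint, rather than trusting whatever the keyserver returns for the address, is the point of the exercise: the keyserver lookup gives you a key, the fingerprint on this page tells you whether it is the right one.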

What you can expect from us

When you submit a report under this policy, BlinkLab will:

  1. Acknowledge receipt within two business days.
  2. Provide an initial substantive assessment within ten business days, including whether we have been able to reproduce the issue and an indication of severity.
  3. Keep you informed as we investigate and develop a fix. We will provide status updates at least every two weeks while an investigation is active.
  4. Coordinate the timing and content of any public disclosure with you.
  5. Credit you for the discovery in any public communication about the issue, if you wish to be named.

We aim to remediate confirmed vulnerabilities within the following timeframes, measured from the date the vulnerability is confirmed by BlinkLab:

Severity   Target remediation
Critical   Within 30 days
High       Within 90 days
Medium     In the next scheduled product release
Low        Tracked and addressed during routine maintenance

We will inform you when a fix is in place and will work with you on coordinated public disclosure where appropriate.

Scope

This policy applies to the following BlinkLab products and services:

  • All BlinkLab mobile applications distributed through public app stores
  • All BlinkLab web applications and supporting web services hosted at *.blinklab.org
  • BlinkLab-operated cloud and backend infrastructure that supports any of the above
  • The BlinkLab corporate website at blinklab.org

The following are out of scope under this policy:

  • Vulnerabilities in third-party services we use (for example, Auth0, AWS, or Sentry). Please report these directly to the relevant vendor; you may copy us for awareness.
  • Social engineering of BlinkLab staff, customers, or partners.
  • Physical attacks against BlinkLab facilities or staff.
  • Denial-of-service or volumetric attacks against our infrastructure.
  • Reports based purely on automated scanner output without demonstrated impact.

Safe harbor

BlinkLab will not pursue or support legal action against security researchers who:

  • Make a good-faith effort to comply with this policy.
  • Avoid privacy violations, data destruction, and interruption or degradation of our services.
  • Do not test against production systems with active users. Use test, staging, or demonstration environments where available.
  • Do not access, modify, or exfiltrate user, customer, or partner data of any kind, and limit any incidental access to the minimum necessary to demonstrate the vulnerability.
  • Do not include real personal data, health information, or other sensitive information in your report. If you encounter such data during testing, do not access, capture, or transmit it beyond what is strictly necessary to demonstrate the vulnerability, and redact it from screenshots, recordings, or proof-of-concept code before submission.
  • Give us reasonable time to remediate before public disclosure.

We consider research conducted in accordance with this policy to be authorized. If a third party initiates legal action against you for activity conducted under this policy, we will take reasonable steps to make clear that your actions were authorized.

Coordinated disclosure

BlinkLab follows the coordinated vulnerability disclosure principles described in ISO/IEC 29147 and ISO/IEC 30111. We will work with you to agree on a disclosure timeline that takes into account the severity of the issue, the availability of mitigations, and the time required to deploy a fix to affected installations.

Our default expectation is that vulnerabilities will be publicly disclosed no later than 90 days after the initial report, or sooner if a fix is deployed and both parties agree. We are open to discussion if a different timeline is appropriate for a specific issue.

Recognition

With your permission, we acknowledge researchers who responsibly disclose vulnerabilities to BlinkLab. If you would like to be named, please indicate this in your initial report. We will not name you without your explicit consent.

Reporting to regulators

Where a vulnerability affects a BlinkLab product or service that is subject to regulatory oversight, BlinkLab will notify the relevant regulators in accordance with the applicable post-market obligations.

Legal

By submitting a report under this policy, you acknowledge that the information you provide is non-confidential and non-proprietary. BlinkLab retains unrestricted rights to use, reproduce, and act upon the information submitted, including for remediation, disclosure, and regulatory notification. Submission of a report under this policy does not establish any contractual, employment, or compensation relationship between you and BlinkLab.

Contact

For all security-related communications, including vulnerability reports and questions about this policy: security@blinklab.org

For non-security inquiries, please use our general contact channels.