Security Posture

Enterprise-grade security for critical care infrastructure.

Platform security, responsible disclosure, access control, auditability and resilience help protect customers and the people they support.

Responsible vulnerability disclosure

If you believe you have found a security issue affecting Intoku or a Care3 Labs-owned service, report it responsibly so we can investigate and respond.

Email security team: security@care3labs.co.uk

Security Workflow

Reporting Guidelines

Follow our reporting and testing guidelines to ensure your research is safe, proportionate, and non-disruptive.

How to report

Email the security team with a clear summary of the issue, affected system, safe steps to reproduce, potential impact, and any supporting evidence.

What to include

Affected product/domain, clear description, safe reproduction steps, potential impact, and your contact details.

Report Received → Under Triage → Remediation Planned

What you can expect

Acknowledgement, initial triage, prioritisation based on risk, and confirmation when the issue has been resolved.

Responsible testing rules

Do not access or modify customer data, perform DoS attacks, or use social engineering. Stop testing if you encounter sensitive data.

Scope boundaries

Please respect the indicative scope boundaries below. Out-of-scope testing may be treated as a security incident.

In scope
  • Care3 Labs public website
  • Intoku public website
  • Care3 Labs-owned domains
  • Intoku-owned application surfaces where testing is safe and non-disruptive
Out of scope
  • denial-of-service testing
  • social engineering
  • physical security testing
  • third-party services
  • customer environments
  • access to personal or service-user data unless explicitly authorised in writing

Good-faith reporting

We aim to review responsible reports fairly and constructively. Where a report is made in good faith and testing is safe, proportionate and non-disruptive, we will work with you to understand the issue and confirm when it has been resolved.

security.txt

We publish a security.txt file to make our vulnerability reporting route easy to find for security researchers and customers.

Security researchers can contact us through the Care3 Labs security contact form or use our published security.txt file.

  • Contact: security@care3labs.co.uk
  • Policy: /resources/security-posture
  • Preferred language: English
  • Canonical: /.well-known/security.txt

This page provides a high-level overview of Intoku’s security posture and responsible vulnerability disclosure process. It does not create a legal agreement, warranty, bug bounty programme, or authorisation to perform intrusive testing. Responsible disclosure wording, scope, safe harbour language, and contact routes should be reviewed by Intoku’s security and UK legal advisers before publication.