We build safeguarding infrastructure. We take security seriously. If you find a vulnerability, we want to hear from you.
The following assets are covered by this policy. Researchers who discover vulnerabilities in in-scope assets and follow this policy will receive our full cooperation and recognition.
- *.talastar.digital subdomains
- *.polsia.app/api/v1/*

TalaStar Digital Ltd supports safe security research. We will not pursue civil or criminal action against researchers who follow this policy in good faith.
We consider security research conducted under this policy to be:
✔ Authorised under the Computer Misuse Act 1990 and equivalent legislation, provided research stays within scope and follows this policy.
✔ Exempt from DMCA anti-circumvention provisions to the extent the research is necessary to identify and report a vulnerability.
✔ Conducted in good faith — we will work with you to understand and resolve the issue quickly, and will not take action against researchers for accidental, good-faith violations.
If you are uncertain whether your research qualifies under this safe harbor, contact us before proceeding: security@talastar.digital
This safe harbor statement is based on the Disclose.io model safe harbor.
Conditions for safe harbor to apply:
Send your report via email to security@talastar.digital. Please include as much detail as possible: affected asset, steps to reproduce, impact assessment, and any proof-of-concept code.
Encrypt sensitive vulnerability reports with our security team’s public key. The key is also available at /.well-known/pgp-key.txt.
PGP fingerprint: 3C40 030F 316B D2AC 987F 9925 D51F CA08 6001 78E8
We follow a 90-day coordinated disclosure standard. The timeline begins from the date we confirm receipt of a valid, reproducible report.
1. You submit your report. The clock starts when we confirm receipt.
2. We confirm receipt within 72 hours and begin triage. You receive an initial severity assessment within 7 days.
3. For critical and high severity issues we aim to patch within 30 days. We’ll keep you updated on progress.
4. Medium and low severity issues are remediated within 90 days. We notify you when the patch is live.
5. After remediation or at Day 90 (whichever comes first), you are free to publish. We may request a brief extension for critical infrastructure findings affecting NHS or clinical systems — this is always negotiated, never imposed.
If we cannot reproduce a vulnerability or need more time on a critical infrastructure finding, we will negotiate in good faith. We will never use a deadline extension to avoid accountability.
The following activities are not authorised under this policy and will not be covered by safe harbor:
- Do not run automated scanners (Burp, Nuclei, sqlmap) against production systems at a rate that degrades availability. Use targeted, low-rate requests only.
- Do not access, download, or exfiltrate data belonging to other users. Stop at proof-of-concept — demonstrate the vulnerability without extracting real data.
- Do not install backdoors, web shells, or persistent access mechanisms. Report the vulnerability and stop.
- Do not pivot from one system to another. Scope your testing to the reported asset only.
- Do not target TalaStar employees or contractors with phishing, pretexting, or other social engineering techniques.
- Do not conduct DoS or DDoS testing. These attacks are not covered under this policy regardless of intent.
TalaStar Digital operates a recognition-only programme at this stage. There are no cash bounties. This is honest — we are a Series 0 clinical AI company and our security budget goes into building the product.
Researchers who disclose valid, impactful vulnerabilities will be credited publicly in our Hall of Fame (with their consent) and thanked in our security changelog.
Hall of Fame page coming soon. Your name will be here first.
What researchers receive:
We will revisit paid bounties as the company scales. If you find something critical that materially protects our NHS or clinical partners, we will make sure you are remembered for it.
Our security.txt is served at /.well-known/security.txt per RFC 9116.
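A security.txt file has a small required grammar, and a file that is missing Expires, has already expired, or points at an http:// key gives scanners and researchers nothing to act on. The validator below is an added example, not TalaStar Digital's own code: it parses a constructed sample (the contact address, key URL and fingerprint are the values on this page; the Policy and Hall of Fame URLs and the dates are placeholders) and reports deviations from the required fields and URI rules of RFC 9116. The reference time is fixed so the demonstration is reproducible.

```python
"""security.txt validator (RFC 9116).

Added example; not TalaStar Digital's own code. SAMPLE and BAD_SAMPLE are
constructed: the contact address, key URL and fingerprint come from this
page; the Policy / Hall of Fame URLs and the dates are placeholders.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

REQUIRED = {"contact", "expires"}
WEB_FIELDS = {"acknowledgments", "canonical", "encryption", "hiring", "policy"}
KNOWN = REQUIRED | WEB_FIELDS | {"preferred-languages"}
SINGLETON = {"expires", "preferred-languages"}  # must not appear more than once

# Fixed reference time for the demonstration (constructed).
DEMO_NOW = datetime(2026, 6, 1, tzinfo=timezone.utc)

SAMPLE = """\
# Constructed sample; the Policy URL and Expires date are placeholders.
Contact: mailto:security@talastar.digital
Encryption: https://talastar.digital/.well-known/pgp-key.txt
Encryption: openpgp4fpr:3C40030F316BD2AC987F9925D51FCA08600178E8
Policy: https://example.com/PLACEHOLDER-policy
Preferred-Languages: en
Expires: 2027-01-01T00:00:00Z
"""

# Constructed broken file: http contact, duplicate and stale Expires, misspelt field.
BAD_SAMPLE = """\
Contact: http://talastar.digital/contact
Expires: 2020-01-01T00:00:00Z
Expires: 2020-06-01T00:00:00Z
Acknowledgements: https://example.com/PLACEHOLDER-hall-of-fame
"""


def parse_security_txt(text):
    """Return (name, value) pairs with lower-cased names; comments and blank lines are skipped."""
    fields = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line (expected 'Field: value'): {line!r}")
        fields.append((name.strip().lower(), value.strip()))
    return fields


def _parse_expires(value):
    """Parse an RFC 3339 timestamp; accept a trailing Z on Pythons older than 3.11."""
    if value[-1:] in ("Z", "z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def validate_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file passes these checks."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    names = [name for name, _ in fields]
    problems = [f"missing required field: {f}" for f in sorted(REQUIRED) if f not in names]
    problems += [f"field must appear at most once: {f}" for f in sorted(SINGLETON) if names.count(f) > 1]

    for name, value in fields:
        scheme = urlparse(value).scheme.lower()
        if name == "contact":
            # Contact is a URI; a web URI must use https.
            if scheme not in {"mailto", "tel", "https"}:
                problems.append(f"contact must be a mailto/tel/https URI: {value}")
        elif name == "expires":
            try:
                expires = _parse_expires(value)
            except ValueError:
                problems.append(f"expires is not an RFC 3339 timestamp: {value}")
                continue
            if expires.tzinfo is None:
                problems.append(f"expires lacks a timezone offset: {value}")
            elif expires <= now:
                problems.append(f"file has expired: {value}")
            elif expires - now > timedelta(days=366):
                problems.append(f"expires is more than a year away (RFC 9116 recommends less): {value}")
        elif name in WEB_FIELDS:
            # Encryption may also reference the key by OpenPGP fingerprint or DNS record.
            if name == "encryption" and scheme in {"openpgp4fpr", "dns"}:
                continue
            if scheme != "https":
                problems.append(f"{name} must be an https URI: {value}")
        elif name not in KNOWN:
            problems.append(f"unrecognised field (check for a typo): {name}")
    return problems


def demo():
    """Validate the good and the broken sample at the fixed reference time."""
    return validate_security_txt(SAMPLE, now=DEMO_NOW), validate_security_txt(BAD_SAMPLE, now=DEMO_NOW)


if __name__ == "__main__":
    for label, problems in zip(("SAMPLE", "BAD_SAMPLE"), demo()):
        print(f"{label}: {problems or 'no problems found'}")
```

Run it as a script to see both results; point `validate_security_txt` at the body fetched from /.well-known/security.txt to check a live file. The checks on Expires (presence, single occurrence, not in the past, at most a year out) are the ones most often failed in practice, because the file is written once and never revisited.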
This page is live and reports will be sent to security@talastar.digital, so that address must be routable. If it is not yet active, configure one of the setup paths below to receive them.
Option A — DNS forwarding (Google Workspace / Zoho / Cloudflare Email Routing)
- Forward security@talastar.digital to your personal inbox in the Cloudflare dashboard under Email › Email Routing.
- Add security as an alias for your primary account in Admin Console › Users › [your account] › Add Alternate Emails.
Option B — Postmark inbound routing
Add an MX record pointing the domain at Postmark’s inbound servers:
talastar.digital. IN MX 10 inbound.postmarkapp.com.
Option C — SimpleForward (minimal DNS record)
Forward security@talastar.digital → [your-personal-email].
Note: Until security@talastar.digital is live, researchers can also use the web contact page or reach out through the main company contact.
The private key for the PGP keypair generated on 2026-05-25 was delivered as a one-time artifact to the operator and must be stored offline — do not commit it to any repository.