BSL

Biomed Systems Limited

Security Stewardship Ref: BSL-VDP-2026

Vulnerability Disclosure Policy

At Biomed Systems Limited, the security of our laboratory information management systems (LABA) and the confidentiality of our clients' research data are our highest priorities. We recognise the vital role that independent security researchers play in the digital ecosystem and welcome reports made in good faith regarding potential vulnerabilities.

This document serves as our authoritative protocol for engagement with the global security community, ensuring a structured and protected environment for ethical research.

1. Scope of Stewardship

Web Assets

biobanking.co.uk

Technical Infrastructure

LABA Ecosystem & Subdomains

2. Researcher Guidelines

To facilitate a constructive and professional engagement, researchers are requested to adhere to the following tenets of conduct:

01. Prompt Notification

Notify us immediately upon the discovery of a potential vulnerability. Delaying reports increases risk to laboratory operations.

02. Confidentiality & Discretion

Refrain from public disclosure until we have had a reasonable opportunity to remediate. Stewardship requires patience.

03. Data Integrity

Do not attempt to access, modify, or delete data belonging to our clients (e.g., LONZA Laboratories). Research must be non-destructive.

3. Reporting Process

To ensure the privacy of our personnel and maintain the integrity of our intake process, all security findings must be submitted via our official, secure contact channel.

Security Intake Portal Ref: Direct-Intake-BSL

4. Our Commitment (Safe Harbour)

"If you conduct your research and reporting in accordance with this policy, Biomed Systems Limited considers your actions to be authorised. We will not initiate legal action against you for your research activities. Furthermore, we commit to acknowledging your submission within 48 hours."

5. Prohibited Testing

Social Engineering

Phishing or coercion of Biomed Systems Limited staff or clients is strictly forbidden.

Physical Access

Physical security testing of our facilities in London or Rijeka is outside of scope.

Infrastructural Load

DDoS or automated scanning that disrupts clinical services is strictly prohibited.