Site security

Murtek treats security as part of product quality: data boundaries, least privilege, reviewable releases, explicit product labels, and responsible reporting paths.

Public summary

This page gives a public summary only. It does not disclose private controls, secrets, test techniques, or playbooks that could make the site less safe.

Security posture

Controls are matched to the product state and the data involved.

Murtek's first public web surfaces focus on product information, educational gameplay, account access, and operational readiness. We do not claim clinical certification or HIPAA readiness until the relevant workflows, agreements, audit evidence, and safeguards are in place.

Data boundaries

Preview educational game surfaces are designed to avoid collecting PHI, syncing health records to the cloud, running classroom rollouts, or taking payments unless those features are clearly introduced for that experience.

Access control

Team access is limited by environment and role. Public gameplay can be used without account login, while private account and operations pages use stricter handling.

Transport and edge controls

Public traffic is served over HTTPS, with domain and host controls managed carefully for the type of surface being served.

Release evidence

Public pages are reviewed, tested, and prepared with rollback in mind so search engines and users see the current product state.

Logging and privacy

Logs should support debugging and alerting without exposing secrets, health data, or unnecessary personal context.

Supply chain

Dependencies, runtime versions, CI permissions, and hosted configuration are treated as part of the security boundary rather than background maintenance.

Responsible disclosure

Report security issues directly and give us time to investigate.

Email [email protected] with the affected URL, clear reproduction steps, observed impact, and any relevant screenshots or request IDs. Do not include sensitive personal data unless it is essential to prove impact.

Bug bounty guidance

Murtek welcomes responsible security reports. Bounty eligibility and reward amount are discretionary until a formal bounty table is published, but high-quality reports that identify real, fixable risk will be prioritized.

  • Stay within Murtek-owned public web surfaces unless a written authorization says otherwise.
  • Do not perform denial-of-service testing, spam, social engineering, physical attacks, credential stuffing, or destructive testing.
  • Do not access, modify, delete, retain, or share another person's data.
  • Stop testing and report promptly if you encounter non-public data or a path that could affect availability.