Dedicated channel: for any vulnerability report, use security@heelonys.fr and avoid public disclosure before coordinated handling.
Scope: this page covers HeelonVault, HeelonGed, HeelonConnect, and the public HEELONYS website (public pages, forms, and related APIs).
1. General principles
HEELONYS products and services are designed with a security-first approach, with special attention to confidentiality, integrity, availability, traceability of sensitive actions, and reduced data exposure.
- least-privilege principles and access segmentation;
- security logging and monitoring of critical events;
- application hardening, dependency management, and continuous remediation.
2. Covered portfolio
| Product / Service | Status and distribution model | Security focus |
|---|---|---|
| HeelonVault | Apache-2.0 open source | Local-first secrets management, encryption at rest, and usage/audit safeguards |
| HeelonGed | Open source for audit under NDA | Document management and audit with access control, traceability, and secure flows |
| HeelonConnect | Pre-announced, open source for audit under NDA | Interoperability and integration with secure exchange requirements |
| HEELONYS website | Public web service | Form protection, abuse prevention, event logging, and internet-facing surface security |
3. How to report a vulnerability
Please send an email to security@heelonys.fr with a subject line in the format "SECURITY-HEELONYS: <short title>", and specify the impacted scope (Vault, Ged, Connect, website, API).
Please include:
- affected version;
- test environment;
- reproduction steps;
- expected vs observed behavior;
- estimated impact;
- a proof of concept if available.
Please do not send cleartext secrets, full database dumps, or master passwords in your initial report.
4. Target handling timelines
- acknowledgement within 24 hours;
- initial triage and classification within 3 business days;
- status update at least every 7 days until closure.
| Priority | Exploitability | Impact | Operational target |
|---|---|---|---|
| P1 | Trivial or low-complexity exploitation | High impact on confidentiality, integrity, or availability | Target mitigation or fix within 7 days |
| P2 | Realistic exploitation with few prerequisites | Moderate to high impact | Target mitigation or fix within 14 days |
| P3 | Specific conditions or required user interaction | Limited to moderate impact | Planned fix within 30 days |
| P4 | Theoretical or hard-to-exploit scenario | Low impact | Handled in upcoming releases |
5. HEELONYS website security
The public website and its APIs apply security controls consistent with internet exposure:
- input validation and payload filtering;
- abuse protection (rate limiting and anti-automation controls);
- security event logging and operational monitoring;
- regular dependency and deployed component updates.
6. Coordinated disclosure
Vulnerabilities must be handled through coordinated disclosure. Unless legally required otherwise, no detailed publication should occur before a mitigation or acceptable fix is available.
7. License, trademarks, and authenticity
HeelonVault is published as open source under Apache-2.0. HeelonGed and HeelonConnect are made available as open source for audit under NDA while their launch phase requires controlled disclosure.
The HEELONYS, HeelonVault, HeelonGed, and HeelonConnect trademarks are operated by HEELONYS; trademark filing and protection actions are ongoing in applicable territories.
The authenticity seal, or any equivalent mention reserved for official builds, must not be displayed on modified versions, forks, or community builds not approved by HEELONYS.
8. Contact
Security reporting: security@heelonys.fr
General contact: contact@heelonys.fr
Company: HEELONYS - SAS-U - 40 rue de la tour d'Auvergne, La Cantine FrenchTech, 44200 NANTES, France