Responsible Disclosure Policy

At MediChatApp, the privacy and security of healthcare data are top priorities. We recognize the valuable role that independent security researchers play in protecting our systems. This Responsible Disclosure Policy outlines how to report security issues to us safely, what to expect, and how we commit to responding.

1) Scope

This policy applies to vulnerabilities discovered in any MediChatApp-owned domain, subdomain, API, or hosted application, including production systems (e.g., *.medichatapp.com). Please avoid testing systems or integrations that belong to our customers (e.g., practice portals, third-party EMRs), as these contain Protected Health Information (PHI).

2) Safe Harbor

If you make a good faith effort to comply with this policy during your security research, we will not pursue or support legal action against you for your research. We ask that you:

Avoid accessing, modifying, or deleting data you do not own (especially PHI or PII).
Avoid service disruption, social engineering, spam, or denial-of-service testing.
Provide a clear, reproducible report that includes steps to replicate the vulnerability.
Give us a reasonable amount of time (at least 30 days) to resolve the issue before public disclosure.

3) How to Report

Please send your report to our security team with sufficient details to help us reproduce and validate the issue:

Security Contact

Email: [email protected]

Encryption: PGP key available on request

Subject: “Responsible Disclosure – [Brief Description]”

Include the following information:

Vulnerability type and description
Steps to reproduce (screenshots, payloads, proof-of-concept if possible)
Potential impact or data exposure
Your preferred contact method (email, Signal, etc.)

4) Our Commitment

We will acknowledge your report within 72 hours.
We will investigate and provide a status update within 10 business days.
If verified, we will coordinate a timeline for remediation and potential disclosure.
We may publicly thank security researchers who report responsibly, if you consent.

5) Out of Scope

The following findings are generally considered out of scope:

Rate-limiting or brute-force concerns with no impact or practical exploitability.
Self-XSS or clickjacking requiring user interaction within their own session.
Missing HTTP headers or cookie flags with negligible impact.
Use of outdated libraries without a proven exploit path.
Vulnerabilities in third-party platforms not owned or controlled by MediChatApp.

6) Recognition & Bug Bounty

We currently do not operate a paid bug bounty program. However, high-impact or critical findings may be eligible for discretionary recognition or acknowledgment on our Security Researchers Hall of Fame (coming soon).

7) Policy Updates

We may update this Responsible Disclosure Policy from time to time. The “Last Updated” date at the top of this page reflects the latest revision. Continued participation in our program after changes signifies your acceptance of the updated policy.

Found a potential vulnerability?

Report it securely to our security team. We appreciate your help in keeping healthcare data safe.

Report a Vulnerability