Vulnerability Disclosure

Vulnerability disclosure at MyMedicineAdvisor exists to protect our users and systems. If you’ve found a potential security issue, please report it to us through the process below. We commit to 24-hour triage, coordinated fixes, clear communication, and good-faith safe harbor for researchers who follow this policy.



How our vulnerability disclosure works

Our vulnerability disclosure program encourages good-faith testing and responsible reporting. We evaluate reports for impact and exploitability, assign priority, and work toward remediation. Security research must not harm users, disrupt service, or access personal/medical data.


Scope for vulnerability disclosure

The following are in scope for vulnerability disclosure testing:

  • Domains: mymedicineadvisor.com and any *.mymedicineadvisor.com subdomains we operate.
  • First-party web applications and APIs we control.
  • Publicly available mobile or desktop clients (if/when released by us).

Not in scope: third-party services (hosting, analytics, payment, marketing) unless we explicitly state otherwise. Issues within vendors should be reported to them directly.


Out-of-scope & prohibited testing

To keep users and systems safe, the following are out of scope for vulnerability disclosure and must not be performed:

  • Denial-of-Service (volumetric, resource exhaustion, or stress tests).
  • Automated account brute force, credential stuffing, or social engineering.
  • Accessing, modifying, or exfiltrating personal/medical data (PHI/PII).
  • Physical attacks (office, devices), or third-party/vendor platforms.
  • Spam/SEO poisoning, clickjacking on non-sensitive pages, and missing X-Frame-Options where no sensitive action is at risk.
  • Self-XSS, CSRF on logout/non-state-changing actions, and version banners without proven exploitability.
  • Scanning that degrades service (excessive rates). Keep requests polite and bounded.

If you’re unsure whether a method is permitted under this vulnerability disclosure policy, email us first.


Submission format for vulnerability disclosure

Send reports to support@mymedicineadvisor.com (PGP available on request) or use the form below.

Provide:

  1. Title and concise summary of the vulnerability.
  2. Affected URL(s)/endpoint(s) and parameters.
  3. Impact (what can an attacker achieve) and severity rationale.
  4. Step-by-step reproduction + minimal proof-of-concept.
  5. Your environment (browser, OS, tool versions).
  6. Fix suggestions if you have them.
  7. Contact for coordinated follow-up.

Our timelines & communications

We aim to:

  • Acknowledge your vulnerability disclosure within 24 hours.
  • Provide status updates at meaningful milestones (triaged → in progress → fixed).
  • Credit researchers who want public acknowledgment (see below).
  • Request a mutually agreed public disclosure date after a fix is deployed and users are protected.

Acknowledgments & recognition

We currently run a non-monetary recognition program. With your consent, we’ll add your name/handle to a Security Hall of Fame and, where appropriate, link to a write-up once the issue is safely disclosed and fixed. Swag/thank-you gifts may be offered at our discretion for high-impact findings.


Emergency procedures

If you discover a high-severity issue that could put users at immediate risk:

  • Mark the subject: “URGENT: High-Severity Vulnerability Disclosure”.
  • Share a minimal PoC privately; do not publish or test further.
  • We will escalate internally and keep you updated on the fix timeline.

Vulnerability Disclosure form


Last Updated – 13 September 2025