Vulnerability Disclosure | My Medicine Advisor

Vulnerability Disclosure

If you’ve found a security problem on My Medicine Advisor, thank you — I’d genuinely like to hear about it. This is a small, independently run site, and responsible reports from the security community help keep it safe for everyone who uses it. Here’s how to report an issue, and what you can expect from me.

  • Report privately: email or form below
  • Good faith welcome: no legal action for honest research
  • Handled by me: one person, no team
  • Happy to credit you: if you’d like, with your consent

A Quick, Honest Note First

So you know what you’re dealing with before you spend time on a report.

It’s Just Me

My Medicine Advisor is run by one person, not a security team. I don’t have a 24/7 operations centre or guaranteed response times — but I read every security report and take them seriously, especially anything that could affect users.

Very Little Data Is Stored

The calculators run in your browser and don’t save what you enter, and the site keeps personal data to a minimum. That means there isn’t a large store of user data at risk — but reports about the site itself are still genuinely welcome.

No Paid Bounty

I’m not able to run a paid bug-bounty programme. What I can offer is a real thank-you, a fix, and public credit if you’d like it. I’d rather be honest about that up front than imply rewards I can’t provide.

What’s In and Out of Scope

A rough guide to what’s useful to report to me, and what belongs with someone else.

✓ Useful to report here

The Website Itself

Pages, tools, and calculators on mymedicineadvisor.com — for example a cross-site scripting (XSS) issue or a way to inject content.

The Contact / Report Forms

Problems with the forms on the site — including this vulnerability report form — such as spoofing, injection, or mishandling of what’s submitted.

Configuration & Exposure

Anything unintentionally exposed — a misconfiguration, a publicly reachable file that shouldn’t be, or a leak of information that ought to be private.

✗ Out of scope

Third-Party Platforms

The web host, Cloudflare, Google’s services, and WordPress core or plugins are run by those companies. Please report issues in them to the relevant vendor — I can’t fix those.

Social Engineering / Phishing

Trying to trick or phish me or anyone else isn’t something I want tested.

Denial-of-Service / Load Testing

Please don’t run DoS, brute-force, or load tests against the site — they degrade it for real visitors without showing anything useful.

Anything That Harms Real Users

Any test that accesses, alters, or exposes other people’s data is out of scope — see the guidelines below.

Responsible Disclosure Guidelines

A simple request, not a legal contract: research in good faith and follow these guidelines, and the good-faith assurance further down applies to you.

✓ Please do

  • Report the issue to me privately first, through the email or form below
  • Stop at a minimal proof of concept — just enough to show the issue is real
  • Give me a reasonable chance to fix it before sharing it publicly
  • Stay within the law and the site’s Terms of Use while researching

✗ Please don’t

  • Access, copy, change, or keep anyone else’s data
  • Exploit the issue any further than needed to confirm it
  • Run intrusive automated scans or load tests against the live site
  • Disclose the issue publicly before it’s been fixed

How to Report

Email me, or use the form below. The more detail you include, the faster I can understand and reproduce the issue.

By Email

Send the details to the address below. The site uses HTTPS, so your message is encrypted in transit.

Email:
Subject: “Vulnerability Disclosure — [brief title]”

What to Include

  • Affected page or URL — where the issue is
  • Type of issue — e.g. XSS, CSRF, information exposure
  • Steps to reproduce — clear, numbered steps
  • Impact — what someone could do with it
  • Screenshots or PoC — if safe to include
  • How to credit you — if you’d like to be named

Report a security issue

This form sends your report to me privately. Please don’t include any real user data in it.

What to Expect From Me

I won’t promise specific deadlines I can’t keep as a one-person operation — but here’s how I’ll handle your report.

I’ll get back to you

I’ll acknowledge your report as soon as I reasonably can, and tell you whether I’ve been able to confirm the issue.

I’ll prioritise by how serious it is

Anything that could expose user data or seriously affect the site gets dealt with first. Lower-risk issues may take longer, but they’re still logged and addressed.

I’ll keep you in the loop and credit you

I’ll let you know when it’s fixed, and — if you’d like — credit you publicly for the find. Your details stay private unless you ask to be named.

A Good-Faith Assurance

I want researchers to feel safe reporting issues to me, so here’s my commitment in plain terms.

🤝 If you research in good faith, I won’t come after you

I’m not a lawyer and this isn’t a formal legal programme — but my promise is simple. If you genuinely act in good faith, follow the guidelines on this page, don’t access or damage anyone else’s data, and give me a fair chance to fix the issue before going public, then I won’t pursue legal action against you for your research, and I’ll work with you to get it resolved.

Report privately, in good faith

The assurance applies to issues reported to me first through the channels on this page — not to anything disclosed publicly or to others before I’ve had a chance to act.

Don’t touch other people’s data

Please don’t access, copy, or keep real user data. Stop at the minimum needed to show the issue is real.

I’ll respond in good faith too

I’ll treat your report seriously and confidentially, keep you updated, and credit you if you’d like — that’s the deal from my side.

Found something? Let me know.

Report it privately, research in good faith, and I’ll work with you to fix it — and credit you if you’d like.

Security reports:  |  Subject: “Vulnerability Disclosure — [title]”
Owned & operated by: Sameer Patel — Founder & Editor, My Medicine Advisor
Last Updated: June 2026