Vulnerability Disclosure Policy
Effective Date: February 2026
Document Version: 1.0
1. Purpose
Rymeda, Inc. ("Rymeda," "we," "us," or "our") is committed to the security of our healthcare platform, our users, and the patients whose data we are entrusted to protect. We recognize that security researchers and the broader community play a vital role in helping us maintain the highest security standards.
This Vulnerability Disclosure Policy ("VDP" or "Policy") describes how security researchers can report vulnerabilities to Rymeda in a safe, responsible manner and what they can expect from us in return. We welcome and appreciate good-faith security research conducted in accordance with this Policy.
2. Scope
This Policy applies to all Rymeda-owned and operated digital assets, including:
- All domains under *.rymeda.com
- All Rymeda API endpoints
- Rymeda mobile applications (iOS and Android)
- Rymeda web applications and portals
- Infrastructure and cloud services operated by Rymeda
Third-party services, vendor platforms, and open-source components not directly operated by Rymeda are outside the scope of this Policy. Vulnerabilities discovered in third-party components used by Rymeda should still be reported to us, and we will coordinate with the appropriate vendor.
3. Safe Harbor
Good-Faith Research Protection
Rymeda, Inc. considers security research conducted in accordance with this Policy to be authorized, good-faith conduct. We will not initiate or support legal action against researchers who discover and report vulnerabilities in compliance with this Policy. If a third party initiates legal action against a researcher for activities conducted in accordance with this Policy, we will take steps to make it known that such activities were authorized by Rymeda.
To qualify for safe harbor protection, researchers must:
- Act in good faith and in accordance with this Policy at all times
- Avoid accessing, modifying, or deleting data belonging to other users or patients
- Stop testing and report immediately upon discovery of any Protected Health Information (PHI) or personally identifiable information (PII)
- Not exploit a vulnerability beyond what is necessary to demonstrate its existence
- Not publicly disclose vulnerability details before Rymeda has had a reasonable opportunity to remediate (see Section 9: Coordinated Disclosure Timeline)
- Not engage in any activities that could cause harm to Rymeda, our users, or our patients
- Comply with all applicable laws
4. Reporting a Vulnerability
Please report all security vulnerabilities to:
Security Team
PGP Encryption: We encourage the use of PGP encryption for sensitive reports. Our PGP public key is available at https://rymeda.com/.well-known/security.txt and on major public key servers.
Key Fingerprint: Available upon request at security@rymeda.com
Please do not report security vulnerabilities through public channels (GitHub issues, social media, forums, etc.) as this may put users and patients at risk before a fix is available.
5. What to Include in Your Report
To help us understand and resolve the vulnerability quickly, please include as much of the following information as possible:
Description
A clear, concise description of the vulnerability, including the type of issue (e.g., XSS, SQL injection, IDOR, authentication bypass, SSRF) and the affected component or endpoint.
Reproduction Steps
Detailed, step-by-step instructions to reproduce the vulnerability, including URLs, HTTP requests/responses, screenshots, or proof-of-concept code. The more specific, the faster we can verify and address it.
Impact Assessment
Your assessment of the potential impact, including the severity (critical, high, medium, low), the type of data at risk (especially PHI or PII), and the potential for exploitation in a real-world scenario. Include the CVSS score if available.
Your Contact Information
An email address or other means by which we can contact you for follow-up questions or status updates. Anonymous reports are accepted but may limit our ability to coordinate with you.
Environment Details
Browser version, operating system, device type, network configuration, and any other environment details relevant to reproducing the issue.
6. Response Timeline
Rymeda commits to the following response timeline for all vulnerability reports received through this Policy:
| Stage | Timeline | Description |
|---|---|---|
| Acknowledgment | 2 business days | We will acknowledge receipt of your report and provide a unique tracking identifier |
| Triage | 5 business days | We will validate the report, assess severity, assign a priority, and communicate our initial assessment to you |
| Status Updates | Every 10 business days | We will provide progress updates until the vulnerability is resolved |
| Resolution | See severity table below | We will notify you when the vulnerability has been remediated and verified |
6.1 Resolution Targets by Severity
| Severity | Resolution Target | Examples |
|---|---|---|
| Critical | 24 hours | Remote code execution, authentication bypass affecting PHI, SQL injection in production, mass data exposure |
| High | 7 days | IDOR exposing patient data, privilege escalation, SSRF to internal services, stored XSS in clinical areas |
| Medium | 30 days | Reflected XSS, CSRF, information disclosure (non-PHI), insecure direct object references (non-clinical) |
| Low | 90 days | Missing security headers, verbose error messages, minor configuration issues, clickjacking on non-sensitive pages |
Resolution targets are measured from the date of triage completion. Actual resolution times may vary based on the complexity of the fix and the need for thorough testing, particularly for a healthcare platform handling PHI.
7. In-Scope Targets
The following assets and vulnerability classes are in scope for this Policy:
7.1 In-Scope Assets
| Asset | Description |
|---|---|
| app.rymeda.com | Primary patient-facing web application |
| *.app.rymeda.com | Provider portal and clinical documentation interface |
| api.rymeda.com | RESTful API endpoints |
| rymeda.com | Corporate website and marketing pages |
| Authentication & Authorization | JWT authentication, role-based access control, session management, OAuth flows |
7.2 In-Scope Vulnerability Classes
- Remote code execution (RCE)
- SQL injection, NoSQL injection, and other injection vulnerabilities
- Authentication and authorization bypass
- Cross-site scripting (XSS) — stored, reflected, and DOM-based
- Cross-site request forgery (CSRF)
- Server-side request forgery (SSRF)
- Insecure direct object references (IDOR)
- Privilege escalation (horizontal and vertical)
- Sensitive data exposure (especially PHI/PII)
- API security issues (broken object-level authorization, mass assignment, etc.)
- Cryptographic weaknesses
- Business logic vulnerabilities affecting data integrity or patient safety
8. Out-of-Scope
The following activities and vulnerability types are out of scope for this Policy:
8.1 Prohibited Testing Methods
- Social Engineering: Phishing, vishing, pretexting, or any social engineering attacks against Rymeda employees, contractors, or users
- Denial of Service (DoS/DDoS): Any testing that could degrade, disrupt, or deny service to Rymeda's platform or infrastructure
- Physical Attacks: Physical access attacks against Rymeda offices, data centers, or equipment
- Automated Scanning: Large-scale automated vulnerability scanning that could impact system performance or trigger rate limiting. Lightweight, targeted scanning is acceptable.
- Spam or Content Injection: Sending unsolicited messages to Rymeda users or injecting content visible to other users
8.2 Out-of-Scope Vulnerability Types
- Vulnerabilities in third-party services, libraries, or components not directly operated by Rymeda (though we appreciate reports about these and will coordinate with vendors)
- Issues requiring physical access to a user's device
- Missing security headers on non-sensitive pages without demonstrated impact
- SSL/TLS configuration issues on non-production domains
- Clickjacking on pages without sensitive actions
- Self-XSS (requires the user to enter code in their own browser console)
- Username/email enumeration via login or registration (unless combined with other vulnerabilities)
- Missing rate limiting without demonstrated abuse potential
- Best practice recommendations without a demonstrated vulnerability
- Theoretical attacks without proof of concept
8.3 Third-Party Services
Vulnerabilities in the following third-party services should be reported directly to the respective vendors: Amazon Web Services (AWS), MongoDB Atlas, Stripe, OpenAI, Google Cloud, Twilio SendGrid, Plausible Analytics.
9. Coordinated Disclosure Timeline
Rymeda follows a 90-day coordinated disclosure policy. We request that researchers:
- Allow Rymeda ninety (90) calendar days from the date of acknowledgment to remediate the vulnerability before any public disclosure
- Coordinate the timing and content of any public disclosure with Rymeda's security team
- Refrain from disclosing specific technical details (exploit code, proof of concept, affected endpoints) until a fix has been verified in production
If Rymeda requires additional time beyond 90 days due to the complexity of the fix (e.g., architectural changes, coordination with upstream dependencies), we will negotiate an extended timeline with the researcher in good faith. In the event of a genuine disagreement on disclosure timing, we encourage researchers to contact CERT/CC or another recognized coordination center.
Rymeda reserves the right to request early or delayed disclosure in exceptional circumstances, such as when a vulnerability poses an imminent risk to patient safety or when a fix requires coordination across multiple healthcare organizations.
10. Reward & Recognition
Rymeda values the contributions of security researchers. While we do not currently offer a monetary bug bounty program, we provide the following recognition for valid, in-scope vulnerability reports:
- Hall of Fame: With your permission, we will acknowledge your contribution in our Security Researchers Hall of Fame on the Security page
- Reference Letter: Upon request, we will provide a letter confirming your responsible disclosure for professional or academic purposes
- Direct Communication: You will receive direct updates from our security team on the remediation status and a notification when the fix is deployed
Future Bug Bounty
We are actively evaluating the implementation of a formal bug bounty program with monetary rewards. Researchers who have submitted valid reports under this VDP will be given priority access and consideration when a bounty program launches. Subscribe to updates at security@rymeda.com.
11. Legal Protections
Rymeda, Inc. will not pursue legal action under the following statutes against researchers who comply with this Policy:
11.1 Computer Fraud and Abuse Act (CFAA)
We will not bring claims under the Computer Fraud and Abuse Act (18 U.S.C. §1030) against researchers who make a good-faith effort to comply with this Policy. We consider authorized security research conducted in accordance with this Policy to constitute "authorized access" within the meaning of the CFAA.
11.2 Digital Millennium Copyright Act (DMCA)
We will not bring claims under the Digital Millennium Copyright Act (17 U.S.C. §1201) against researchers who circumvent technological measures solely for the purpose of good-faith security research in accordance with this Policy.
11.3 California Comprehensive Computer Data Access and Fraud Act
We will not bring claims under Cal. Penal Code §502 against researchers who comply with this Policy.
11.4 HIPAA Considerations
Critical: PHI Restrictions
As a healthcare platform, Rymeda processes Protected Health Information (PHI). Researchers must immediately stop testing and report to us if they encounter any patient data, clinical records, or other PHI during their research. Intentional access to, copying of, or exfiltration of PHI is not covered by this safe harbor and may result in enforcement action under HIPAA (42 U.S.C. §1320d-6), which carries criminal penalties of up to $250,000 in fines and 10 years imprisonment.
11.5 Limitations
This safe harbor does not extend to activities that:
- Violate the privacy or data protection rights of any individual
- Access, copy, download, or exfiltrate PHI or PII
- Cause damage, disruption, or degradation of Rymeda's services
- Are conducted for purposes other than improving Rymeda's security
- Violate any law not enumerated in Sections 11.1–11.3
- Involve extortion, blackmail, or threats
12. Contact Information
For vulnerability reports, questions about this Policy, or security-related inquiries: