Vulnerability Disclosure Policy

LATEST REVISION
January 30, 2025

At CirrusMD, we are committed to ensuring the security and privacy of our customers, partners, and stakeholders. We recognize the importance of cybersecurity research and welcome contributions from the community to help identify potential vulnerabilities in our systems.

Reporting a Vulnerability

If you believe you have identified a security vulnerability in one of our systems or services, please report it to us promptly by following these steps:

  1. Email Us: Send an email to vulnerabilities@cirrusmd.com with a detailed description of the vulnerability. Please include:
    • Affected system, application, or service.
    • Steps to reproduce the vulnerability.
    • Proof-of-concept or screenshots, if applicable.
    • Your contact information for follow-up (optional).
  2. Good Faith Effort: Please refrain from disclosing the vulnerability publicly until we have had an opportunity to address it. We aim to acknowledge your report within 7 days and will work diligently to resolve the issue.
  3. Scope of Testing: Do not engage in actions that could harm our users, compromise sensitive data, or disrupt services, such as:
    • Exploiting vulnerabilities beyond what is necessary to confirm their existence.
    • Accessing, modifying, or deleting data without authorization.

Our Commitment

We will keep you informed of our progress as we investigate and resolve the issue. If you responsibly disclose a vulnerability, we will not pursue legal action against you for your discovery. We may publicly recognize your contribution if you consent to such acknowledgment.

Ineligible Submissions

Please note that the following are outside the scope of our Vulnerability Disclosure Program:

  • Issues related to social engineering, phishing, or physical security.
  • Reports of outdated software versions without evidence of exploitation.
  • Denial of Service (DoS) attacks or brute-force attacks.
  • Spam or issues unrelated to security vulnerabilities.

Responsible Disclosure

We appreciate your cooperation in helping us maintain a safe and secure environment for our users. Thank you for your commitment to ethical security practices and for taking the time to report vulnerabilities to us.

CirrusMD reserves the right to update this policy as needed. For questions or additional information, please contact us at vulnerabilities@cirrusmd.com.