Vulnerability Disclosure Policy
Effective 2 May 2026 · Version 1.0
Our commitment
Phoenix Health takes the privacy and security of our clients' protected health information seriously. We welcome reports from independent security researchers and will work with anyone who discloses vulnerabilities to us in good faith.
Reporting a vulnerability
Email security@phoenixhealthco.com with a clear description of the issue, the steps to reproduce, and any proof-of-concept materials.
We aim to acknowledge reports within 2 business days and provide a triage outcome within 10 business days.
Scope
- phoenixhealthco.com and its subdomains
- Phoenix Health iOS and Android applications (when released)
- API endpoints documented at /api/*
Out of scope
- Denial-of-service or volumetric attacks against production
- Social engineering of staff or clients
- Physical attacks on offices or staff equipment
- Findings that require root or jailbroken devices and have no realistic exploit path
- Findings on third-party services where Phoenix has no remediation authority
Safe harbour
We will not pursue legal action against researchers who: (a) act in good faith and within this policy; (b) avoid privacy violations, destruction of data, and interruption of service; (c) only test against accounts they own or have explicit permission to test; and (d) give us a reasonable time to remediate before public disclosure.
Recognition
With your permission we will publicly acknowledge valid reports. We do not currently operate a paid bug-bounty programme; this may change in future.