At HumanFirst, we see ourselves as a leader in protecting security and privacy, and our systems are designed with a security-first framework in mind. We perform threat modeling and adversarial resilience testing as the foundation of any solution we provide, and we recognize that maintaining a secure posture requires continuous effort. In addition to these industry-standard practices, we welcome security researchers to inform us of any vulnerabilities that could put human safety and security at risk or that could compromise the confidentiality, integrity, or availability of our systems.
This policy lays out how we interact with, and structure an informed dialog with, any security researcher who reports potential vulnerabilities. It enumerates our intentions, our expectations, and the intake mechanisms through which these interactions are coordinated.
HumanFirst authorizes good-faith research into any of our digital assets, including:
Additionally, all vulnerabilities that require or are related to the following are out of scope:
For vulnerabilities in third-party libraries, systems, or code, we will guide researchers to report those to the appropriate parties (directly, or through third parties such as the CERT/CC). If such an issue is reported to HumanFirst, we may also report it through our supply chain and to relevant third parties, because this can improve responsiveness by the software or product supplier.
Potential vulnerabilities associated with any software or product listed in our Atlas catalog should be reported to the software or product supplier directly, in addition to being reported to HumanFirst.
We do not currently pay bounties or maintain a "hall of fame" for vulnerability reports.
We believe that well-intentioned security research improves patient safety and overall clinical effectiveness. We do not intend to take legal action against security researchers who appear to be acting in good faith. We consider research conducted under this policy to be:
You are expected, as always, to comply with all applicable laws. If legal action is initiated by a third party against you, then to the extent your research was conducted in compliance with this policy, we will cooperate by providing this policy and a record of the actions you took to provide information under it. For the avoidance of doubt, however, we will not assume any liability or costs associated with any legal action taken against you by any third party.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our official channels before going any further.
We want to encourage vulnerability research, so to avoid any confusion between legitimate research and malicious activity, we ask that you, in good faith:
When interacting with us in accordance with this policy, you can expect us to:
Reports will be most helpful if they:
We encourage all good-faith reports; however, we have no control over third-party products. When appropriate, we will involve third parties in issues as promptly and as responsibly as possible.
We developed this policy with the help of individuals from the leading coordinated vulnerability disclosure organizations and the other resources listed below:
2019/10/08 v1.0 Initial Publication
2019/12/02 v1.1 Update
2020/05/04 v1.2 Update
2021/02/25 v1.3 Update - Public GPG Key updated