
SECURITY DISCLOSURE POLICY

Reporting a Security Vulnerability

Last updated: April 30, 2026  ·  Version 1.0

1. Our Commitment

Honor Code Medical Consultants, LLC ("HCMC") welcomes reports from independent security researchers. We understand that securing complex systems is a community effort, and we treat every good-faith report as a contribution to patient safety, customer trust, and the integrity of the medical-device distribution channel.

We commit to acknowledging every report within five (5) business days, triaging within twenty-four (24) hours where possible, and providing a remediation timeline appropriate to the severity of the finding.

2. How to Report

Send your report to legal@honorcodemedical.com. Please include:

  • A clear description of the vulnerability and its potential impact.
  • Step-by-step reproduction instructions, including affected URLs, request/response captures, or proof-of-concept code.
  • Your preferred contact method and the name (or handle) you would like us to use in any public acknowledgement.
  • Whether you have disclosed the issue to any other party.

Our machine-readable disclosure metadata is published at /.well-known/security.txt in accordance with RFC 9116.

3. Scope

The following systems are in scope for this program:

System                                                                   | In / Out of Scope
-------------------------------------------------------------------------+-----------------------------------------------
honorcodemedical.com and subdomains we operate                           | In scope
HCMC training platform (hcmcwoundcare.netlify.app)                       | In scope
HCMC rep portal (when authenticated; do not attempt unauthorized access) | In scope (authorized testing only)
Third-party services we use (Netlify, Google, MailerLite, etc.)          | Out of scope — report directly to the vendor
Manufacturer partner systems                                             | Out of scope
Customer or hospital systems                                             | Out of scope
Physical security, social engineering, or phishing of HCMC personnel     | Out of scope

4. Acceptable Testing

Testing must be conducted in good faith and in compliance with applicable law. Specifically:

  • Only test against accounts you own or have explicit written authorization to test.
  • Do not access, download, modify, or destroy data belonging to other users.
  • Do not perform automated scanning that disrupts service availability (no DoS / DDoS, no aggressive fuzzing of production endpoints).
  • Do not pivot from a finding into other systems.
  • Stop testing immediately if you encounter Protected Health Information (PHI) or any other sensitive personal data, and report what you found without retaining the data.

5. Out-of-Scope Findings

The following issue classes are generally considered out-of-scope or low-priority:

  • Reports from automated scanners with no demonstrated impact (e.g., missing security headers without a working exploit).
  • Self-XSS, clickjacking on pages with no sensitive actions, or unverified CSRF on logout/cosmetic flows.
  • Username or email-address enumeration on login flows where mitigation would harm legitimate user experience.
  • SPF / DKIM / DMARC misconfigurations — we are aware and welcome confirmation, but these are not eligible for acknowledgement.
  • Outdated software versions without a working exploit.
  • Issues affecting third-party services we cannot directly remediate.
  • Findings dependent on physical access to a user's device.

6. Safe Harbor

Good-faith research is welcome. HCMC will not pursue legal action against researchers who: (a) make a good-faith effort to comply with this policy; (b) avoid privacy violations, data destruction, and service disruption; (c) report findings privately and allow a reasonable remediation window before public disclosure; and (d) do not exploit findings beyond what is necessary to demonstrate impact.

This policy does not authorize, and HCMC cannot indemnify, conduct that violates federal or state law, including the Computer Fraud and Abuse Act (CFAA), the Texas Computer Crimes Law (Tex. Penal Code Ch. 33), HIPAA, or other applicable statutes. If you have any uncertainty about whether a planned action is in scope, contact us first.

7. Disclosure Timeline

We aim to remediate confirmed vulnerabilities on the following targets:

  • Critical: 7 days to mitigate, 30 days to fully remediate.
  • High: 30 days to remediate.
  • Medium: 60 days to remediate.
  • Low: 90 days or as part of regular release cadence.

We ask researchers to delay public disclosure until remediation is complete or until ninety (90) days have elapsed since acknowledgement, whichever is sooner. Coordinated disclosure beyond ninety (90) days can be arranged for complex or chained issues.

8. Acknowledgement

HCMC does not currently operate a paid bug-bounty program. We do publicly thank researchers who responsibly disclose qualifying findings (with the researcher's permission). If you would like to be acknowledged, please indicate so in your initial report.

9. Confidentiality

Vulnerability reports are treated as confidential information. Personnel who handle reports are bound by HCMC's confidentiality and information security policies. We will share findings with manufacturer partners or hosting providers only as needed to remediate and only on a need-to-know basis.

10. Changes to This Policy

We may update this policy as our security program matures. The effective date and version are listed at the top of this page. The machine-readable security.txt contact is reviewed and refreshed at least annually.

11. Contact

Security reports: legal@honorcodemedical.com

General inquiries: legal@honorcodemedical.com

A dedicated security@honorcodemedical.com alias will replace the above once DNS cutover and Cloudflare Email Routing are complete.

© 2026 Honor Code Medical Consultants, LLC. All rights reserved.