We welcome good-faith security research
Security researchers make products safer, and we would rather hear about a vulnerability from you than discover it in an incident. If you believe you have found a security issue in JamEMR, we want to know — and we commit to treating you and your report with respect.
Scope
In scope
- The public website: *.jamemr.com
- JamEMR products, when tested under the terms of a pilot agreement
Out of scope — hard rules
- No testing against systems containing real patient data. This is a medical records product; a test that touches real PHI is not good-faith research, full stop. Pilot-based testing happens in environments running synthetic data.
- No social engineering of JamEMR staff, pilot practices, or their patients.
- No denial-of-service testing or resource exhaustion.
- No physical intrusion attempts.
- Third-party services we use (see Subprocessors) are governed by their own disclosure policies, not this one.
How to report
Email [email protected] with what you found, where, how to reproduce it, and your assessment of impact. See Security Contact for the full checklist of what to include.
What we commit to
- Acknowledgement within 3 business days of receiving your report.
- A human reads every report — triage is not automated away.
- We will keep you informed of our assessment and remediation progress, and we will tell you when the issue is fixed.
- With your permission, we are glad to credit you once the issue is resolved.
Safe harbor
If you conduct security research in good faith and in accordance with this policy, we will not pursue legal action against you or refer you for prosecution for that research. Good faith means: staying in scope, making a genuine effort to avoid privacy violations and service disruption, not accessing or retaining more data than needed to demonstrate the issue, and giving us a reasonable opportunity to fix the problem before public disclosure. If you are ever unsure whether an action is covered, ask us first at [email protected] — we answer.
No bug bounty yet
We are honest about this: JamEMR does not currently run a paid bug bounty program. As a pilot-stage company, our security investment is going into the controls and testing described in our Compliance Roadmap, including third-party penetration testing planned before general availability. We may introduce a bounty program later; until then, what we offer researchers is a fast response, straight communication, and credit.