How to reach us
| Topic | Contact |
|---|---|
| Security vulnerabilities and incidents | [email protected] |
| Privacy matters (PHI handling, data rights, BAA privacy terms) | [email protected] |
| General sales and pilot inquiries | [email protected] |
Our machine-readable security contact information is published at
/.well-known/security.txt per RFC 9116.
Reports to [email protected] are acknowledged within 3 business days, and a human reads every one. If your report concerns a suspected active incident involving patient data, say so in the subject line and we will prioritize accordingly.
What to include in a security report
The more of the following you can provide, the faster we can act:
- What you found — a plain-language summary of the vulnerability or concern.
- Where — the affected URL, endpoint, product area, or component.
- How to reproduce it — step-by-step instructions, requests/responses, or a proof of concept. Screenshots help.
- Impact assessment — what you believe an attacker could do with this, and whether any data could be exposed.
- Your environment — browser, tooling, account/role used (if testing under a pilot agreement).
- How to reach you — so we can follow up, ask questions, and credit you if you would like credit.
Please do not include real patient data in a report. If you believe you have inadvertently encountered PHI, stop, do not retain it, and tell us immediately.
Encrypted reports
A PGP key for encrypting sensitive reports is available on request: email
[email protected] and we will provide it. This is currently a
request-based process rather than a published key; publishing the key, and pointing to it
from the Encryption field of our security.txt, is on our list as our disclosure program matures.
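The security.txt published under /.well-known/ follows RFC 9116, and the Encryption field is the place where a published key would be referenced once the request-based process above is replaced. A short checker for the main RFC 9116 rules (required Contact and Expires, https-only web contacts, a single unexpired Expires, a Canonical entry matching the fetch location, and an Encryption field) is given here as an added example written for this page; it is not JamEMR's own tooling and the two files it checks are constructed samples using example.com addresses, not the contents of any real security.txt. The reference time NOW is fixed so the result is reproducible.

```python
"""Check a security.txt body against the main RFC 9116 rules.

Added example for this page, not JamEMR's code. GOOD and BAD are constructed
samples, not any real security.txt.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

GOOD = """\
# Constructed example of a well-formed security.txt
Contact: mailto:security@example.com
Contact: https://example.com/.well-known/security.txt
Expires: 2025-06-01T00:00:00Z
Encryption: https://example.com/pgp-key.txt
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/trust/responsible-disclosure
Preferred-Languages: en
"""

BAD = """\
# Constructed example with several RFC 9116 violations
Contact: http://example.com/security
Expires: 2020-01-01T00:00:00Z
Expires: 2020-02-01T00:00:00Z
"""

# Fixed reference time (assumption for the example) so findings are reproducible.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
CONTACT_SCHEMES = ("https", "mailto", "tel")


def parse(text):
    """Return {lowercased field name: [values in order]}. '#' lines are comments;
    field names are case-insensitive per RFC 9116."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed line (no ':'): %r" % raw)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check(fields, now=NOW, fetched_from=None):
    """Return findings as 'error: ...' / 'warning: ...' strings; [] means clean."""
    findings = []

    # Contact MUST be present; web URIs MUST be https (mailto and tel are fine).
    contacts = fields.get("contact", [])
    if not contacts:
        findings.append("error: missing required Contact field")
    for uri in contacts:
        if urlparse(uri).scheme not in CONTACT_SCHEMES:
            findings.append("error: Contact %r must use https, mailto or tel" % uri)

    # Expires MUST be present exactly once, in RFC 3339 form, and not in the past;
    # the RFC recommends a value less than a year ahead.
    expires = fields.get("expires", [])
    if not expires:
        findings.append("error: missing required Expires field")
    else:
        if len(expires) > 1:
            findings.append("error: Expires must appear once (found %d)" % len(expires))
        try:
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        except ValueError:
            findings.append("error: Expires %r is not an RFC 3339 timestamp" % expires[0])
        else:
            if exp.tzinfo is None:
                findings.append("error: Expires %r has no timezone offset" % expires[0])
            elif exp <= now:
                findings.append("error: security.txt expired at %s" % expires[0])
            elif exp - now > timedelta(days=365):
                findings.append("warning: Expires is more than a year away")

    # Preferred-Languages MUST NOT appear more than once.
    if len(fields.get("preferred-languages", [])) > 1:
        findings.append("error: Preferred-Languages must appear at most once")

    # If we know where the file was fetched from, Canonical should list that URL;
    # otherwise a copy planted elsewhere could be mistaken for the real one.
    canonical = fields.get("canonical", [])
    if fetched_from and canonical and fetched_from not in canonical:
        findings.append("error: fetched location %r not in Canonical" % fetched_from)

    # Encryption is optional, but without it reporters have no key to find.
    if "encryption" not in fields:
        findings.append("warning: no Encryption field; no published key for encrypted reports")

    return findings


if __name__ == "__main__":
    for label, body in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check(parse(body), fetched_from="https://example.com/.well-known/security.txt"))
```

The GOOD sample produces no findings; the BAD sample is flagged for the plain-http contact, the duplicated Expires, the expiry in the past, and the missing Encryption field. A real deployment would fetch the file over HTTPS and pass the fetched URL as fetched_from so the Canonical check is exercised.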
Rules of engagement
Security research against JamEMR is governed by our Responsible Disclosure policy, including its scope, its hard rule against testing systems containing real patient data, and its safe harbor statement for good-faith research. Please read it before testing.
For everything else
Privacy questions that are not vulnerabilities — how JamEMR handles PHI, our subprocessors, BAA terms — go to [email protected], and much of the answer may already be in this Trust Center, starting with the Security Overview.