Responsible Disclosure and Vulnerability Reporting Policy

Overview

Linear Health Inc. takes the security of our platform and the protection of patient data seriously. This Responsible Disclosure and Vulnerability Reporting Policy is part of our broader Information Security Program, which is aligned with the SOC 2 Trust Services Criteria and the HIPAA Security Rule and is currently undergoing a SOC 2 Type II + HIPAA audit.

We welcome responsible security research and value the contributions of the security community in helping us maintain a secure environment for our customers and their patients.

Scope

This policy applies to the following in-scope assets:

• Production web application at linear.health
• All publicly reachable APIs associated with the Linear Health platform
• Underlying cloud infrastructure used to deliver the service (AWS)
• Public marketing and informational sites hosted on Vercel

The following are out of scope and must not be targeted:

• Third-party services and platforms we integrate with (including but not limited to: Athena EHR, Twilio, ElevenLabs, AWS Bedrock)
• Social engineering or phishing of Linear Health employees, customers, or partners
• Denial-of-service (DoS or DDoS) or any activity that degrades service availability
• Physical security testing of our offices, data centers, or personnel
• Any testing against environments containing real patient data or production PHI beyond what is strictly necessary to demonstrate a vulnerability

If you are unsure whether a system or activity is in scope, please contact us before testing.

Reporting a Vulnerability

If you believe you have discovered a security vulnerability in any in-scope Linear Health system, application, or service, please report it to us at:

Email: security@linear.health

Include as much detail as possible so we can reproduce and assess the issue:

• A clear description of the vulnerability and its potential impact
• Step-by-step instructions to reproduce, including URLs, parameters, and any relevant request/response samples
• Any proof-of-concept code or screenshots necessary to demonstrate the issue
• The date and time of discovery, and the tools or techniques used
• Your contact information for follow-up and, if desired, how you would like to be credited

All reported vulnerabilities are tracked in our internal ticketing system (Jira) from initial triage through remediation and validation.

Triage, Severity, and Remediation Targets

Upon receiving your report, we will perform an initial triage to validate the issue, assess impact, and assign a severity rating. As a general guideline, we target the following remediation timelines:

• Critical: Issues that allow direct compromise of PHI, patient accounts, or core platform infrastructure, or that enable remote code execution or data exfiltration at scale. Target remediation within 7 days of validation.
• High: Issues that significantly affect confidentiality, integrity, or availability but require additional conditions (e.g., authenticated user, limited scope). Target remediation within 30 days of validation.
• Medium: Issues with moderate impact or more complex exploitation requirements. Target remediation within 90 days of validation.
• Low: Issues with limited security impact, hard-to-exploit scenarios, or primarily informational findings. Best-effort remediation based on risk and product priorities.

These timelines represent our standard objectives and may be adjusted based on the specific risk, complexity, and potential patient impact of an issue. Regardless of severity, confirmed vulnerabilities that affect PHI are handled under our Incident Response Plan and HIPAA Breach Notification procedures.

Our Commitments to You

When you report a vulnerability to us in good faith and in accordance with this policy, Linear Health commits to the following:

• Acknowledge receipt of your report within 2 business days.
• Provide an initial assessment or triage outcome within 5 business days, including whether the issue is in scope and how we have classified it.
• Keep you informed of our progress toward validation and remediation, particularly for Critical and High issues.
• Treat your report as confidential and not share your personal information outside the teams who need it to investigate, unless required by law.
• Offer public recognition for validated, responsibly reported vulnerabilities, if you would like to be credited.

Confirmed vulnerabilities that involve PHI or other sensitive patient data will be managed under our Incident Response Plan, including root-cause analysis, containment, and corrective actions. As a HIPAA Business Associate, we notify affected covered entities of a breach involving unsecured PHI without unreasonable delay and no later than 30 calendar days from discovery, or earlier if required by contract.

Safe Harbor for Security Researchers

Linear Health strongly supports responsible security research. If you make a good-faith effort to comply with this policy when conducting security research, we consider your activities to be authorized and will not pursue legal action.

Specifically, provided that you:

• Only test in-scope systems as defined in this policy
• Avoid actions that degrade service, destroy data, or impact other users' experience
• Limit data access to the minimum necessary to demonstrate a vulnerability
• Immediately stop testing and notify us if you encounter PHI or other sensitive patient data, and promptly delete any copies after sharing necessary details with us
• Do not attempt to exfiltrate, manipulate, or retain PHI or other confidential information
• Do not exploit a vulnerability beyond the extent needed to demonstrate its existence
• Comply with all applicable laws

Linear Health will:

• Not initiate or support legal action against you for security research activities that are consistent with this policy.
• Not refer your compliant research activities to law enforcement as malicious conduct.
• Work with you in good faith to understand and remediate validated issues.

If legal action is initiated by a third party against you in connection with activities conducted under this policy, and you have complied with this policy, we will take appropriate steps to make it known that your actions were conducted in good faith and with our authorization.

Guidelines for Researchers

To help protect our patients and customers, we ask that you follow these guidelines when testing and reporting:

• Do not intentionally access, modify, or delete data belonging to other users or patients.
• Do not attempt to view more data than is necessary to demonstrate a vulnerability.
• Use test accounts and non-production data whenever possible.
• Do not attempt to disrupt our services, degrade performance, or impact availability.
• Do not use automated scanners or tools in a way that may generate excessive traffic or deny service.
• Do not publicly disclose details of any vulnerability until we have had a reasonable opportunity to investigate and remediate, typically 90 days from acknowledgment unless otherwise agreed.
• Communicate vulnerability details only through the official reporting channel (security@linear.health).

Governance and Updates

This policy is reviewed at least annually and after significant changes to our systems, threat landscape, or regulatory obligations. We may update this policy from time to time; the most current version will always be available at linear.health, and material changes may be communicated to customers through appropriate channels.