Responsible Disclosure and Vulnerability Reporting Policy

Overview

Linear Health Inc. takes the security of our platform and the protection of patient data seriously. We welcome responsible security research and value the contributions of the security community in helping us maintain a secure environment. This policy describes how to report security vulnerabilities to us and what you can expect in return.

Reporting a Vulnerability

If you believe you have discovered a security vulnerability in any Linear Health system, application, or service, please report it to us at:

security@linear.health

Please include the following information in your report:

• A description of the vulnerability and its potential impact
• Step-by-step instructions to reproduce the issue
• Any relevant screenshots or proof-of-concept code
• Your contact information for follow-up

Our Commitment

When you report a vulnerability to us, we commit to the following:

• We will acknowledge receipt of your report within 2 business days.
• We will provide an initial assessment within 5 business days.
• We will keep you informed of our progress toward resolution.
• We will not pursue legal action against researchers who report vulnerabilities in good faith and in accordance with this policy.

Scope

This policy applies to all Linear Health systems, applications, APIs, and web properties.

The following activities are explicitly out of scope:

• Social engineering or phishing of Linear Health employees or customers
• Denial-of-service testing
• Physical security testing
• Any testing that could impact the availability or integrity of production systems containing patient data

Guidelines for Researchers

We ask that security researchers:

• Do not access, modify, or delete data belonging to other users
• Do not degrade the performance or availability of our services
• Do not disclose vulnerability details publicly until we have had reasonable time to address the issue
• Comply with all applicable laws