Responsible Disclosure Policy

Effective Date: Mar 6, 2026

Reporting a vulnerability

If you believe you've found a security vulnerability in an Insight Health product or service, we want to hear from you. Please email your report to security@insighthealth.ai.

Include as much of the following as possible:

  • A clear description of the vulnerability and its potential impact.
  • Step-by-step instructions to reproduce the issue.
  • The affected URL, endpoint, or service.
  • Any supporting evidence (screenshots, logs, proof-of-concept code).

What to expect

  • Acknowledgment within 3 business days. We will confirm receipt of your report.
  • Triage within 10 business days. We will assess severity, determine scope, and provide an initial response.
  • Ongoing communication. We will keep you informed of our progress toward remediation.
  • Credit (optional). If you'd like, we will acknowledge your contribution on this page once the issue is resolved. Let us know your preferred name or handle.

Scope

The following assets are in scope for security research:

Asset Type
insighthealth.ai Web application
auth.insighthealth.ai Authentication service
app.insighthealth.ai Application platform
api.insighthealth.ai API

Out of scope

The following do not qualify as reportable vulnerabilities:

  • Reports from automated scanners without manual verification or demonstrated impact.
  • Email auto-linking behavior (e.g., email clients rendering user-provided text as clickable hyperlinks).
  • Social engineering, phishing, or physical attacks against Insight Health employees or users.
  • Denial-of-service (DoS/DDoS) attacks or volumetric testing.
  • Content injection without demonstrated security impact (e.g., entering text into input fields that is later displayed).
  • Missing security headers that do not lead to a demonstrated exploit.
  • Self-XSS (where the victim must paste code into their own browser console).
  • Rate limiting or brute-force issues on non-authentication endpoints.
  • Vulnerabilities in third-party services, libraries, or upstream providers unless they directly compromise Insight Health systems.
  • Reports that require unlikely or impractical user interaction.
  • SPF/DKIM/DMARC configuration suggestions without demonstrated spoofing impact.

Rules of engagement

  • Do not access, modify, or delete data belonging to other users.
  • Do not disrupt our services or degrade the experience for our users.
  • Do not test against production patient data. Insight Health is a HIPAA-compliant, SOC 2 Type II certified healthcare platform. Any interaction with real patient data is strictly prohibited.
  • Do not publicly disclose a vulnerability before we've had a reasonable opportunity to address it.
  • Act in good faith and within the law.

Bug bounty

Insight Health does not currently operate a paid bug bounty program. We appreciate responsible disclosure from the security community and are happy to provide public acknowledgment for valid, in-scope findings.

Our commitment to security

Insight Health is SOC 2 Type II certified and HIPAA compliant. We maintain encrypted communications, third-party penetration testing, and industry-leading privacy controls across our platform. For more details, visit our Trust & Safety page or our Trust Center.