Security & Responsible Disclosure

How to report

• Web form: claimcure.health/security/report — no account required, optional email for follow-up.
• Email: [email protected] — PGP not currently available.
• Machine-readable: our /.well-known/security.txt points here.

In scope

• Our production web application at claimcure.health and its subdomains we operate.
• The business portal at /business/*.
• The public API endpoints under /api/* (excluding internal admin routes).
• Our email pipelines (nurture, audit confirmation, disclosure).
• Authentication, authorization, and session handling.
• PHI handling — upload, retention, deletion, audit logging.
• Payment flow (Stripe Checkout integration — we do not store card data ourselves, so issues there are typically Stripe-scope).

Out of scope

• Third-party services we consume (Cloudflare, AWS, SendGrid, Stripe, Anthropic) — report to those vendors directly.
• Denial-of-service, volumetric, or social-engineering attacks.
• Automated scanner output without a demonstrated impact path.
• Missing security headers on non-authenticated static endpoints where the header does not materially reduce risk.
• Reports that require physical access, a rooted device, or self-XSS.
• Email spoofing issues rooted in SPF/DKIM/DMARC on third-party senders we do not control.

What we commit to

• Acknowledge your report within 3 business days (usually same-day once the email reaches us).
• Triage and share a timeline estimate within 7 business days.
• Keep you updated on progress for any non-trivial issue.
• Credit you (if you want) on a public acknowledgements page after remediation ships.
• Never take legal action against good-faith researchers who follow this policy.

Safe harbor

If you make a good-faith effort to comply with this policy during your research, we will consider your work authorized, will not pursue or support legal action against you, and will help defend you from any third-party action resulting from your report. We also ask that you:

• Give us reasonable time to investigate and remediate before public disclosure.
• Do not access, modify, or destroy data beyond what is necessary to demonstrate the issue.
• Do not use automated tooling at a rate that would degrade service for others.
• Do not attempt to extract real user PHI — use test records you create yourself.

No monetary bounty at this time

We are a small self-funded team and do not offer cash bounties yet. We do offer public acknowledgement (opt-in) and a sincere thank-you. If that changes, we will update this page.