Vulnerability Disclosure & Bug Bounty Program
We take the security of our systems and customer data seriously. If you believe you’ve found a security vulnerability in any system owned or operated by TeleRare Health, we appreciate you letting us know so we can investigate and fix it.
This page explains how to report security issues responsibly, what systems are in scope, and (for qualifying reports) how we may provide a modest reward.

How to Report a Vulnerability
Please email your report to: security@telerarehealth.com
Subject line: Security Vulnerability Report

To help us validate and fix issues quickly, include as much of the following as possible:
- Summary (one or two sentences describing the issue)
- Affected asset(s) (URL, endpoint, app version, environment, etc.)
- Steps to reproduce (clear, numbered steps)
- Impact (what an attacker could achieve and who would be affected)
- Proof of concept (screenshots, sample requests/responses, logs; redact sensitive data)
- Any known prerequisites (account role, permissions, configuration, etc.)
- Your contact info (so we can follow up)
Important: Please do not include sensitive personal data in your report, including protected health information (PHI). If you unexpectedly encounter sensitive data, stop testing immediately and notify us, including only the minimal details necessary for us to locate the issue.
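Redacting a proof-of-concept capture before you attach it is the step researchers most often get wrong, so here is a worked example. This is an added illustration, not TeleRare Health's own tooling or a required format: the request/response capture below is constructed (the host, token, cookie and patient record are invented), and the sets of header names and JSON keys treated as sensitive are assumptions that you should extend for whatever data you actually encountered. Record identifiers and request paths are deliberately kept so the team can locate the affected resource.

```python
import json
import re

# Constructed sample: a request/response pair a researcher might attach as
# proof of concept. Every value in it (host, token, cookie, patient record)
# is invented for this example and is not from any TeleRare Health system.
SAMPLE_CAPTURE = """GET /api/v1/patients/4821 HTTP/1.1
Host: app.example.invalid
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI0ODIxIn0.c2lnbmF0dXJl
Cookie: session=9f8e7d6c5b4a; theme=dark

HTTP/1.1 200 OK
Content-Type: application/json

{"id": 4821, "name": "Jane Doe", "email": "jane.doe@example.org", "phone": "555-123-4567", "dob": "1984-03-09", "diagnosis": "example condition"}
"""

# Header names whose values are credentials: the name is kept, the value dropped.
# Assumed list; extend it for any custom auth headers the target uses.
SECRET_HEADERS = {"authorization", "proxy-authorization", "x-api-key", "x-auth-token"}
COOKIE_HEADERS = {"cookie", "set-cookie"}

# JSON keys treated as PHI or secrets. Also an assumption. "id" is intentionally
# not listed so the affected record can still be located.
SENSITIVE_KEYS = {
    "name", "first_name", "last_name", "email", "phone", "dob", "ssn",
    "address", "diagnosis", "notes", "password", "token",
}

HEADER_RE = re.compile(r"^([A-Za-z0-9-]+):(.*)$")
COOKIE_PAIR_RE = re.compile(r"([^=;\s]+)=([^;]*)")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b")
BEARER_RE = re.compile(r"Bearer\s+[A-Za-z0-9._~+/=-]+")


def redact_header(name, value):
    """Drop credential values but keep header and cookie names, which help reproduction."""
    lname = name.lower()
    if lname in COOKIE_HEADERS:
        return f"{name}:{COOKIE_PAIR_RE.sub(lambda m: m.group(1) + '=[REDACTED]', value)}"
    if lname in SECRET_HEADERS:
        return f"{name}: [REDACTED]"
    return f"{name}:{value}"


def redact_json_value(obj):
    """Recursively blank values under sensitive keys; keep structure and other fields."""
    if isinstance(obj, dict):
        return {
            k: "[REDACTED]" if k.lower() in SENSITIVE_KEYS else redact_json_value(v)
            for k, v in obj.items()
        }
    if isinstance(obj, list):
        return [redact_json_value(v) for v in obj]
    return obj


def redact_line(line):
    m = HEADER_RE.match(line)
    if m:
        line = redact_header(m.group(1), m.group(2))
    elif line.lstrip().startswith(("{", "[")):
        try:
            line = json.dumps(redact_json_value(json.loads(line)))
        except ValueError:
            pass  # not a complete JSON document on one line; fall through to scrubbing
    # Pattern scrubbing runs on every line, including headers that were kept
    # (e.g. a Referer carrying an email in its query string) and non-JSON bodies.
    line = EMAIL_RE.sub("[REDACTED-EMAIL]", line)
    line = PHONE_RE.sub("[REDACTED-PHONE]", line)
    line = BEARER_RE.sub("Bearer [REDACTED]", line)
    return line


def redact_capture(capture):
    return "\n".join(redact_line(ln) for ln in capture.splitlines())


def find_unredacted(text):
    """Final self-check before sending: anything still matching a secret or PHI pattern."""
    hits = []
    for pattern in (EMAIL_RE, PHONE_RE, BEARER_RE):
        hits.extend(pattern.findall(text))
    return hits


if __name__ == "__main__":
    cleaned = redact_capture(SAMPLE_CAPTURE)
    print(cleaned)
    print("leftover:", find_unredacted(cleaned))
```

Run the self-check on the redacted text rather than trusting the key list: a value that slipped through under an unexpected key (a free-text "comment" field holding a phone number, for instance) is exactly what the pattern pass and `find_unredacted` are there to catch. If anything is still flagged, fix it by hand before the capture leaves your machine.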
In-Scope Systems
This program applies to security vulnerabilities in systems owned or operated by TeleRare Health, including production web applications and APIs hosted under:
- telerare.com
- telerarehealth.com
If you’re unsure whether something is in scope, email us and ask first.

Out of Scope (Not Eligible)
We’re happy to receive reports about anything, but we generally won’t award bounties for:
- Denial of Service (DoS/DDoS) or any activity that disrupts availability
- Social engineering (phishing, vishing, smishing), physical attacks, or threats/extortion
- Automated scanning that causes disruption, excessive traffic, or impacts other users
- Issues in third-party services we don’t control (e.g., upstream vendors), unless you can demonstrate a direct, exploitable impact on our systems
- Non-security bugs (UI issues, feature requests, performance improvements without a security impact)
- Best-practice findings without a clear exploit path (e.g., missing headers) unless they materially increase risk
- Reports that are not reproducible, lack sufficient detail, or do not demonstrate a real security impact
- Vulnerabilities requiring physical device access (unless relevant and clearly in scope)

Rules of Engagement (Good-Faith Testing)
We welcome responsible research. To stay within program rules, please:
- Test only against in-scope assets
- Use your own accounts (or test accounts) and avoid accessing data that isn’t yours
- Make a good-faith effort to avoid privacy violations, data destruction, or service disruption
- Do not modify or delete data, exfiltrate data, or attempt persistence
- Stop testing and report immediately if you believe you may have accessed sensitive information
- Give us a reasonable opportunity to investigate and remediate before any public disclosure

Safe Harbor
If you follow this policy and act in good faith, we consider your research authorized under this program, and we will not pursue legal action for accidental, good-faith violations of this policy (for example, inadvertently viewing a small amount of data while demonstrating an issue), provided you:
- Stop promptly,
- Report promptly, and
- Do not share, store, or misuse any data.
This safe harbor does not apply to actions that are malicious, disruptive, extortive, or outside the scope and rules described above.

Bug Bounty Rewards
We offer a small reward for the first valid, reproducible report of an in-scope vulnerability that we confirm.
Reward amounts (USD):
- Critical: $100
- High: $50
- Medium: $30
- Low / Informational: Thank you (no bounty, but we still appreciate the report)
Severity is determined by TeleRare Health at our discretion, based on impact and exploitability (we may reference common standards such as CVSS).
Notes:
- Bounties are generally paid after we confirm the issue and may be paid after remediation/verification.
- Only the first reporter of a unique issue is eligible for a bounty.
- Duplicate reports, previously known issues, or issues already under remediation are not eligible.
- We reserve the right to decline a bounty if a report violates this policy or applicable laws.

What Happens After You Report
We aim to respond quickly, but we’re a small team.
Typical process:
- Acknowledgement of receipt
- Triage (confirming reproducibility and scope)
- Severity assessment
- Remediation planning and fix
- Verification and closure
- Bounty decision/payment (if eligible)
We may request additional details or ask you to re-test a fix.

Disclosure
Please keep vulnerability details confidential until we confirm remediation (or until we agree in writing on a disclosure timeline). Public disclosure without coordination may make a report ineligible for a bounty.

Contact
Security reporting email: security@telerarehealth.com
If you want to share sensitive technical details securely, we can provide an encryption key upon request.

Optional: “Copy/Paste” Report Template (for researchers)
Subject: Security Vulnerability Report – [short title]
Affected asset: [URL/app/API/environment]
Summary: [one paragraph]
Steps to reproduce:
- …
- …
Impact: [what could happen]
Proof / evidence: [screenshots/requests, redacted]
Suggested fix (optional): …
Your name/handle: …
Preferred contact: …