Security & Vulnerability Disclosure
How to report a security vulnerability to MetricHealth, and our commitment to researchers
Metric Health takes the security and privacy of patient data seriously. If you believe you've found a security vulnerability in one of our products or services, we want to hear from you and we'll work with you to resolve it quickly.
How to report
Email security@mymetrichealth.com with:
- The affected product, URL, or asset
- Steps to reproduce the issue
- A description of the potential impact
- Any supporting proof-of-concept (screenshots, requests, or a short script)
Please do not publicly disclose a vulnerability before we've had a chance to investigate and remediate it.
Our commitment to you (safe harbor)
If you make a good-faith effort to comply with this policy during your research, we will consider your activity authorized. We will not pursue or support legal action against you for accessing our systems in the course of that research, and we'll work with you to understand and resolve the issue promptly.
This protection does not apply to activity that falls outside the scope below, or that intentionally accesses, retains, or exfiltrates patient data beyond the minimum needed to demonstrate a vulnerability.
What's in scope
- Our clinician and clinic web application and API at metrichealth.app
- Our patient mobile apps (iOS and Android)
- Our public marketing and help sites (mymetrichealth.com, help.mymetrichealth.com)
What's out of scope
- Third-party services and vendors we rely on — please report those directly to the respective provider
- Non-production, staging, and test environments
- Social engineering, phishing, or physical attacks against our staff, customers, or offices
- Denial-of-service (DoS/DDoS) and other volumetric or resource-exhaustion testing
- Any activity that accesses, modifies, or exfiltrates real patient or customer data beyond the minimum proof needed, or automated scanning that degrades our service
What to expect
| Stage | Our target |
|---|---|
| Acknowledge your report | Within 2 business days |
| Initial triage and severity assessment | Within 5 business days |
| Fix — critical severity | 30 days |
| Fix — high severity | 60 days |
| Fix — medium severity | 90 days |
| Fix — low severity | Best-effort |
| Coordinated public disclosure | By mutual agreement, after a fix is deployed |
We assess severity using CVSS and our internal risk model. Findings that could affect patient health information also trigger our incident-response and breach-assessment process.
Recognition
With your consent, we're happy to credit valid, first-time reports in a security acknowledgements list. We don't currently offer monetary rewards, though we may introduce a paid bug-bounty program in the future.
Last updated: 2026-07-03.