Security & Vulnerability Disclosure

How to report a security vulnerability to MetricHealth, and our commitment to researchers

Metric Health takes the security and privacy of patient data seriously. If you believe you've found a security vulnerability in one of our products or services, we want to hear from you and we'll work with you to resolve it quickly.

How to report

Email security@mymetrichealth.com with:

  • The affected product, URL, or asset
  • Steps to reproduce the issue
  • A description of the potential impact
  • Any supporting proof-of-concept (screenshots, requests, or a short script)

Please do not publicly disclose a vulnerability before we've had a chance to investigate and remediate it.

Our commitment to you (safe harbor)

If you make a good-faith effort to comply with this policy during your research, we will consider your activity authorized. We will not pursue or support legal action against you for accessing our systems in the course of that research, and we'll work with you to understand and resolve the issue promptly.

This protection does not apply to activity that falls outside the scope below, or that intentionally accesses, retains, or exfiltrates patient data beyond the minimum needed to demonstrate a vulnerability.

What's in scope

  • Our clinician and clinic web application and API at metrichealth.app
  • Our patient mobile apps (iOS and Android)
  • Our public marketing and help sites (mymetrichealth.com, help.mymetrichealth.com)

What's out of scope

  • Third-party services and vendors we rely on — please report those directly to the respective provider
  • Non-production, staging, and test environments
  • Social engineering, phishing, or physical attacks against our staff, customers, or offices
  • Denial-of-service (DoS/DDoS) and other volumetric or resource-exhaustion testing
  • Any activity that accesses, modifies, or exfiltrates real patient or customer data beyond the minimum proof needed, or automated scanning that degrades our service

What to expect

Stage                                    Our target
Acknowledge your report                  Within 2 business days
Initial triage and severity assessment   Within 5 business days
Fix — critical / high severity           30 / 60 days
Fix — medium / low severity              90 days / best-effort
Coordinated public disclosure            By mutual agreement, after a fix is deployed

We assess severity using CVSS and our internal risk model. Findings that could affect patient health information also trigger our incident-response and breach-assessment process.

Recognition

With your consent, we're happy to credit valid, first-time reports in a security acknowledgements list. We don't currently offer monetary rewards, though we may introduce a paid bug-bounty program in the future.

Last updated: 2026-07-03.