Responsible disclosure
Scribeable handles protected health information for clinicians and their patients. We treat security research as a partnership: report a vulnerability in good faith and we will respond quickly, fix the issue, and credit you publicly if you want.
Reporting a vulnerability
Email findings to [email protected]. We acknowledge every report within three business days. If your finding is high-severity or actively exploitable, mark the subject line URGENT and we'll triage out-of-hours.
For encrypted reports, request our PGP public key by email and we'll send it back same-day. Sensitive details (PII, exploit chains) should be encrypted; metadata-only reports can go in the clear.
Safe harbor
We will not pursue civil action or initiate a complaint to law enforcement against researchers who, in good faith, comply with this policy. If your research follows the rules below, we consider it authorized testing for the purposes of the Computer Fraud and Abuse Act and similar statutes.
We cannot waive third-party rights. If your research touches a Scribeable subprocessor or a customer's data, you remain subject to that party's terms — please contact us first if you're unsure.
Scope
In scope
- Anything under *.scribeable.ai
- The Scribeable iOS application (App Store)
- The Scribeable browser extension (Chrome Web Store)
- Authentication and session handling
- PHI handling, encryption envelopes, and key rotation
Out of scope
- Denial-of-service or volumetric testing
- Social engineering of staff or customers
- Physical attacks against our infrastructure
- Findings against third-party subprocessors
- Customer EHR systems, networks, or data
- Reports requiring root or jailbroken devices
What to include
- Clear reproduction steps with the affected URL or endpoint
- Expected vs. actual behavior, and the impact you observed
- Screenshots, request/response snippets, or a short proof-of-concept
- Suggested mitigation, if you have one
- Your name or handle, if you'd like public credit on resolution
Please do not include real PHI in your report. If you discover a way to access PHI, stop immediately, document the access path without retrieving records, and contact us — we will work with you to confirm the issue safely.