Responsible Disclosure
Last updated: March 3, 2026
The security of our platform and the protection of patient data are fundamental to everything we do at Oasys. We welcome reports of potential vulnerabilities from security researchers acting in good faith and in compliance with this policy.
Reporting a Vulnerability
If you've discovered a security vulnerability, please send an email to security@oasys.health.
Reports may be submitted anonymously. If you share contact information, we will acknowledge receipt within 2 business days. For particularly sensitive reports, we may establish a secure communication channel upon request.
What to Include in Your Report
- A clear description of the vulnerability and its potential impact
- Step-by-step instructions to reproduce the issue
- Affected URL(s), endpoint(s), or component(s)
- Any proof-of-concept code or screenshots (redacted of any sensitive data — do not include patient data, identifiers, or PHI of any kind)
- Your suggested severity assessment (optional)
Scope
In Scope
Only the publicly accessible, unauthenticated surfaces of oasys.health and its subdomains are in scope for good-faith security research conducted in accordance with this policy. This includes static marketing pages, public API endpoints that do not require authentication, and DNS/TLS configurations for these domains.
If during your research you encounter any authentication gate, login prompt, session requirement, or access control boundary, you have reached the edge of the authorized scope. Do not attempt to bypass, circumvent, or test beyond that boundary. Stop and, if the finding is relevant (e.g., an authentication gate is missing where one should exist), report it.
This program covers only public-facing marketing and informational surfaces. Security testing of systems that process, store, or transmit patient data or ePHI is conducted exclusively by vetted third-party security firms engaged under contract and a HIPAA Business Associate Agreement (BAA), with controlled scope and environments. This disclosure program is not a substitute for, and does not replace, those engagements.
We’re Especially Interested In
- Cross-site scripting (XSS) on public pages
- Open redirect vulnerabilities
- Security header misconfigurations (missing CSP, HSTS, etc.)
- Exposed sensitive files or endpoints (.env, debug routes, stack traces)
- TLS/SSL configuration weaknesses
- CORS misconfigurations
- Subdomain takeover vulnerabilities
- Information leakage in public responses
- DNS misconfigurations
Out of Scope
Important: Oasys is a healthcare platform that processes protected health information (PHI) subject to HIPAA. Any system, endpoint, or interface that requires authentication, or that processes, stores, or transmits patient data or ePHI, is strictly out of scope. Do not attempt to access, test, or interact with these systems under any circumstances. Testing against out-of-scope systems is not authorized by this policy, is not covered by Safe Harbor, and may constitute a violation of federal law, including HIPAA.
- Any authenticated system or endpoint (requires login or session token)
- Any system that processes, stores, or transmits patient data or ePHI
- Internal APIs, administrative dashboards, or staff-facing tools
- Third-party services, infrastructure providers, and integrated platforms—even where they support Oasys systems (including but not limited to cloud providers, payment processors, e-prescribing services, and partner APIs)
- Automated scanning or fuzzing against production systems (see note below)
- Denial of service or resource exhaustion testing
- Social engineering or phishing of staff or users
- Physical security testing
- Attacks requiring physical access to devices
Non-Qualifying Issues
- Theoretical attacks without proof of concept
- Reports from automated scanners without manual validation
- Missing best practices that do not represent a concrete vulnerability
- Clickjacking on pages with no state-changing actions
- Rate limiting on non-authentication endpoints
- SPF/DKIM/DMARC configuration suggestions
- Software version disclosure (unless a known CVE applies)
Rules of Engagement
Please Do
- Report vulnerabilities promptly after discovery
- Provide sufficient detail for us to reproduce and verify the issue
- Test only against publicly accessible, unauthenticated surfaces listed in the Scope section
- Make a good-faith effort to avoid disruption to our services and our users
- Keep vulnerability details confidential until coordinated disclosure (see “What to Expect” below)
- Use exploits only to the extent necessary to confirm a vulnerability’s presence — do not use exploits to exfiltrate data, establish persistent access, or pivot to other systems
Please Do Not
- Access, download, copy, or store any patient data or PHI — if you encounter PHI, follow the protocol in the Safe Harbor section immediately
- Attempt to access other users’ accounts or data
- Publicly disclose a vulnerability before coordinated disclosure (see “What to Expect”)
- Modify or delete data that does not belong to you
- Introduce malicious software of any kind
Safe Harbor
If you conduct security research in good faith and in compliance with this policy, we will consider your research to be authorized. We will not initiate or recommend legal action against you for authorized research conducted under this policy.
Specifically, for researchers who act in good faith and in full compliance with this policy, we will not pursue civil action, and we will not refer your conduct for criminal prosecution under the Computer Fraud and Abuse Act (18 U.S.C. § 1030), the Digital Millennium Copyright Act (17 U.S.C. § 1201), or equivalent state laws. This commitment is consistent with the U.S. Department of Justice’s 2022 policy directing federal prosecutors to decline prosecution of good-faith security research under the CFAA.
Good faith includes, but is not limited to: following the Rules of Engagement, respecting the scope boundaries defined above, ceasing testing and reporting immediately upon encountering any patient data or PHI, and conducting research solely for the purpose of testing, investigation, or correction of a security flaw in a manner designed to avoid harm to individuals or the public.
This policy applies solely to legal claims under Oasys’s control and does not authorize research on third-party systems. If a third party initiates legal action for research conducted in compliance with this policy, we will make reasonable efforts to clarify that your research was authorized by Oasys. However, we cannot guarantee a third party will accept our clarification, and researchers remain responsible for ensuring testing does not extend to third-party systems.
Research not conducted in good faith is not covered by this Safe Harbor. Examples of conduct that is not good-faith research include: research conducted for the purpose of extortion, ransom, or payment demands; intentional access to or exfiltration of patient data; deliberate disruption of services; and research intended to cause harm to individuals, patients, or the public.
If You Encounter Patient Data
Critical — HIPAA-Protected Information: Oasys processes electronic protected health information (ePHI) subject to the Health Insurance Portability and Accountability Act (HIPAA). Any unauthorized access to, acquisition of, or disclosure of PHI is a potential HIPAA incident regardless of intent. The following protocol is designed to protect patients, protect you as a researcher, and provide Oasys with the information necessary to conduct its required HIPAA risk assessment.
If you inadvertently encounter any patient data, protected health information (PHI), or personally identifiable information (PII) during your research, you must:
- Stop all testing immediately
- Do not save, copy, screenshot, log, transmit, or share the data in any form
- Report the encounter to security@oasys.health immediately — describe only the general location and nature of the potential exposure (e.g., "endpoint X returned what appeared to be patient records"); do not include any patient data, identifiers, or screenshots containing patient information in your report
- Delete any local copies, logs, browser history, cached responses, or artifacts that may contain the data
- Provide a written attestation (email is sufficient) confirming that all copies of the data have been destroyed and that the data was not shared with, transmitted to, or accessed by any third party
Our security team will respond promptly and may establish a secure communication channel for follow-up discussion. We will work with you to understand the scope of the encounter and confirm data deletion. Oasys will use the information gathered through this protocol as part of its formal HIPAA four-factor risk assessment and will make all breach and notification decisions in accordance with applicable law — adherence to this protocol alone does not predetermine the outcome of that assessment.
Good-faith accidental exposure that is immediately reported through this process, where you follow every step of this protocol, will not disqualify your report and will not result in legal action by Oasys. We designed this protocol to support HIPAA’s mitigation requirements and help minimize risk to patients and protect their information. Whether a particular incident requires breach notification will be determined based on a formal HIPAA risk assessment.
Report Handling & Confidentiality
Vulnerability reports are treated as confidential and are accessible only to personnel directly involved in triage and remediation. We will not share your identity or contact information without your explicit consent.
Legal compulsion: In the event that Oasys is legally compelled by a court order, regulatory investigation (including by the HHS Office for Civil Rights), or law enforcement subpoena to disclose information about a report or the identity of a researcher, we will provide you with advance notice of such compulsion to the extent permitted by law, so that you may seek legal remedies if you choose to do so.
Reports are retained in accordance with our information security and HIPAA compliance policies and applicable legal requirements.
What to Expect
We will acknowledge receipt of valid reports within 2 business days and work to remediate confirmed vulnerabilities in a timely manner, prioritized by severity. We will keep you informed of progress where feasible and notify you when the reported issue has been remediated.
Coordinated Disclosure
We ask that you do not publicly disclose details of any vulnerability until we have confirmed remediation and coordinated with you on the scope and timing of disclosure. We aim to complete remediation within 90 calendar days of acknowledging your report.
If remediation is not complete within 90 calendar days and we have not agreed in writing on an extended timeline with a specific target date, you may disclose the existence and general nature of the vulnerability, provided that you: (a) do not disclose technical details sufficient to enable exploitation, (b) do not disclose any patient data or PHI encountered during research, and (c) provide us with at least 14 calendar days written notice before disclosure. We will work with you in good faith to reach agreement and aim to avoid this scenario.
We reserve the right to request that certain technical details remain confidential where disclosure could compromise patient safety, expose sensitive system architecture, or create immediate risk of exploitation. We will explain the specific basis for any such request.
Researchers who publicly disclose vulnerability details without following the coordinated disclosure process above will forfeit eligibility for acknowledgment and Safe Harbor protections for that report.
Recognition
We value the contributions of security researchers who help protect our platform and our users. Researchers who submit valid reports in compliance with this policy may be acknowledged publicly at their request.
While not all reports will qualify for financial compensation, we offer rewards based on the severity and impact of the vulnerability. Eligibility is determined at our discretion.
Limitations
This policy does not create any legal obligation on Oasys beyond the specific commitments stated herein. Nothing in this policy constitutes a waiver of any legal rights or remedies, except as expressly stated in the Safe Harbor section. This policy does not create a duty to disclose any particular vulnerability to the public, nor does it create any employer-employee, contractor, or agency relationship between Oasys and any researcher.
Oasys reserves the right to modify this policy at any time. Changes will be reflected in the "Last updated" date at the top of this page. Continued submission of reports after a change constitutes acceptance of the updated policy. The version of this policy in effect at the time a report is submitted governs that report.
This policy is based on disclose.io, RFC 9116, ISO/IEC 29147, CISA VDP guidance, and the DOJ Framework for Vulnerability Disclosure Programs.