Vulnerability Disclosure Policy
This Vulnerability Disclosure Policy outlines the processes for reporting vulnerabilities, including those that may affect our sensitive data and intellectual property.
About the Policy
At PathAI, the security and confidentiality of our data and intellectual property are of paramount importance. We are responsible for safeguarding not only Protected Health Information (PHI) and Personally Identifiable Information (PII), but also our proprietary technologies, including machine learning models and other intellectual property (IP). To maintain high standards of security and compliance, we welcome responsible vulnerability disclosures from security researchers, partners, and the general public.
PathAI believes effective disclosure of security vulnerabilities requires mutual trust, respect, transparency and common good between PathAI and Security Researchers. Together, our vigilant expertise promotes the continued security and privacy of PathAI customers, products, and services.
This policy applies to all systems, technologies, and intellectual property owned, operated, or maintained by PathAI.
PathAI accepts vulnerability reports from all sources such as independent security researchers, industry partners, vendors, customers, and consultants. PathAI defines a security vulnerability as an unintended weakness or exposure that could be used to compromise the integrity, availability, or confidentiality of our products and services.
- We will respond to vulnerability reports promptly.
- We will not take legal action against those who report vulnerabilities in good faith and in accordance with this policy.
- We will work with researchers to validate, address, and remediate vulnerabilities in a timely manner.
- We will protect the confidentiality of sensitive data (PHI, PII) and intellectual property during the reporting and remediation process.
- We will acknowledge the efforts of researchers, subject to legal and policy constraints.
Guidelines for Responsible Disclosure
- Do not access, modify, or exfiltrate any PHI, PII, or proprietary information (such as machine learning models or training data).
- Do not publicly disclose the vulnerability before PathAI has had sufficient time to mitigate the issue.
- Do not use vulnerability discovery methods that disrupt or degrade our services (e.g., Denial of Service or brute-force attacks).
- Do make every effort to avoid violating the privacy of our customers or the confidentiality of our intellectual property during your testing.
- Do focus on demonstrating the vulnerability’s existence through the minimal proof of concept (PoC) necessary to identify the issue, without attempting to access or extract any sensitive data.
- Do include sufficient details in your report, such as the vulnerability description, potential impact, steps to reproduce, and any evidence that may assist in validation.
Exclusions
The following activities are explicitly prohibited under this policy:
- Accessing or attempting to exfiltrate data: Do not access or retrieve PHI, PII, or proprietary data during testing.
- Attacks that exploit intellectual property: Including reverse-engineering, extracting, or tampering with machine learning models or datasets.
- Social engineering attacks: Targeting our employees, contractors, or partners (e.g., phishing, pretexting).
- Denial of Service (DoS): Actions that degrade, disrupt, or inhibit our services.
- Unauthorized access to or modification of PHI, PII, or IP: Including unauthorized access to training datasets, machine learning models, or proprietary algorithms.
Legal Compliance
This policy does not authorize activities that violate applicable laws or regulations, including but not limited to:
- Health Insurance Portability and Accountability Act (HIPAA): For systems involving PHI.
- General Data Protection Regulation (GDPR): For systems involving PII.
- Intellectual Property Law: Including the unauthorized use or disclosure of proprietary technologies such as machine learning models.
Reporting a Vulnerability
PathAI recommends that security researchers share the details of any suspected vulnerabilities across any asset owned, controlled, or operated by PathAI (or that would reasonably impact the security of PathAI and our users) using the web form below. The PathAI Security team will acknowledge receipt of each vulnerability report, conduct a thorough investigation, and then take appropriate action for resolution.