HealNote — Responsible Security Disclosure Policy

Last updated: April 2026

Our Commitment

HealNote operates a healthcare platform that processes sensitive patient medical records, consultation histories, prescriptions, and personal identification data for clinics and patients across Egypt. The security of this data is not a product feature — it is a legal and ethical obligation.

We welcome security researchers who act in good faith to identify and responsibly report vulnerabilities. This policy defines how to work with us when you discover a potential security issue.

What's In Scope

We want to hear about vulnerabilities affecting:

  • The HealNote patient mobile app (iOS and Android)
  • Authentication and session management
  • Patient data access controls and authorization
  • AI pipeline endpoints (intake form processing, consultation summaries, medical image analysis)
  • Infrastructure misconfigurations that could expose patient data

What's Out of Scope

The following are explicitly excluded:

  • Social engineering, phishing, or any attacks targeting HealNote employees or users
  • Denial of service attacks or any testing that degrades service for real patients or clinics
  • Physical security of offices or hardware
  • Rate limiting on public endpoints without a working proof of concept demonstrating real impact
  • Vulnerabilities in third-party services we use (Supabase, AWS, HuggingFace, Anthropic) — report those directly to the respective vendors
  • AI model behavior, prompt responses, or model outputs — these are not security vulnerabilities under this policy
  • Clickjacking on pages with no sensitive actions
  • Missing security headers without a demonstrated exploit path
  • SSL/TLS configuration issues without a working proof of concept

Special Rules for Patient Data

HealNote processes protected health information (PHI) governed by Egyptian Law 151/2020 on Personal Data Protection.

If your research leads you to access, view, or retrieve any patient data — including names, diagnoses, prescriptions, national IDs, consultation records, or any other personal health information — you must:

  • Stop immediately upon realizing what you have accessed
  • Not download, copy, retain, or transmit any patient data under any circumstances
  • Report the access as part of your vulnerability disclosure, including exactly what data was accessed, how, and when
  • Delete any inadvertently collected data from all systems and confirm deletion in your report

Failure to follow these rules removes safe harbor protections regardless of whether the underlying vulnerability was reported in good faith.

How to Submit a Report

Email: security@healnote.io

Your report should include:

  • Type and severity of the vulnerability
  • The specific endpoint, page, or component affected
  • Step-by-step reproduction instructions
  • Proof of concept (screenshots, screen recordings, request/response logs)
  • What data you were able to access, if any
  • Your recommended fix, if you have one

Please submit one vulnerability per report. If you discover multiple issues, send separate emails.

What to Expect From Us

  • We will acknowledge your report within 3 business days of receiving it
  • We will validate the vulnerability and confirm whether it is accepted or rejected within 10 business days
  • We will notify you when the vulnerability has been fixed
  • We will credit you in any public disclosure, with your permission
  • We will not take legal action against researchers acting in good faith under this policy

What We Ask From You

  • Do not access, retain, or share patient data under any circumstances
  • Do not disrupt service for real patients or clinic users — test only against your own test accounts
  • Do not publicly disclose the vulnerability until we have confirmed it is fixed, or until 90 days have passed from your initial report, whichever comes first
  • Do not use the vulnerability for any purpose beyond demonstrating that it exists
  • Comply with all applicable laws, including Egyptian Law 151/2020

Regarding AI Features

HealNote uses AI models for clinical decision support. If you discover that our AI pipeline can be manipulated to produce harmful medical outputs, generate incorrect diagnoses, or be prompted to bypass safety controls, please report these to safety@healnote.io separately from infrastructure vulnerabilities. Include enough detail to reproduce the behavior.

These are treated as safety issues, not security vulnerabilities, and follow a separate review process.

Bug Bounty

HealNote does not currently operate a paid bug bounty program. We cannot offer financial rewards at this stage. We will publicly credit researchers with their permission and provide a letter of acknowledgment on request, which some researchers use for professional portfolios.

Safe Harbor

If you act in good faith under this policy, we will not pursue legal action against you for your research. Safe harbor applies only when: you did not access or retain patient data beyond what was minimally required to demonstrate the vulnerability, you reported the issue promptly, and you did not disclose the vulnerability publicly before we confirmed remediation.

Changes to This Policy

We may update this policy at any time. Changes take effect from the date of publication. Vulnerabilities reported before a policy change remain subject to the policy in effect at the time of submission.

Questions?

Contact security@healnote.io before beginning any research if you are unsure whether your approach is covered by this policy.