Skip to content
Medonix

Trust Center · Vulnerability Disclosure

Responsible Disclosure Policy.

Medonix runs a coordinated vulnerability disclosure program. Security researchers acting in good faith may test in-scope assets, report findings, and operate under safe-harbor terms. We respond within two business days and remediate confirmed vulnerabilities promptly.

Effective: January 1, 2026

Questions? hello@medonix.io

1. How to report a vulnerability

Email security@medonix.io with the following:

  • A clear description of the vulnerability and its potential impact.
  • Steps to reproduce, with proof-of-concept code or screenshots where helpful.
  • The affected URL, endpoint, or application.
  • Your name (or pseudonym if preferred) and a way to contact you for follow-up.

Please encrypt your report using our PGP public key (available from the same email address on request). We acknowledge receipt within two business days.

2. Scope

In scope:

  • https://medonix.io and all subdomains under medonix.io
  • The Medonix customer dashboard and AI Suite (app.medonix.io and equivalents)
  • Public APIs documented at /platform/integrations/
  • Mobile applications (iOS and Android) published under the Medonix developer account

Out of scope:

  • Third-party services (e.g., Cloudflare, AWS, vendor-managed components). Please report to those vendors directly.
  • Customer-specific deployments operated outside the Medonix domain.
  • Social-engineering attacks against Medonix personnel or customers.
  • Physical attacks against Medonix facilities or personnel.
  • Denial-of-service testing. Please do not run automated load against production.
  • Findings that require physical access to a victim's device.

3. Safe harbor

Medonix will not pursue civil action or initiate a complaint to law enforcement for accidental, good-faith security research that complies with this policy. Specifically, we authorize you to:

  • Test only against in-scope assets, using test accounts you have created.
  • Avoid privacy violations, destruction of data, and disruption of services.
  • Use only the minimum data necessary to demonstrate the vulnerability.
  • Stop testing and report immediately if you encounter PHI or any sensitive customer data.
  • Report findings to us before publicly disclosing.

Activities outside this policy may be considered unauthorized access under the Computer Fraud and Abuse Act (CFAA) or analogous state and international laws.

4. Our commitments

  • Acknowledge receipt of your report within two business days.
  • Provide an initial severity assessment and triage status within five business days.
  • Keep you informed of remediation progress.
  • Credit you (with your consent) in our acknowledgements once the issue is remediated.
  • Not pursue legal action for good-faith research that complies with this policy.

5. Recognition and rewards

Medonix maintains a security acknowledgements page recognizing researchers who have made meaningful contributions to our security posture. We do not currently operate a paid bounty program, but rewards for high-impact reports are evaluated case-by-case and have ranged from recognition to product credit to monetary awards depending on severity, impact, and report quality.