Rhapsody supports the responsible disclosure of security vulnerabilities, as it is one of our top priorities to protect the privacy of our customer and patient data.
We ask that if external parties find any sensitive information, potential vulnerabilities and/or weaknesses that they please help by disclosing it to us in a responsible manner.
We request that parties do not engage in any of the following:
We may ask parties to destroy any information they hold that does not belong to them, after we have confirmed the vulnerability. This includes Protected Health Information (PHI) or Personally Identifiable Information (PII), and any other information we deem a threat to the security of our customers.
Since we deal with PHI and PII we require that any such information is transmitted and/or stored securely. We request that details of any PHI/PII or the disclosed vulnerability not be disclosed to any third parties or to the public to the extent legally possible.
We do not currently have a paid bug bounty program.
Reports submitted to Rhapsody in good faith, and pursuant to this process, will result in Rhapsody's commitment to the following: