Twin Health Responsible Disclosure Policy
Last Updated: December 2025
Our Commitment:
Twin Health recognizes the important role security researchers play in promoting secure design practices and mitigating security risk within the medical industry and the wider healthcare ecosystem. We value the work done by security researchers and encourage proactive engagement with us on discovered vulnerabilities, disclosed in a coordinated and responsible manner. This document sets out both our expectations of researchers conducting security research on Twin Health's systems and what those researchers can expect from us.
Twin welcomes feedback from security researchers and the public to help improve our security. If you believe you have discovered a vulnerability, privacy issue, exposed data, or other security issues in any of our company's assets, we want to hear from you. This policy outlines steps for reporting vulnerabilities to us, what we expect, and what you can expect from us.
Guidelines:
You are expected to engage in security research responsibly. For example, if you discover a publicly exposed password or key, you should not use the key to test the extent of access it grants or attempt to download or exfiltrate data in order to prove it is an active key. Similarly, if you discover a successful SQL injection, the expectation is that you will not exploit the vulnerability beyond the steps needed to demonstrate your proof-of-concept.
If you wish to take part in Twin Health’s Vulnerability Disclosure Program, you are expected to follow these guidelines:
- Cause no harm. Exfiltrating or downloading Twin Health data, disclosing confidential information, and disrupting our business are all outside the scope of this program and outside any protection from legal recourse that it affords.
- Requesting any form of payment in return for the destruction of Twin Health data in your possession will result in you being viewed and treated as a threat rather than as a participant in this program.
Twin Health supports good-faith security research. If you follow these guidelines, we will not take legal action against you or request law enforcement involvement.
How To Report:
If you believe you’ve found a security or privacy issue that could affect Twin Health, report it to us at responsibledisclosure@twinhealth.com.
1- Include enough detail for our team to understand and reproduce the issue, including:
- A description of the vulnerability.
- Proof-of-concept code, where applicable.
- Step-by-step instructions to reproduce the issue.
- Suggested mitigation or remediation actions as appropriate.
- Your goals for the disclosure, including any intention to publish the finding.
2- Twin Health will:
- Respond to your report promptly, and work with you to understand and validate your report.
- Strive to keep you informed about the progress of a vulnerability as it is processed.
- Work to remediate discovered vulnerabilities in a timely manner, within our operational constraints.
Recognition and Rewards:
Twin may offer public recognition or a monetary reward for valid, high-impact findings that help improve our security. Reward amounts depend on the severity, impact, and quality of your report.
In Scope:
Reports about the following are generally eligible for review:
- Twin Health web applications, mobile applications, and infrastructure.
- Systems and APIs under *.twinhealth.com
- Authentication, authorization, or data protection flaws
Out of Scope:
We do not accept reports related to:
- Third-party platforms or vendors
- Social engineering or phishing
- Denial-of-service or spam testing
- UI/UX or content-only issues
- Testing on demo or non-production systems
Thank you. We appreciate the time and effort you put into researching and responsibly disclosing your findings.