Vulnerability Disclosure Policy

Effective date: May 26, 2026

Working Draft — Not Yet Counsel-Reviewed

This vulnerability disclosure policy is a working draft and has not yet been reviewed by counsel. The legal commitments below (including safe harbor) are intended in good faith but should not be relied upon as legally binding until ratified by attorney review. The final version will be published before any pilot launch.

1. Introduction

RevHive Health LLC ("RevHive," "we," "us," or "our") operates a software platform that helps independent outpatient physical therapy clinics recover outstanding patient balances through compliant, automated email and SMS outreach. As part of providing that service, we handle Protected Health Information (PHI) on behalf of clinics under Business Associate Agreements executed pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

RevHive welcomes good-faith security research and is committed to responsibly addressing vulnerabilities reported by independent researchers. This policy describes how to report vulnerabilities, what is in and out of scope, what activities are prohibited, and the safe-harbor commitments we extend to researchers who follow the rules set out below.

2. Scope

The following systems and services are in scope for this policy:

  • The revhivehealth.com domain and any subdomains operated by RevHive.
  • Patient-facing payment links served from the revhivehealth.com domain (used to view and settle outstanding balances). The full patient payment portal is still in development.
  • The authenticated clinic dashboard, including all user-facing features and administrative tooling exposed to clinic users.
  • Public APIs published by RevHive for use by clinic customers or their authorized integration partners.

The following are out of scope and should not be tested under this policy:

  • Third-party services that RevHive relies on, including but not limited to Amazon Web Services (AWS), Neon, Vercel, and Cloudflare. Vulnerabilities in those services should be reported to the respective vendor through that vendor's published disclosure program.
  • Self-hosted automation infrastructure (including any self-hosted n8n instance) operated by RevHive on its own network for internal workflows; testing this infrastructure is out of scope for the public program.
  • Any system, network, or device that is not owned or operated by RevHive Health LLC.

3. Reporting Channel

Vulnerability reports should be sent to security@revhivehealth.com. To help us validate and remediate the issue as quickly as possible, please include the following in your report:

  • A clear description of the vulnerability, including the affected URL, endpoint, or component.
  • Step-by-step instructions to reproduce the issue, including any requests, payloads, or proof-of-concept code.
  • Your assessment of the potential impact, including the type of data or functionality that could be exposed or affected.
  • Your name and contact information so that we can follow up. You may also indicate how you would like to be credited (see Section 4).
  • Optionally, a PGP public key if you would prefer to exchange encrypted communications during the disclosure process.

We will acknowledge every valid report within five (5) business days of receiving it and will provide a written status update at least every fourteen (14) days until the vulnerability is resolved or the report is closed.

4. Responsible Disclosure

We ask that researchers refrain from publicly disclosing the details of a vulnerability for at least ninety (90) days from the date of the initial report, or until the vulnerability has been patched and we have confirmed the fix in writing, whichever is earlier. We will work with the reporter in good faith to coordinate the timing of any public disclosure, including extensions where remediation requires additional time and earlier disclosure where the issue is already known to be under active exploitation.

Where the reporter wishes to be credited, RevHive will publicly acknowledge the researcher's contribution once the vulnerability has been remediated. Credit is offered with the researcher's permission; researchers who prefer to remain anonymous may request that no credit be given.

5. PHI Handling Requirements

Because RevHive handles Protected Health Information on behalf of clinic customers, special handling rules apply to any testing activity that could touch real patient data. These rules are not optional.

  • Researchers must not use real patient data, real patient names, real patient phone numbers, real patient email addresses, or any real medical, billing, or insurance information at any stage of testing.
  • Use synthetic data, your own test accounts, or data you have personally generated for the purpose of the test. Where a vulnerability cannot reasonably be demonstrated without touching production data, contact us at security@revhivehealth.com first to coordinate access to a sandbox environment or a supervised test plan.
  • Accessing, modifying, downloading, copying, exfiltrating, or storing actual PHI is grounds for immediate termination of safe harbor under this policy and may result in civil and/or criminal action under HIPAA, federal and state computer-misuse statutes, and applicable common law.
  • If you accidentally encounter real PHI during testing, stop immediately, do not view or download further data, do not share what you have seen with any third party, and notify us at the address above so that we can confirm the scope of the exposure and provide instructions for secure destruction of any incidentally captured material.

6. Prohibited Activities

The following activities are not authorized by this policy and fall outside the scope of safe harbor:

  • Denial-of-service testing, stress testing, or any form of load testing intended to degrade availability of the Service for other users.
  • Social engineering of RevHive staff, contractors, clinic users, patients, or any third party, including phishing, pretexting, vishing, smishing, or in-person impersonation.
  • Attempts to gain physical access to RevHive offices, facilities, employee devices, or any equipment associated with the Service.
  • Automated scanning or brute-force testing that generates significant traffic volumes without prior written coordination with the security team. Lightly rate-limited manual or semi-automated testing is acceptable; high-volume scanning is not.
  • Testing against third-party services listed as out of scope in Section 2.
  • Accessing data belonging to other clinics, other clinic users, or other patients beyond the minimum demonstration required to prove the existence of the vulnerability. If a single cross-tenant read demonstrates the issue, do not iterate.
  • Any conduct that would violate applicable law, regulation, or third-party rights independent of this policy, including interception of communications you are not party to and unauthorized access to a computer system.

7. Safe Harbor

Researchers who act in good faith and within the limits of this policy will not be subject to legal action by RevHive Health LLC under the Computer Fraud and Abuse Act (CFAA), the Digital Millennium Copyright Act (DMCA), or analogous state computer-misuse statutes. We will not pursue civil action against, and will not notify law enforcement of, accidental policy violations that are promptly reported to us and remediated in cooperation with our security team.

Safe harbor under this policy does not extend to:

  • Violations of the PHI Handling Requirements set out in Section 5, including any access to, modification of, download of, or storage of actual Protected Health Information.
  • Violations of the Prohibited Activities set out in Section 6.
  • Any access to PHI beyond the minimum reasonably required to demonstrate the vulnerability to RevHive.

Until this policy has been ratified by counsel, researchers seeking firm safe-harbor commitments should contact security@revhivehealth.com to confirm the terms applicable to their specific testing activities before proceeding.

8. Out-of-Scope Findings

The following classes of findings are common low-impact reports that we will not credit or further investigate absent a concrete, demonstrated exploit. Reporters are welcome to submit them, but should expect that we will close the report without further action:

  • Missing security headers (e.g., Content-Security-Policy, X-Frame-Options, Strict-Transport-Security) without a demonstrated exploit.
  • SPF, DKIM, or DMARC misconfiguration on subdomains that do not send email.
  • Absence of rate limiting on unauthenticated endpoints that do not expose sensitive data or expensive operations.
  • Vulnerabilities in third-party libraries that we do not directly use, or that are not reachable from any code path exposed to users.
  • Descriptive error messages that do not reveal sensitive information or facilitate further exploitation.
  • Clickjacking on pages that do not host sensitive actions or authenticated state-changing operations.
  • Self-XSS, including reports that require the victim to paste attacker-supplied content into their own browser console or address bar.
  • Missing CAPTCHA on forms that do not handle authentication or sensitive submissions.
  • Tabnabbing or reverse-tabnabbing on links that do not lead to authenticated or sensitive destinations.

9. Contact

Vulnerability reports and security-related inquiries should be sent to security@revhivehealth.com.

For non-security inquiries, please see our Privacy Policy or Terms of Service.


Last updated: May 26, 2026 • Contact: security@revhivehealth.com