Coordinated Vulnerability Disclosure Policy

Welcome to Freenome’s Coordinated Vulnerability Disclosure Page

At Freenome, we consider the security of our systems a top priority. No matter how much effort we put into system security, there can still be vulnerabilities present. If you have discovered a security vulnerability, we appreciate your help in disclosing it to us in a responsible manner.

Reporting a Vulnerability

We encourage the responsible disclosure of any vulnerabilities and welcome reports from security researchers, industry partners, and academia. Only our diagnostics software is in scope for reports under this policy. For issues with our public website, please email website-inbox@freenome.com. To report a security vulnerability, please follow the guidelines below.

How to Report

  • Contact: Please send your findings to productsecurity@freenome.com. Because reports contain sensitive information, please contact us first so that we can agree on a secure channel for sharing the details.
  • Information to include: Provide as much information as possible about the vulnerability, including:
    • Product name, URL, or affected version information
    • The type of vulnerability (e.g., buffer overflow, SQL injection, cross-site scripting, etc.)
    • A description of the vulnerability and how it can be reproduced
    • The potential impact of the vulnerability
    • Any steps, tools, code, or scripts to reproduce the vulnerability
    • Reporter’s contact information
    • Time and date of discovery

What to Expect

  • Acknowledgment: We will acknowledge receipt of your vulnerability report within 3 business days.
  • Communication: We will keep you informed of the progress towards a fix and full announcement, and we may contact you for additional information about the vulnerability.
  • Confidentiality: Please keep your findings confidential between us until a fix has been developed and deployed. We will coordinate with you to determine the best time to make the vulnerability known to the public.

Our Commitment

Upon receiving a vulnerability report, Freenome commits to the following:
  • Promptly acknowledging receipt of your report
  • Providing an estimated timeline for addressing the vulnerability
  • Notifying you when the vulnerability is fixed
  • Deploying the fix on our side: because Freenome’s diagnostics software is provided as a service, no external distribution of the software is needed

Recognition

While we do not have a formal bug bounty program, we recognize the effort and contribution of security researchers. We are happy to provide acknowledgments on our website (https://www.freenome.com/product-security) to those who responsibly disclose vulnerabilities to us, provided they do not disclose the vulnerability prior to our fix.

Legal Notice

This policy is intended to encourage the responsible disclosure of vulnerabilities and not to give permission to act in any manner that is inconsistent with the law or to conduct penetration testing on Freenome systems without explicit permission. Thank you for helping to keep Freenome and our users safe.