Coordinated Vulnerability Disclosure Policy
Welcome to Freenome’s Coordinated Vulnerability Disclosure Page
At Freenome, we consider the security of our systems a top priority. No matter how much effort we put into system security, there can still be vulnerabilities present. If you have discovered a security vulnerability, we appreciate your help in disclosing it to us in a responsible manner.
Reporting a Vulnerability
We encourage the responsible disclosure of any vulnerabilities and welcome reports from security researchers, industry partners, and academia. The scope of software that is reportable is our diagnostics software. For issues with our public website, please email website-inbox@freenome.com. To report a security vulnerability, please use the following guidelines.
How to Report
- Contact: Please send your findings to productsecurity@freenome.com. To ensure the confidentiality of this sensitive information, please reach out to us to identify a secure solution for sharing this critical information.
- Information to include: Provide as much information as possible about the vulnerability:
  - Product name, URL, or affected version information
  - The type of vulnerability (e.g., buffer overflow, SQL injection, cross-site scripting, etc.)
  - A description of the vulnerability and how it can be reproduced
  - The potential impact of the vulnerability
  - Any steps, tools, code, or scripts to reproduce the vulnerability
  - Reporter’s contact information
  - Time and date of discovery
What to Expect
- Acknowledgment: We will acknowledge receipt of your vulnerability report within 3 business days.
- Communication: We will keep you informed of the progress towards a fix and full announcement, and we may contact you for additional information about the vulnerability.
- Confidentiality: Please keep your findings confidential between us until a fix has been developed and deployed. We will coordinate with you to determine the best time to make the vulnerability known to the public.
Our Commitment
Upon receiving a vulnerability report, Freenome commits to the following:
- Promptly acknowledging receipt of your report
- Providing an estimated timeline for addressing the vulnerability
- Notifying you when the vulnerability is fixed
- As Freenome’s diagnostics software is provided as a service, no external distribution of the software is needed