Legal

Security & responsible disclosure.

Effective April 26, 2026

Trial Beacon’s privacy posture is structural: patient health information is processed in the user’s browser and never reaches our servers. We take the integrity of that boundary seriously, and we welcome the help of the security community in keeping it intact. This page tells you how to report a vulnerability and what to expect from us in return.

1. How to Report

Please email security@trialbeacon.org with a clear description of the issue, steps to reproduce, and the impact you believe it has. If the issue involves sensitive information or a working exploit, please indicate so in the subject line and we will provide a PGP key for follow-up correspondence.

We aim to acknowledge new reports within three business days and to provide a substantive response — including triage results and intended remediation timeline — within ten business days. We will keep you informed as we investigate and remediate.

2. Scope

The following are in scope:

  • The Trial Beacon production website and its subdomains;
  • The Trial Beacon application code, including its client-side matching engine and any public API endpoints;
  • Any vulnerability that could result in unauthorized access to user data, leakage of patient health information beyond the user’s browser, account or session compromise, or integrity attacks on trial data presented to users.

The following are out of scope:

  • Third-party services and infrastructure operated by others — including ClinicalTrials.gov, Epic / MyChart, our hosting provider, and any service we link to. Please report those issues to the operator of the affected service.
  • Findings from automated tooling (scanner output) without a demonstrated impact;
  • Missing low-impact security headers, lack of rate limiting on non-sensitive endpoints, descriptive error messages, and similar best-practice findings absent a concrete exploit;
  • Social-engineering, physical-access, or denial-of-service attacks against Trial Beacon, our staff, or our infrastructure;
  • Vulnerabilities requiring a rooted, jailbroken, or otherwise compromised device under the attacker’s own control.

3. Rules of Engagement

When testing, you must:

  • Only access, modify, or store data belonging to accounts or test patients you own or have explicit permission to use. Never access another person’s health information.
  • Stop testing and report immediately if you encounter any patient health information, credentials, or other sensitive third-party data. Do not download, retain, or share it.
  • Avoid degrading service for other users. Do not run automated scans at high rates, attempt denial-of-service, or cause data loss.
  • Keep the details of any vulnerability confidential until we have had a reasonable opportunity to remediate, generally 90 days from your report or such other period as we mutually agree.
  • Comply with all applicable laws, including those governing access to computer systems and the handling of personal information.

4. Safe Harbor

We will not pursue or support legal action against security researchers who, in good faith, comply with this policy. In particular, we consider activity conducted within the scope and rules above to be:

  • authorized under the Computer Fraud and Abuse Act and analogous U.S. and state laws, and we will not bring a claim against you for circumventing technological measures used to protect the in-scope assets;
  • authorized for purposes of the Digital Millennium Copyright Act and other anti-circumvention provisions; and
  • exempt from any restriction in our Terms of Service that would otherwise prohibit security testing, but only to the extent necessary to perform research consistent with this policy.

This safe harbor applies only to civil claims that Trial Beacon itself could bring, and only to activity that complies with this policy. It does not authorize action against third parties, and it does not bind regulators or law enforcement. If a third party initiates legal action against you for activity conducted under this policy, we will take reasonable steps to make clear that your activity was authorized by us.

5. Rewards

Trial Beacon does not currently operate a paid bug-bounty program. With your permission, we are happy to publicly acknowledge researchers whose reports lead to a fix.

6. Contact

Reports and questions: security@trialbeacon.org. For non-security inquiries, please use the addresses listed in our Privacy Policy and Terms of Service.

Disclaimer. This page describes our coordinated-disclosure expectations. It is not legal advice, and it does not waive any right or defense not expressly addressed above.