Vulnerability Disclosure Program
Eleos welcomes contributions from responsible security researchers (you hereafter) as part of its vulnerability disclosure program (VDP). Thus, in response to your good-faith participation in the VDP, we will:
- Not initiate legal actions against you.
- If a third party initiates legal action against you as a result of your participation in the VDP, inform such a third party of your good-faith compliance with it.
To be eligible, you must:
- Submit reports about potential vulnerabilities via email to security@eleos.health with "VDP" in the subject line.
- Describe the vulnerability, where it was discovered, and the impact to data confidentiality, integrity, or availability. This includes artificial intelligence (AI) systems where the outputs are offensive, unethical, illegal, or have otherwise adverse impacts.
- Give a detailed description of the steps needed to reproduce the vulnerability, including either a step-by-step written narrative, a video recording, or both.
- Agree to keep confidential any information (with the exception of Authorized Public Communications, described below) obtained while participating in the VDP.
To be eligible, you must NOT:
- Demand compensation or insinuate that it is owed.
- Provide (or threaten to provide) any information obtained while participating in the VDP to any third party not under any contractual or otherwise legally binding duty of confidentiality to you or your organization. The only exception to this is the Authorized Public Communications.
- Access more data than required to confirm the vulnerability.
- Modify or destroy any data encountered.
- Perform social engineering, physical penetration testing, or denial of service attacks on Eleos personnel, locations, or assets.
- Submit vulnerability reports from automated scanning tools without evidence of exploitability.
If you comply with these requirements, Eleos will:
- Work with you in good faith.
- Acknowledge receipt of your report within 72 hours.
- Advise whether Eleos has accepted the report, and, if so, when the vulnerability is resolved.
- If desired, recognize you via the Eleos web site ("Authorized Public Communications"), including the following information (if applicable):
  - Your name or handle
  - Your organization
  - General description of the vulnerability
  - Common vulnerabilities and exposures (CVE) identifier
- After the Authorized Public Communications, authorize and provide a revocable, royalty-free license for you to post exploit code for the specific vulnerability remediated in a public forum of your choice, provided that posting such code does not violate any third-party rights.
Intellectual property and other requirements
Eleos authorizes any party to reuse or adapt the text of this VDP, provided such party cites Eleos as the source and provides a hyperlink to https://vdp.eleos.health. Aside from naming Eleos as the source of the original VDP text, however, such a party may not imply Eleos endorsement or use the Eleos logo.
Participating in the VDP does not grant you, or any other third party, any additional rights to Eleos intellectual property, products, or services. All rights not otherwise granted within this policy are expressly reserved by Eleos. By submitting a vulnerability for consideration, you hereby assign to Eleos all rights, title, and interest, including all intellectual property rights, for all vulnerability reports submitted. You further represent that you have the right to assign all such rights, titles, and interests to Eleos for the submissions, and that your participation in the Eleos VDP does not violate any agreement you may have with any other third party, such as your employer.