Responsible Disclosure

We take security and evaluation integrity seriously. If you believe you've found a vulnerability in our website, API, CLI, or evaluation pipeline — or a flaw that could compromise the fairness of published results — please tell us.

How to report

• Email security@betterhealthbench.org. For sensitive reports, request our PGP key in the first message.
• Include a clear description, reproduction steps, affected endpoints or commits, and any proof-of-concept code or screenshots.
• Do not open a public GitHub issue for security matters.

What we respond to

• Authentication, authorization, and data-exposure flaws.
• Injection, SSRF, XSS, CSRF, and other standard OWASP Top 10 classes.
• Benchmark-integrity issues: dataset leakage, score manipulation, contamination, or protocol bypasses that would invalidate published results.
• PHI exposure, even if theoretical.

Out of scope

• Social-engineering attacks against our staff, vendors, or collaborators.
• Denial-of-service, rate-limit, or volumetric-traffic testing.
• Findings from automated scanners without demonstrated impact.
• Reports about third-party services we do not operate.

Our commitment (safe harbor)

If you make a good-faith effort to comply with this policy, we will:

• Acknowledge your report within 3 business days.
• Provide a triage decision and an initial timeline within 10 business days.
• Not pursue legal action for research conducted under this policy.
• Credit you publicly (with your permission) once the issue is fixed.

Rules of engagement

• Test only against your own accounts and submissions.
• Do not access, alter, or exfiltrate other users' data, and stop immediately if you encounter PHI.
• Give us a reasonable window to fix the issue before public disclosure — 90 days is our default.

Contact

security@betterhealthbench.org