Responsible Disclosure Policy

Collective Health values the important role that independent security researchers play in internet security. We encourage the responsible reporting to us of vulnerabilities found in our websites or applications. We are committed to working with independent security researchers to verify and to address reported potential vulnerabilities.

Please review the following details before you test and report a vulnerability.

Reporting a potential security vulnerability

  • Please promptly share details of the suspected vulnerability with the Collective Health Security team by emailing
  • Provide the time, date, operating system, platform and browser used, and other details sufficient to enable us to reproduce the vulnerability by using a tool similar to ReproNow. This will help us gather appropriate information and expedite a response
  • Please do not disclose the issue to the public or to any third party until Collective Health has had a reasonable opportunity to assess, confirm and resolve the vulnerability you reported.
  • Collective Health will attempt to review and respond to your report as soon as we can.

Activities that are not permitted

  • Please do not abuse any email addresses in the @collectivehealth domain. In addition, do not abuse any ‘Contact Us’ forms, especially those that will initiate an email being sent
  • Please do not test physical office access (doors, tailgating, windows).
  • Please do not engage in social engineering or phishing of Collective Health employees
  • Please do not threaten or take actions to harm Collective Health directors, officers, employees, customers, or members or engage in unprofessional conduct, such as aggressive language, extortion or harassment.
  • Please do not perform any disruptive testing such as load or performance testing including Denial of Service attacks, or take other actions that interfere with the confidentiality, integrity, availability or operation of our sites, information, or applications. If you notice performance degradation on target systems, please stop use of automated tools.
  • Please do not alter the content of Collective Health’s websites, applications, or social media accounts.
  • Please do not alter privileges or login credentials.

If a vulnerability provides unintended access to data, limit the amount of data you access to the minimum required to confirm the vulnerability and then cease testing and submit a report immediately.

Thank you for helping us keep Collective Health and our users safe!