Reporting Security Issues
RubyWell takes security seriously. If you discover a security vulnerability in our platform, please report it to us responsibly.

How to report
Choose your preferred contact method to submit your security findings.
Primary Contact
Email: techaccount@rubywell.com
Subject Line: "[Security] Vulnerability Report"
Alternative Contact:
Web Form: https://rubywell.com/security/report
What to Include in Your Report
Please provide as much information as possible to help us understand and address the issue:
Description - Clear explanation of the vulnerability
Steps to Reproduce - Detailed steps to reproduce the issue
Potential Impact - Your assessment of the severity and potential consequences
Proof of Concept - Any code or screenshots demonstrating the vulnerability
Affected Components - Which parts of the platform are affected
Your Contact Information - So we can follow up with you
What to Expect
Initial Response
We will acknowledge receipt of your report within 48 hours.
Regular Updates
Status updates will be provided at least every 7 days during the resolution process.
Recognition
Security researchers who follow our responsible disclosure policy will be credited in our Hall of Fame (if desired). We may offer rewards for significant findings (at our discretion).
Resolution Timeline
Critical: 1-7 days
High: 7-14 days
Medium: 14-30 days
Low: 30-90 days
Safe Harbor
We commit to not pursuing legal action against security researchers who:
Follow responsible disclosure practices
Act in good faith to help improve our security
Do not access, modify, or delete user data
Do not degrade service availability
Make good faith efforts to avoid privacy violations and disruptions to others
Provide us a reasonable time to fix issues before public disclosure
Scope
In Scope
Security testing is permitted on:
✅ Admin Portal: admin.rubywell.com
✅ Client Application: app.rubywell.com
✅ API Endpoints: api.rubywell.com
✅ Mobile Applications: RubyWell iOS and Android apps
Out of Scope
Please do not test:
❌ Third-party services and integrations
❌ Social engineering attacks (phishing, vishing, etc.)
❌ Physical security attacks
❌ Denial of Service (DoS/DDoS) attacks
❌ Spam or automated testing that degrades service
❌ Issues requiring physical access to RubyWell facilities
Prohibited Activities
The following activities are strictly prohibited:
Testing on production systems without explicit authorization
Accessing or modifying data that doesn't belong to you
Executing attacks that could harm service availability
Violating any laws or breaching any agreements
Rewards & Recognition
Hall of Fame
We recognize security researchers who help us improve our security posture on our Security Acknowledgments page.
Potential Rewards
While we operate on a case-by-case basis, significant and novel findings may be eligible for:
Monetary rewards (based on severity and impact)
Public recognition (with your permission)
Swag and merchandise
References for future security work
Legal
This policy is designed to be compatible with common vulnerability disclosure good practice. It does not give you permission to act in a manner that is inconsistent with the law, or which might cause RubyWell to be in breach of any legal obligations.
Questions?
If you have questions about this policy, please contact: techaccount@rubywell.com

