To report a potential security issue or vulnerability please let us know by referring to our security.txt file or follow these steps:
Tempus Labs, Inc. (“Tempus”) takes its responsibility to protect customer and patient data seriously and we welcome feedback from security researchers and the general public to help improve our security posture. If you believe you have discovered a vulnerability, privacy issue, exposed data, or other potential security issues in and around any of our assets, we want to hear from you. This policy describes:
We reserve the right to update this policy at any time, so please review the policy periodically.
In accordance with this policy, you can expect us to:
In participating in our vulnerability disclosure program, you are required to:
At this time, the following services and applications are in-scope:
See above for how to report an in-scope vulnerability (Reporting a Vulnerability).
Any service or application not expressly listed as “In Scope” above is excluded from this policy is not authorized for testing. In addition, the following activities are also excluded from this policy and are not authorized for testing:
Though we develop and maintain other internet-accessible systems or services, we require that active research and testing only be conducted on the systems and services covered by the scope of this document. If there is a system not in scope that you think merits testing, please contact us to discuss it first. Additionally, vulnerabilities found in our service providers’ systems fall outside of this policy’s scope and should be reported directly to the service provider according to their disclosure policy (if any).
Tempus is committed to timely correction of vulnerabilities. However, we recognize that public disclosure of a vulnerability in absence of a readily available corrective action may increase risk. Accordingly, we require that you refrain from sharing information about discovered vulnerabilities for 90 calendar days after you have received our acknowledgement of receipt of your report. If you believe others should be informed of the vulnerability prior to our implementation of corrective actions, we require that you coordinate in advance with us.
If you comply with this policy during your security research and do not compromise the security of our systems, or the safety or privacy of our users, we will work with you to understand and resolve the issue quickly, and will not initiate or recommend legal action related to your research. Understand that we cannot control third party claims related to your activities.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please contact us at firstname.lastname@example.org before proceeding any further.
This is the future of healthcare.