Vulnerability Disclosure Policy

Reporting a Vulnerability

To report a potential security issue or vulnerability, refer to our security.txt file or follow these steps:

  1. Prepare a detailed description of the steps required to reproduce or validate the vulnerability. Proof-of-concept (PoC) scripts, screenshots, and screen captures are all helpful. Please take extreme care to properly label and protect any exploit code.
  2. Encrypt the email contents using our GPG key.
  3. Email the encrypted contents to security@tempus.com and provide your preferred method of return communication.
  4. Allow up to 5 business days for confirmation of the reported issue.
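The reporting steps above, as an added example that is not part of the policy or of any Tempus tooling: a small POSIX shell helper that reads a security.txt file (assumed, following RFC 9116, to be served at https://tempus.com/.well-known/security.txt and to carry an Encryption: field pointing at the GPG public key), refuses a file whose Expires: date has passed, and encrypts a report for security@tempus.com only after the imported key's fingerprint matches one you confirmed out of band. The URLs and fingerprint in the usage comments are placeholders, not Tempus values.

```shell
#!/bin/sh
# Added example (not Tempus's own tooling): prepare an encrypted vulnerability report.
# Assumptions: security.txt is published at the RFC 9116 location
# https://tempus.com/.well-known/security.txt and contains an "Encryption:" field
# pointing at the GPG public key; every URL and fingerprint below is a placeholder.
set -eu

# Print the value(s) of one security.txt field read from stdin.
# RFC 9116 fields are "Name: value", field names are case-insensitive,
# and a file may carry several Contact:/Encryption: lines.
security_txt_field() {
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }                      # comment lines
        index($0, ":") {
            name = substr($0, 1, index($0, ":") - 1)
            if (tolower(name) == want) {
                val = substr($0, index($0, ":") + 1)
                sub(/^[ \t]+/, "", val); sub(/[ \t\r]+$/, "", val)
                print val
            }
        }'
}

# Return 0 (true) when the security.txt on stdin has expired or has no Expires:
# field; an expired file must not be trusted as the source of the key URL.
# Timestamps are ISO 8601 in UTC, so a plain string comparison orders them.
security_txt_expired() {
    exp="$(security_txt_field Expires | head -n1)"
    [ -n "$exp" ] || return 0
    now="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    awk -v a="$exp" -v b="$now" 'BEGIN { exit !(a < b) }'
}

# Import the fetched key, compare its fingerprint with one confirmed out of band
# (the policy page, a keyserver, a second channel), then write an ASCII-armored
# ciphertext that can be pasted into the mail body.
#   $1 = key file, $2 = report file, $3 = expected fingerprint (40 hex digits, no spaces)
encrypt_report() {
    key="$1"; report="$2"; expected="$3"
    gpg --batch --import "$key"
    actual="$(gpg --batch --with-colons --fingerprint security@tempus.com \
              | awk -F: '$1 == "fpr" { print $10; exit }')"
    if [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch: got $actual, expected $expected" >&2
        return 1
    fi
    # --trust-model always is acceptable only because the fingerprint was just verified.
    gpg --batch --yes --armor --trust-model always \
        --recipient security@tempus.com --encrypt --output "$report.asc" "$report"
    echo "encrypted report written to $report.asc"
}

# Typical use (needs network access and gpg; not exercised by the checks below):
#   curl -fsS https://tempus.com/.well-known/security.txt > security.txt
#   if security_txt_expired < security.txt; then echo "security.txt expired" >&2; exit 1; fi
#   curl -fsS "$(security_txt_field Encryption < security.txt | head -n1)" > tempus-key.asc
#   encrypt_report tempus-key.asc report.txt 0123456789ABCDEF0123456789ABCDEF01234567  # placeholder
```

Keep the plaintext report and any exploit code off shared drives and out of the mail body; only the `.asc` output should leave your machine, and the fingerprint check is what stops a tampered security.txt or key URL from redirecting the report to someone else.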

Tempus Labs, Inc. (“Tempus”) takes its responsibility to protect customer and patient data seriously and we welcome feedback from security researchers and the general public to help improve our security posture. If you believe you have discovered a vulnerability, privacy issue, exposed data, or other potential security issues in and around any of our assets, we want to hear from you. This policy describes:

  • what systems and types of research are covered;
  • rules of engagement;
  • how to send us vulnerability reports; and
  • how long we ask security researchers to wait before publicly disclosing vulnerabilities.

We reserve the right to update this policy at any time, so please review the policy periodically.

In accordance with this policy, you can expect us to:

  • Respond to your report promptly, and work with you to understand and validate your report;
  • Strive to keep you informed about the progress of a vulnerability as it is processed;
  • Work to remediate discovered vulnerabilities in a timely manner, within our operational constraints; and
  • Extend safe harbor for your vulnerability research that is related to your report and this policy (see the Authorization section below).

In participating in our vulnerability disclosure program, you are required to:

  • Play by the rules, including following this policy and any other relevant agreements;
  • Promptly report any vulnerability you have discovered;
  • Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming the user experience;
  • Perform testing only on in-scope systems, and respect systems and activities which are out of scope (see the Out-of-Scope section below);
  • Keep the details of any discovered vulnerability confidential, except as described in the Disclosure section below;
  • Not exploit identified vulnerabilities in a manner that risks the confidentiality, integrity, and/or availability of any resources not explicitly owned by you;
  • Not use your findings to phish, spam, social engineer, or otherwise defraud any customers or Tempus employees in order to gain more access;
  • Not attempt to physically access Tempus properties, social engineer employees, or otherwise try to discover risk against Tempus by non-digital means;
  • Not perform denial of service (DoS) or distributed denial of service (DDoS) attacks against any Tempus resource to prove the impact of a suspected security issue; and
  • If a vulnerability provides unintended access to data, limit the data you access to the minimum required to demonstrate a proof of concept. If you encounter any user data during testing (e.g. Personally Identifiable Information (PII), Protected Health Information (PHI), credit card data, or proprietary information), stop testing and submit a report immediately.

In Scope

At this time, the following services and applications are in scope:

  • The tempus.com website and infrastructure.
  • Any public (Internet-facing) infrastructure owned and operated by Tempus.
  • Any public cloud (e.g. Amazon AWS, Google GCP) resource or infrastructure operated and managed by Tempus, including:
    • Public cloud storage accounts (e.g. AWS S3 buckets, GCP Cloud Storage buckets).
    • Public cloud compute resources (e.g. AWS EC2 instances, GCP Compute Engine, Google Kubernetes Engine).
  • Anything with significant impact across our entire security posture or infrastructure.

See above for how to report an in-scope vulnerability (Reporting a Vulnerability).

Out of Scope

Any service or application not expressly listed as “In Scope” above is excluded from this policy and is not authorized for testing. In addition, the following activities are also excluded from this policy and are not authorized for testing:

  • Attacks designed or likely to degrade, deny, or adversely impact services or user experience (e.g., Denial of Service, Distributed Denial of Service, Brute Force, Password Spraying, Spam…).
  • Attacks designed or likely to destroy, corrupt, make unreadable (or attempts therein) data or information that does not belong to you.
  • Attacks designed or likely to validate stolen credentials, credential reuse, account takeover (ATO), hijacking, or other credential-based techniques.
  • Intentionally accessing data or information that does not belong to you beyond the minimum viable access necessary to demonstrate the vulnerability.
  • Performing physical, social engineering, or electronic attacks against Tempus personnel, offices, wireless networks, or property.
  • Security issues in third-party applications, services, or dependencies that integrate with Tempus products or infrastructure that do not have a demonstrable proof of concept for the vulnerability (e.g., libraries, SaaS services).
  • Security issues or vulnerabilities created or introduced by the reporter (e.g., modifying a library we rely on to include a vulnerability for the sole purpose of receiving a reward).
  • Attacks performed on any systems not explicitly mentioned as authorized and in-scope.
  • Reports generated from automated vulnerability assessment tools.
  • Reports of missing “best practices” or other guidelines which do not indicate a security issue.
  • Attacks related to email servers, email protocols, or email spam, and reports of missing email security controls or best practices (e.g., SPF, DKIM, DMARC).
  • Missing cookie flags on non-sensitive cookies.
  • Reports of weak SSL/TLS cipher suites or protocol versions (unless accompanied by a working proof of concept).
  • Reports of simple IP or port scanning.
  • Missing HTTP security headers (e.g. lack of HSTS).
  • Software or infrastructure bannering, fingerprinting, or reconnaissance with no proven vulnerability.
  • Clickjacking or self-XSS reports.
  • Reports of publicly resolvable or accessible DNS records for internal hosts or infrastructure.
  • Reports of user-provided remote code execution in sandboxed environments (e.g., Product Features).
  • Domain-based phishing, typosquatting, punycodes, bitflips, or other techniques.
  • Violating any laws or breaching any agreements (or any reports of the same).
  • Publicly-disclosed vulnerabilities which have already been reported to Tempus or are already known to the wider security community.
  • Reports of security issues already known and tracked by the Tempus information security team.

Though we develop and maintain other internet-accessible systems or services, we require that active research and testing only be conducted on the systems and services covered by the scope of this document. If there is a system not in scope that you think merits testing, please contact us to discuss it first. Additionally, vulnerabilities found in our service providers’ systems fall outside of this policy’s scope and should be reported directly to the service provider according to their disclosure policy (if any).

Disclosure

Tempus is committed to timely correction of vulnerabilities. However, we recognize that public disclosure of a vulnerability in the absence of a readily available corrective action may increase risk. Accordingly, we require that you refrain from sharing information about discovered vulnerabilities for 90 calendar days after you have received our acknowledgement of receipt of your report. If you believe others should be informed of the vulnerability prior to our implementation of corrective actions, we require that you coordinate with us in advance.

Authorization

If you comply with this policy during your security research and do not compromise the security of our systems, or the safety or privacy of our users, we will work with you to understand and resolve the issue quickly, and will not initiate or recommend legal action related to your research. Understand that we cannot control third-party claims related to your activities.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please contact us at security@tempus.com before proceeding any further.
