Vulnerability Disclosure Policy
We take the security of patient health data seriously. If you've found a vulnerability, we want to hear from you.
Safe harbor.
We will not pursue legal action against security researchers who act in good faith under this policy. Acting in good faith means making a genuine effort to avoid privacy violations, data destruction, and service disruption.
If you follow these guidelines, we consider your research authorized. We will work with you to understand and resolve the issue quickly.
Scope.
The following are in scope:
- inou.com — the production portal
- inou.com/api/* — the REST API
- inou.com/mcp — the MCP endpoint
The following are out of scope:
- Social engineering of staff or users
- Denial of service attacks
- Physical attacks against infrastructure
- Third-party services we integrate with
- Automated scanning that degrades service availability
Rules of engagement.
- Do not access, modify, or delete another person's health data.
- Do not degrade service availability.
- Stop and report immediately if you encounter patient data.
- Give us reasonable time to fix issues before any public disclosure.
- Use the minimum access necessary to demonstrate the vulnerability.
How to report.
Email security@inou.com. For sensitive reports, encrypt your message with our PGP key.
Include:
- Description of the vulnerability and its potential impact
- Steps to reproduce
- Any proof-of-concept code or screenshots
What we commit to.
- Acknowledge your report within 48 hours.
- Provide a meaningful assessment within 7 days.
- Keep you informed as we work on a fix.
- Credit you publicly on our acknowledgments page — unless you prefer to remain anonymous.
We don't run a paid bounty program. We offer our thanks, public credit, and the knowledge that you helped protect real patients' health data.