Responsible Disclosure Policy
Effective Date: April 14, 2026
How to Report
Please email your findings to security@thepeernetwork.com. To help us triage and respond effectively, include the following in your report:
- A description of the vulnerability and where it was found
- Steps to reproduce the issue
- The potential impact, if known
- Any relevant screenshots, logs, or proof-of-concept code
Our Commitments to You
- We will acknowledge receipt of your report within 3 business days.
- We will work to validate and resolve confirmed vulnerabilities, with a target resolution time of 10 business days for critical issues.
- We will keep you informed of our progress throughout the remediation process.
- We will not pursue legal action against researchers who act in good faith in accordance with this policy.
Guidelines for Responsible Research
- Make a good-faith effort to avoid privacy violations, data destruction, or disruption to our services.
- Only interact with accounts you own or for which you have explicit written permission from the account holder.
- Do not access, download, or modify any user data.
- Allow us reasonable time to address the issue before any public or third-party disclosure.
- Do not exploit a vulnerability beyond what is necessary to demonstrate it.
Scope
This policy applies to The Peer Network application and any associated subdomains or services.
The following are out of scope:
- Our public marketing website, which contains no sensitive data
- Denial-of-service or volumetric attacks
- Social engineering or phishing attacks targeting The Peer Network (TPN) staff
- Theoretical vulnerabilities without a working proof of concept
- Issues already known to our team
A Note on HIPAA
Because our platform handles Protected Health Information, we take an especially cautious approach to security research. If you encounter any data that appears to be personal health information belonging to a real user, please immediately cease testing and contact us at security@thepeernetwork.com.