Reporting Vulnerabilities in Security or Privacy

Help us enhance the security and privacy of our products by reporting any vulnerabilities you discover.

Introduction

We at Sword Health value the security of our systems and data, and we understand the importance of the community in helping us maintain a high standard of safety. If you have discovered a security vulnerability within our systems, we appreciate your help in disclosing it to us in a responsible manner.

This page outlines our responsible disclosure policy and provides guidelines on how to report any security vulnerabilities you may come across.

Reporting a Vulnerability

If you have identified a potential security issue, we kindly request that you:

  1. Email us at securityreports@swordhealth.com with the details of the vulnerability. Please use the following format for your report:
    • Title: A brief, concise summary of the issue.
    • Details: A detailed description of the vulnerability. Include the steps to reproduce the issue, as well as any potential impacts. The more detail you can provide, the better.
    • Environment: Information about where and when you discovered the issue. Include the system, software versions, configurations, and any other relevant details.
    • Proof of Concept: If possible, provide a proof of concept. This could be in the form of a code snippet, a screenshot, or a video demonstrating the vulnerability.
  2. Do not disclose the issue to others until we've had a chance to address it. This is to ensure that the issue does not become widely known before a fix is in place, potentially causing harm to our users or systems.
  3. Do not engage in activities that could potentially harm the usability of our services or the privacy of our users. This includes, but is not limited to, accessing, downloading, altering, or deleting data.

Scope of the Program

We appreciate the time and effort put in by security researchers when investigating and reporting vulnerabilities. For effective collaboration, we have defined what is in-scope and out-of-scope for our Responsible Disclosure Policy.

In-Scope: All websites, API endpoints and any other web resources under swordhealth.com, hibloom.com or any of their subdomains. We appreciate reports on any vulnerabilities that could potentially harm the integrity, availability, or confidentiality of our systems or data.

Out-of-Scope: The following are considered out of scope for our program:

  • Third-party websites or services that we link to
  • Issues related to software or protocols not under our control
  • Any physical attempts against our property or data centers
  • Social engineering attacks (e.g., phishing, vishing)
  • Denial of Service (DoS) attacks
  • Spam or issues related to email deliverability
  • Vulnerabilities affecting users of outdated or unpatched browsers and platforms

This is not an exhaustive list. If you are unsure whether something is in-scope or out-of-scope, please contact us at securityreports@swordhealth.com. We reserve the right to alter the scope of our program and to make exceptions to these guidelines on a case-by-case basis. We ask that you respect these guidelines, and thank you for your help in keeping Sword Health safe and secure.

Our Commitment

Once we receive your report, we commit to:

  • Acknowledging receipt of your report within three business days.
  • Investigating the issue and working to understand its impact and severity.
  • Keeping you informed about our progress in resolving the issue.
  • Addressing the issue in a timely manner, and if necessary, informing relevant parties and the public about the issue and our response.

Recognition

While we do not offer a monetary reward for vulnerability disclosures, we understand and appreciate the effort that goes into security research. As a token of our gratitude, we would be happy to include your name in our "Hall of Fame" on our website. This is entirely optional and at your discretion.

Conclusion

We thank you for your assistance in helping us maintain the safety and integrity of our systems. Your commitment to responsible disclosure reflects the strength and value of the security community, and we appreciate your effort and dedication. Please note that this policy is subject to change without prior notice. It's recommended to check back often for updates.

Thank you for helping us make Sword Health safer for everyone. Make sure that you include the information covered above. If your report doesn't include enough information to allow us to reproduce the issue, we may not be able to accept your report.
