Artificer Health

Responsible Disclosure Policy

Artificer Health, Inc.
Last Updated: April 2, 2026


Artificer Health values the work of security researchers who help us protect our platform and our customers' data. If you discover a potential security vulnerability in our systems, we ask that you disclose it to us responsibly in accordance with this policy.


How to Report

Email: security@artificerhealth.com

Please include:

  • A description of the vulnerability and its potential impact
  • Detailed steps to reproduce the issue
  • Any proof-of-concept code or screenshots
  • Your contact information for follow-up

If you need to transmit sensitive information, request our PGP public key at the email address above and we will provide it promptly.


Our Commitments

  • We will acknowledge receipt of your report within 2 business days.
  • We will provide an initial assessment within 5 business days.
  • We will work with you to understand and validate the issue.
  • We will keep you informed of our progress toward remediation.
  • We will not pursue legal action against security researchers who act in good faith and comply with this policy.
  • We will credit you (if desired) when we publicly address the vulnerability.
  • We will coordinate with you before publicly disclosing any vulnerability you report.

Scope

The following are in scope for responsible disclosure:

  • www.artificerhealth.com
  • The Artificer Health Platform (app.artificerhealth.com)
  • Artificer Health APIs

The following are out of scope:

  • Social engineering or phishing attacks against Artificer Health employees
  • Physical attacks against Artificer Health offices or infrastructure
  • Denial of service (DoS/DDoS) attacks
  • Automated scanning that generates excessive traffic
  • Vulnerabilities in third-party services or software not under our control
  • Attacks against infrastructure we do not own or operate (e.g., cloud provider infrastructure)

Researcher Guidelines

To qualify for safe harbor protections under this policy, we ask that you:

  • Do not access, modify, download, or destroy customer data, patient data, or protected health information (PHI). Artificer Health processes healthcare data subject to HIPAA. Unauthorized access to PHI carries federal civil and criminal penalties independent of this policy. If you inadvertently access PHI during your research, stop immediately, do not retain or copy the data, and report the access in your disclosure.
  • Do not degrade the availability or performance of our services. Avoid actions that could disrupt patient care workflows or prior authorization processing.
  • Do not exploit a vulnerability beyond the minimum necessary to demonstrate its existence. Do not pivot, escalate, or chain vulnerabilities to access additional systems or data beyond what is needed for a proof of concept.
  • Do not publicly disclose the vulnerability until we have had a reasonable opportunity to investigate and remediate. We will work with you on coordinated disclosure timelines. If we have not responded or remediated within 90 days of your report, we will work with you on an appropriate disclosure path.
  • Act in good faith and in compliance with all applicable laws.

Safe Harbor

Artificer Health considers security research conducted consistent with this policy to be:

  • Authorized under the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030
  • Exempt from the Digital Millennium Copyright Act (DMCA), 17 U.S.C. § 1201, to the extent your research involves circumvention of technological measures on our systems
  • Lawful and conducted in good faith

We will not initiate or support civil claims or criminal complaints against researchers who:

  • Comply with this Responsible Disclosure Policy
  • Act in good faith and without malicious intent
  • Do not access, retain, or disclose customer data or PHI beyond what is described above
  • Do not cause harm to Artificer Health, our customers, or their patients

If a third party (such as a law enforcement agency) contacts you regarding research conducted under this policy, we will take reasonable steps to make known that your actions were authorized under this policy, provided you have complied with its terms.

If you are uncertain whether your planned research complies with this policy, contact us at security@artificerhealth.com before proceeding. We are happy to discuss scope and boundaries.


Contact

Artificer Health, Inc. Security Team: security@artificerhealth.com


This policy is provided for informational purposes and does not create any contractual or other legal rights. Artificer Health reserves the right to update this policy at any time.
