Responsible Vulnerability Disclosure Policy
This information is intended for security researchers who are interested in reporting vulnerabilities to Phreesia’s security team. For all other issues and inquiries, including sales and client support questions, please visit our Contact Us page.
If you think you have identified a vulnerability on Phreesia’s platform, we ask that you contact us securely at security@phreesia.com as soon as possible and refrain from disclosing the issue until we address it.
Responsible Disclosure Guidelines
We require that all security researchers:
- Use Phreesia’s secure channel to notify us of the vulnerability and provide us with any details, including URLs, screenshots and/or other relevant information.
- Give Phreesia 30 days to review the submitted issue and respond to your notification. Once we determine an issue is valid, we will notify you with next steps, including public disclosure timelines.
- Make every effort to maintain the integrity of Phreesia’s data and avoid privacy violations, service disruptions, degradation of user experience and destruction of data during testing.
- Not request compensation from Phreesia or external marketplaces. If you follow these guidelines when reporting a vulnerability to us, we will not pursue or support any legal action related to your research.
The following vulnerability categories are of greatest interest to us and should be considered within the acceptable scope for security researchers:
- Cross Site Scripting (XSS)
- Cross Site Request Forgery (CSRF)
- SQL Injection (SQLi)
- Authentication-related issues
- Authorization-related issues
- Data Exposure
- Redirection Attacks
- Remote Code Execution
ONLINE
OFFLINE