Responsible Disclosure Policy

Press Ganey is committed to protecting the privacy and security of data we receive, and our team of security professionals works diligently with our partners to help keep this information secure. We also understand the helpful role our users can play in our security program, and we request that our users notify us of any potential vulnerabilities or security concerns identified while using our websites and web applications in compliance with our Terms of Use and Privacy Policy. We will review every report and strive to ensure that appropriate steps are taken to remediate legitimate reported vulnerabilities.

If you would like to report a potential vulnerability or security concern, please send an email to security@pressganey.com. Please provide your name and contact information with each report. As reports may impact Protected Health Information (PHI) or other confidential data, all reports should be encrypted. Our PGP public key can be found here. So that we may effectively review and respond to your report, please provide details of the potential vulnerability or security concern. Make sure to include steps necessary to reproduce the issue, including any relevant logs and files (e.g., screenshots). Do not destroy or modify data or attempt to interrupt or degrade our services. Your report will be reviewed by Press Ganey and we will contact you if we need more information.

In order to protect our clients, we request that you do not post or share any information about a potential vulnerability or security concern until we have analyzed, responded to, and addressed the reported vulnerability or security concern and informed clients, if needed. We also request that you do not post or share any data belonging to Press Ganey or our clients. Addressing a security vulnerability can take time depending on the severity of the vulnerability and the affected systems. We are committed to being responsive and keeping you informed of our progress as we investigate and mitigate your reported concern.