Responsible disclosure policy
If you would like to report a potential vulnerability or security concern, please send an email to email@example.com. Please provide your name and contact information with each report. As reports may impact Protected Health Information (PHI) or other confidential data, all reports should be encrypted. Our PGP public key can be found here. So that we may effectively review and respond to your report, please provide details of the potential vulnerability or security concern. Make sure to include steps necessary to reproduce the issue, including any relevant logs and files (e.g., screenshots). Do not destroy or modify data or attempt to interrupt or degrade our services. Your report will be reviewed by Press Ganey and we will contact you if we need more information.
In order to protect our clients, we request that you do not post or share any information about a potential vulnerability or security concern until we have analyzed, responded to, and addressed the reported vulnerability or security concern and informed clients, if needed. We also request that you do not post or share any data belonging to Press Ganey or our clients. Addressing a security vulnerability can take time depending on the severity of the vulnerability and the affected systems. We are committed to being responsive and keeping you informed of our progress as we investigate and mitigate your reported concern.