Skip to main content

Our Guide to Security Reports

· 3 min read
Cody Ebberson
Medplum Core Team

As a founder, you wear a lot of hats. One of mine is handling the security reports that land in our inbox.

Thanks to a strong security posture, including regular third-party pen tests, genuine vulnerability reports are rare. However, like any online business, we see a steady stream of security inquiries. These tend to fall into two distinct camps: the valuable, good-faith reports from legitimate researchers... and the noise.

The "noise" is what security expert Troy Hunt perfectly named "Beg Bounties." These are the low-effort, templated emails fishing for a payout for a non-issue.

We decided early on to be direct, transparent, and respectful of everyone's time—ours and the researcher's. So, when someone emails us about a potential vulnerability, here's the kind of response they can expect from us:

Subject: Re: Inquiry Regarding Security Issue

Thanks for your interest in the security of the Medplum platform. We take all potential vulnerabilities seriously.

Our process is to first receive the full details of the potential issue, including steps to reproduce it. Once received, our team will validate the report.

To set clear expectations, we absolutely offer fair compensation for novel, verifiable vulnerabilities with a demonstrable security impact.

We do not, however, provide compensation for common out-of-scope reports, including:

  • Suboptimal HTTP security header configurations
  • Missing best practices on DNS records (SPF/DKIM/DMARC)
  • Scanner output without a proven, practical exploit

This approach allows us to focus on genuine, impactful security research. We look forward to receiving the details of your finding.

Best regards,

The Medplum Team

That's it. It's a simple, firm, and fair template. Here's why it works for us:

  1. It puts process first. The conversation about money is on hold until we see a real vulnerability.
  2. It filters out the noise. It clearly states what we don't pay for, saving everyone a lot of back-and-forth.
  3. It encourages real research. It confirms we do pay for legitimate findings with a real-world impact.

This email is our day-to-day tactic, but it's based on our official strategy, which is documented for anyone to see in our Responsible Disclosure Policy on GitHub. It goes into more detail and includes a Safe Harbor clause to assure good-faith researchers they're protected.

The bottom line is simple: We take security seriously, and we take real security researchers seriously. If you have a legitimate, high-impact vulnerability, we genuinely want to hear from you and will be happy to compensate you for your work.