Legal
Vulnerability Disclosure Policy
Last updated: July 2026
We appreciate the work of security researchers who help keep RHM Digital safe. This policy describes how to report a suspected vulnerability and what you can expect from us in return.
1. How to report
Send a report to info@rhmdigital.com with a clear description of the vulnerability, the steps to reproduce it, and any proof-of-concept material needed to understand its impact.
2. What we ask of you
- Give us a reasonable amount of time to investigate and remediate before disclosing the issue publicly
- Avoid accessing, modifying, or deleting data that does not belong to you
- Do not run automated scanning tools that could degrade service for other customers
- Do not attempt social engineering, phishing, or physical attacks against our staff or offices
- Act in good faith and avoid privacy violations or service disruption
3. What you can expect from us
- An acknowledgment of your report within 5 business days
- An assessment of severity and, where applicable, an estimated remediation timeline
- Credit for your discovery, if you would like it and once the issue is resolved
- No legal action against researchers who follow this policy in good faith
4. Scope
This policy covers the RHM Digital web application and API. It does not cover third-party services we integrate with (such as our AI model providers, authentication provider, or payment provider), which should be reported directly to those vendors.
