Tidepool Responsible Disclosure Policy

Last Updated: April 20, 2026

This Responsible Disclosure Policy provides information regarding how Tidepool Project (“Tidepool,” “us,” or “we”) works with security researchers to identify and responsibly disclose potential vulnerabilities.

Scope

This policy covers all of Tidepool’s software applications, such as Tidepool for web, Tidepool for mobile, and Tidepool Uploader, together with any other applications developed and/or distributed by Tidepool (the “Tidepool Apps”), including the storage and retrieval of data by the Tidepool Apps on or through our hosted cloud platform (the “Tidepool Platform”), Tidepool’s source code, and Tidepool’s other systems or network security.

Certain activities and vulnerabilities are outside of this policy’s scope; these include without limitation:

  • Vulnerabilities found in services directly related to operating systems;
  • Vulnerabilities found in third-party components;
  • Attacks that may degrade, disrupt, or negatively impact services or user experiences (e.g., denial of service, brute force, password spraying);
  • Low-level web page or network issues;
  • Reports that are purely speculative or based on behavior that has not actually occurred;
  • Automated or bulk-generated submissions without evidence of a confirmed or specific vulnerability.

Researchers must comply with all applicable laws, rules, and regulations when participating in vulnerability research. Researchers must limit their activities to systems explicitly in scope and must not attempt to access, use, or otherwise interact with systems and data out of scope. Researchers must not attempt to access, use, or disclose any user information or violate the privacy of users; doing so is a violation of both this policy and Tidepool’s Terms of Use. Violations of this policy may result in restriction of access and, where appropriate, notification to relevant cyber authorities or other actions permitted under applicable law.

Vulnerability Reporting Process

If you believe you have found a security vulnerability in any of the Tidepool Apps, the Tidepool Platform, Tidepool’s source code or Tidepool’s other systems or network security, we encourage you to let us know right away by submitting a report to security@tidepool.org. We will investigate all legitimate reports that meet the reporting criteria and do our best to remediate the problem as is appropriate.

We request that as part of your initial contact you include information available regarding:

  • A high-level description of the vulnerability;
  • Any pertinent information regarding the computers, network connectivity, firmware configurations, or tools in use when the vulnerability was discovered;
  • Full description and disclosure of any use of AI in testing and report creation, including a description of the tool or service used to generate the finding, or clear evidence from that tool;
  • A description of the potential exploit code, proof of concept, and sample packet capture as applicable;
  • When and where the vulnerability was discovered;
  • Known or suspected threats relating to the vulnerability (including any known or suspected exploitation);
  • Whether the vulnerability is known to any other parties or has been reported to government/regulatory agencies
    • If you communicated vulnerability information to vulnerability coordinators such as ICS-CERT or other parties, please advise us and provide their tracking number, if one has been made available;
  • Preferred method of communication and contact information for continued communications with you, if applicable
    • We request communication in English for clarity and efficiency.

Submission Evaluation and Response

Throughout the vulnerability verification and resolution process, we will aim to communicate with you so that expectations are clear.

  • Within three (3) calendar days of your submission, we will acknowledge reports that meet the submission requirements outlined above. You will receive confirmation that we have received your submission and that our security team is in the process of evaluating it for verification.
  • If needed, we will request additional information about the report from you or provide instructions to coordinate with an approved third-party vendor.
  • For a verified vulnerability, we will notify the appropriate teams to conduct risk analysis to determine the vulnerability’s potential scope and classification level.
  • If a vulnerability cannot be validated, is clearly AI-generated without that use of AI having been disclosed in the report, or is of low value (as determined by our team), we will not respond further.
  • We will determine if a patch/upgrade or other suggested mitigations are appropriate for the vulnerability and, if so, corresponding fixes will be developed and prepared for distribution.
  • We will then publicize and release patches, upgrades, or other suggested actions. These may involve direct customer notification or public release of an advisory notification on our website.

Our Commitment to Researchers

If you give us reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you. In addition, we will take steps to make known that you conducted security research in good faith if someone else brings legal action against you. This is not, and should not be understood as, any agreement on our part to defend, indemnify, or otherwise protect you from any third-party action based on your actions. You should contact us for clarification before engaging in conduct that you think may be inconsistent with good faith security research or unaddressed by this policy.

Depending on the nature of the vulnerability reported, we may also ask you to sign a non-disclosure agreement. In rare instances at our discretion, we may choose to offer a monetary recognition payment in connection with the responsible disclosure of meaningful, high-impact security bugs and vulnerabilities. The decision to offer any monetary recognition and the criteria for eligibility are determined exclusively by us. We provide no assurance that any report will qualify for this recognition, and individuals should not expect or rely on receiving this.

We respect your confidentiality and will not disclose your identity without permission unless required by law. We reserve the right to discontinue this program at any time or to terminate any individual’s participation in the program.

Notice

By submitting information through this process, you agree that Tidepool is allowed to use the information regarding the vulnerability (other than any personal data of the submitter/researcher) in any manner, in whole or in part, without any restriction. You also agree that submitting such information does not create any rights for you or any obligations for Tidepool.