Responsible Disclosure Program for Cybersecurity Researchers

CommonSpirit Health is committed to maintaining the highest standards of security and privacy for our patients, employees, and partners. As a non-profit Catholic organization dedicated to advancing health care across the United States, we take our responsibility to protect sensitive information seriously. We believe in transparency, collaboration, and proactive measures to ensure that our systems, services, and products remain secure.

If you believe you may have identified a potential security vulnerability in any of CommonSpirit Health's products, systems, or assets, we encourage you to report it in accordance with our Responsible Disclosure Program for Cybersecurity Researchers. By doing so, you will be helping us to protect our resources and improve the security and privacy of those we serve.

Thank you for your dedication to keeping our digital environment safe. Please review the following guidelines carefully before submitting a report.

Responsible Disclosure Program Guidelines

If you are a security researcher or ethical hacker who has identified a potential security vulnerability, please follow these guidelines to ensure that the disclosure is handled responsibly and in alignment with our goals:

  1. Do not cause harm: Do not engage in any activity that could result in harm to CommonSpirit Health, our patients, employees, or the organization’s systems. This includes any action that could degrade or disrupt our services or systems.

  2. Compliance with laws: Ensure that your activities are compliant with all applicable local, state, and national laws. Do not engage in any activities that would result in fraudulent or unauthorized financial transactions, access to accounts, or other forms of abuse. Do not engage in activities that would put CommonSpirit Health or you at risk of legal action or liability.

  3. Data protection: Under no circumstances should you access, modify, store, or share any personal, confidential, or sensitive data without proper authorization. If you discover any restricted or protected information such as personally identifiable information (PII) or protected health information (PHI) during your investigation, please stop your research immediately, securely remove the data from your systems, and notify us right away.

  4. Confidentiality: Do not disclose or publish any information about the vulnerability or your findings to third parties or publicly until the issue has been addressed and resolved.

  5. Respect for systems: We ask that you do not perform any actions that could negatively affect our operational systems, including denial-of-service (DoS) attacks, data manipulation, or other forms of resource exhaustion.

Submission Process

To submit a potential vulnerability, please follow the submission format outlined below. Once your report is received, we will acknowledge your submission within 5 business days and will keep you informed about its progress.

Please include the following details in your vulnerability report:

  • Vulnerability summary: Provide a brief and clear description of the vulnerability.

  • Affected targets: Identify the affected product, system, or service.

  • Steps to reproduce: Detail the steps required to reproduce the issue.

  • Tools used: List any tools or methods employed to discover the vulnerability.

  • Impact: Describe the potential impact of the vulnerability.

  • Screenshots or artifacts: If possible, provide visual aids to support your findings (screenshots, videos, logs, etc.).

To report a potential security vulnerability, please email your findings to:

SecurityReporting@commonspirit.org

Our security team will respond promptly to acknowledge your submission and initiate an investigation.

Out-of-Scope Vulnerabilities

The following types of vulnerabilities are considered out of scope for CommonSpirit Health's Responsible Disclosure Program and should not be reported:

  • Physical security testing of CommonSpirit Health's facilities.

  • Social engineering attacks (e.g., phishing, baiting, credential theft, etc.).

  • Denial-of-service (DoS) attacks or distributed denial-of-service (DDoS) attacks.

  • Spam or other unwanted, unsolicited messages.

  • Resource exhaustion attacks or attempts to overwhelm systems or services.

  • Vulnerabilities related to third-party applications not developed or controlled by CommonSpirit Health.

Thank you for helping us make the digital world a safer place for everyone.