Legal

Security Vulnerability Disclosure Program

Last Updated: June 10, 2026

Introduction

Kin Health Technologies, Inc (“Kin Health”) is committed to protecting the privacy and security of our users. We welcome responsible security research and appreciate the efforts of individuals who help identify potential vulnerabilities in the Kin Health-owned assets, services, applications and systems (collectively, “Systems”).

If you believe you have discovered a security vulnerability affecting a System, we encourage you to report it to us. This security vulnerability disclosure program (the “Program”) explains the types of issues we are interested in receiving, how reports should be submitted, and how Kin Health reviews and evaluates vulnerability disclosures, and what type of compensation you may be awarded.

This Program is intended to support good-faith security research. Any monetary awards offered under this Program are discretionary and subject to Kin Health’s review and validation process.

Kin Health reserves the right to amend, modify, or change any provision of this Program at any time in its sole and absolute discretion.

Scope of Activities

This Program applies to Kin Health-owned Systems.

Systems Within Scope

Examples of Systems that may be tested include:

  • Kin Health-owned websites.
  • Kin Health mobile and computer applications.
  • Kin Health APIs and back-end services.
  • Kin Health-managed cloud infrastructure, databases and storage systems.
  • Other production systems owned and operated by Kin Health.

Vulnerabilities Within Scope

We are particularly interested in reports involving:

  • Authentication vulnerabilities.
  • Authorization or access control failures.
  • Unauthorized access to user information.
  • Exposure of personal or healthcare-related data.
  • Cloud, storage, or infrastructure misconfigurations.
  • Account takeover vulnerabilities.
  • Privilege escalation vulnerabilities.
  • Vulnerabilities affecting the confidentiality, integrity, or availability of Systems.

Out of Scope

The following fall outside the scope of this Program:

  • Theoretical issues without demonstrated impact.
  • Missing security headers without a demonstrated security consequence.
  • Public content intentionally made available without authentication.
  • Rate limiting concerns without demonstrated security impact.
  • Clickjacking on non-sensitive pages.
  • Denial-of-service, volumetric, load, or stress testing of any kind.
  • Previously reported or remediated vulnerabilities.
  • Vulnerabilities affecting third-party systems not owned or controlled by Kin Health.
  • Research conducted by current or former employees, contractors, vendors, or service providers of Kin Health, or their immediate family members, within twelve (12) months of their separation or engagement, without Kin Health's prior written consent.

Kin Health reserves the right to determine whether a report falls within scope and whether a reported issue qualifies for payment to you.

Research Guidelines

You may perform limited, non-destructive testing necessary to identify and validate a potential vulnerability.

Examples of permitted activity include:

  • Validating a suspected vulnerability.
  • Performing limited proof-of-concept testing to demonstrate impact.
  • Reporting affected URLs, capturing screenshots, request and response examples, or other supporting evidence.

You must stop testing once sufficient evidence has been gathered to demonstrate the issue.

The following activities are not permitted:

  • Bulk downloading, scraping, indexing, or exfiltration of data.
  • Accessing or retaining more user information than reasonably necessary to demonstrate a vulnerability and its impact.
  • Service disruption or denial-of-service testing.
  • Social engineering, physical attacks, phishing, or employee targeting.
  • Malware deployment or persistence mechanisms.
  • Modification, deletion, or destruction of data outside of a narrow proof of concept.
  • Public disclosure except as permitted in Section 4 below.

If you encounter personal or healthcare-related data, or other sensitive data during testing, you must stop further access to that data and promptly notify Kin Health.

Reporting Process

To report a vulnerability, please provide:

  • A detailed description of the issue.
  • The specific affected System.
  • Step-by-step instructions necessary to reproduce the issue.
  • Supporting evidence, where available.
  • Contact information for follow-up.

Reports should be submitted to [email protected].

Upon receipt of your report, Kin Health will review the report, assess reproducibility and impact, and determine whether further information is required. Kin Health will notify you if your report has been received and being analyzed. You may be contacted for additional information or validation during the review process.

You must refrain from publicly disclosing vulnerability details unless authorized in writing by Kin Health. Any request to disclose such information will be reviewed or rejected by Kin Health at its sole discretion.

Compensation / Monetary Rewards

Kin Health may, in its sole discretion, offer monetary rewards for validated vulnerability reports.

Your eligibility to receive compensation is based on several factors, including, but not limited to:

  • The severity and potential impact.
  • Ease and likelihood of exploitability.
  • The type and nature of affected Systems and data.
  • The quality and completeness of your report.
  • Your compliance with this Program.
  • If a monetary reward is approved, you will be required to enter into the Kin Health’s standard Security Vulnerability Disclosure Agreement governing the terms of payment, confidentiality, and other terms and conditions.

To be eligible to receive compensation under this Program, you must: (a) be at least eighteen (18) years of age or the age of majority in your jurisdiction, whichever is greater; (b) not be a current or former employee, contractor, or vendor of Kin Health (as described above); (c) not be a resident of a country subject to U.S. sanctions or otherwise prohibited from receiving payments under applicable U.S. law; and (d) not appear on any U.S. government restricted party or sanctions list, including those maintained by the office of foreign assets control (OFAC). Kin Health reserves the right to verify eligibility prior to issuing any payment, if and when earned.

The following sets forth a guideline of anticipated compensation that you will be eligible to receive for eligible reports:

SeverityExample of Issue(s) Contained in ReportRange of Compensation
InformationalBest-practice recommendations, duplicate reports, previously known issues$0
LowLow-impact exposure, metadata disclosure, limited enumeration or low-impact misconfigurations affecting non-sensitive or intentionally public assets$100-$250
MediumIssue affecting multiple users or requiring little/no user interaction with limited confidentiality impact, including enumeration that exposes user-uploaded personal data but does not expose sensitive healthcare records, credentials, account takeover, or backend compromise$500-$1,000
HighBroad user-data exposure, account takeover path, access to sensitive healthcare data, severe authorization bypass, or high-confidence path to significant customer harm$1,500-$3,000
CriticalSystemic compromise, production credential exposure with material access, remote code execution, mass compromise, or broad compromise of sensitive healthcare data$5,000+

The foregoing compensation ranges are provided for illustrative purposes only. Kin Health will have sole and absolute discretion in determining the severity classifications, impact, exploitability, reproducibility, usefulness of the report, affected Systems and data, amount of eligible compensation to be received, and compliance with the Program.

All compensation payable under this Program is discretionary and will be determined solely by Kin Health. The submission of a report does not guarantee any compensation.

If a report is approved for compensation, to receive such compensation, you will be required to sign Kin Health’s standard Security Vulnerability Disclosure Agreement, including providing information necessary to verify eligibility and process such applicable payment.

Any compensation received pursuant to the Program is subject to applicable law and Kin Health’s verification of the recipient’s eligibility to receive payment.

Any payments made under this Program may constitute taxable income. You are solely responsible for determining and satisfying any tax obligations arising from your participation in the Program or receipt of any compensation thereunder. The Company may report payments to applicable tax authorities and may withhold taxes from payments to the extent required by applicable law.

Safe Harbor

Kin Health supports good-faith security research conducted in accordance with this Program.

If you make a good-faith effort to comply with this Program, Kin Health will consider your security research to be authorized for purposes of this Program. Activities conducted in accordance with this Program’s terms, conditions, and requirements, will not be considered a violation of Kin Health’s Terms of Service, or similar restrictions applicable to Kin Health Systems.

Kin Health will not initiate or support legal action against individuals who conduct security research in good-faith under this Program, including claims under the Computer Fraud and Abuse Act (CFAA), applicable state computer fraud or unauthorized access statutes, or the Digital Millenium Copyright Act (DMCA), including its anti-circumvention provisions under 17. U.S.S. § 1201. This commitment applies to researchers who promptly report vulnerabilities, avoid privacy violations and service disruption, and otherwise comply with this Program.

If you encounter personal or healthcare-related information or data, or other confidential data during your research, you must cease further access to such information and promptly notify Kin Health. Such information must not be retained, disclosed, transferred, or used for any purpose other than documenting and reporting the vulnerability to Kin Health.

If a third party initiates legal action against you for activities conducted in good faith under this Program, Kin Health will make reasonable efforts to confirm that your research was authorized under this Program.

The protections described in this Section 6 of the Program apply only to activities conducted in accordance herewith. Such protections do not apply to conduct involving service disruption, extortion, social engineering, malware deployment, unauthorized disclosure of information, access beyond what is reasonably necessary to validate a vulnerability, or other activities outside the scope of authorized testing.

If you are uncertain whether a particular testing activity is permitted, please contact Kin Health before proceeding.

Contact

Questions regarding this program or vulnerability reports may be directed to:

[email protected]

Use Kin for your next appointment

Download Kin

Completely free. Always private.