TOM MMS

Effective April 19, 2026 · version 2026-04-19-v1

Responsible Disclosure Policy

Last updated: 2026-04-19

TOM Pharmacy Consulting, LLC ("TOM") takes the security of the TOM MMS platform seriously and appreciates the work of researchers who report issues responsibly. This page describes how to report a vulnerability and what you can expect from us in return.

How to report

Email security@tompharmacy.com with:

  • A concise description of the issue.
  • Steps to reproduce — please include the minimum payload or code needed to demonstrate the vulnerability. Screenshots and short clips help.
  • The affected URL(s) and/or route(s).
  • Your contact preference (email is fine; we will not require you to create an account).

If the issue involves PHI exposure, please avoid collecting, viewing, storing, or disclosing any real patient data beyond the minimum needed to demonstrate the finding. Use test accounts where possible.

Encrypted submissions: if you prefer, request our PGP key by email and we will reply with the key before you send the report.

Response commitments

  • Acknowledgment: within 24 hours of receipt, on business days.
  • Initial triage: within 5 business days, with an assigned severity and a plan.
  • Fix target: 30 calendar days for confirmed vulnerabilities, sooner for SEV1 issues. We will keep you updated if an issue requires longer.
  • Public credit: we publish a short acknowledgment at your option once the issue is resolved. You may also remain anonymous.

Scope

In scope:

  • app.tompharmacy.com (production)
  • staging.app.tompharmacy.com (staging)
  • tompharmacy.com (marketing site)
  • Associated APIs under those domains.

Out of scope:

  • Denial-of-service attacks of any kind (including Slowloris, slow HTTP, amplification).
  • Social engineering of TOM personnel, customers, or subprocessor employees.
  • Physical attacks against TOM or subprocessor facilities.
  • Issues in third-party services (Supabase, Vercel, Stripe, Resend, MailerLite, Google Workspace, Sentry, Anthropic). Report those to the vendor directly; we will collaborate if the report also implicates TOM.
  • Reports requiring browser extensions, malware, or MITM conditions we do not control.
  • Missing HTTP security headers that have no exploitable impact (please check our Security Posture first).
  • Spam, bulk scanner output, or automated-tool outputs without a demonstrated exploit.

Safe harbor

If you make a good-faith effort to comply with this policy during your security research, TOM considers your activities authorized and will not pursue civil or criminal action or initiate a complaint to law enforcement for inadvertent violations of:

  • the Computer Fraud and Abuse Act (18 U.S.C. § 1030);
  • the DMCA anti-circumvention provisions (17 U.S.C. § 1201); or
  • applicable anti-hacking laws, including Texas Penal Code § 33.02, to the extent such laws apply.

You are expected to:

  • Stop testing and report the issue as soon as you identify a potential vulnerability.
  • Not exploit the issue (e.g., exfiltrate data, pivot to other systems, disrupt service).
  • Not access or modify data that does not belong to you beyond the minimum needed to demonstrate the vulnerability.
  • Not disclose the vulnerability publicly until we have had a reasonable opportunity to remediate.

If in doubt about whether your activity is in scope of this policy, ask us first — contacting security@tompharmacy.com does not waive any rights.

Out of scope for bounty

We do not currently operate a paid bug-bounty program. We may provide recognition (credit, swag) for high-quality reports at our discretion. A formal bounty program may launch in the future; this page will be updated when it does.

Contact

  • Security reports: security@tompharmacy.com
  • General support: support@tompharmacy.com
  • Privacy inquiries: privacy@tompharmacy.com
  • RFC 9116 metadata: /.well-known/security.txt

Thank you for helping keep TOM MMS and the patients whose data it protects safe.