Security
Responsible disclosure
Trimu handles sensitive health data for thousands of UK patients. Protecting it is a clinical and regulatory obligation we take as seriously as the medicine itself. If you’ve found a vulnerability, we want to hear from you.
Safe Harbour
Our commitment to security researchers
Good-faith research makes the internet safer. If you follow this policy when investigating Trimu, we won’t take legal action against you.
No legal action
We will not pursue civil or criminal action against researchers who act in good faith, follow this policy, and disclose privately. Your work helps protect our patients.
Direct clinical input
Reports go straight to our engineering team and are reviewed alongside our clinical governance leads. No ticket queues, no offshore triage — your finding gets eyes that can act on it.
Public credit
With your permission, we’ll acknowledge your contribution in our security hall of fame once a fix is shipped. We don’t currently offer cash bounties — we’re a clinician-owned UK clinic, not a VC-backed startup.
Programme Rules
Testing within bounds
Because Trimu processes patient health information, our boundaries are tighter than most. Please follow these rules so we can protect both you and the people who trust us with their care.
What we ask of you
Test against your own account only. Stop the moment you encounter another patient’s data. Don’t exfiltrate, modify, or destroy anything. Give us reasonable time to fix the issue before publishing — typically 90 days.
In scope
trimu.com, portal.trimu.com, and any subdomain we operate. Authentication, authorisation, payment flows, prescription handling, and anything that could expose patient data are our highest-priority categories.
Out of scope
Social engineering of staff or clinicians, physical attacks, denial-of-service testing, automated scanner output without proof of impact, and anything affecting third-party services we don’t control.
The Process
How to report and what happens next
A predictable process so you know exactly where your report stands at every step.
How to report
Email [email protected] with as much detail as you can. Reports in English are easiest for us to triage quickly, but we’ll work with whatever you send.
What to include
A clear description of the vulnerability, the affected URL or endpoint, reproducible steps, your assessment of the impact, and any proof-of-concept material. Screenshots and short videos help. Please don’t include patient data — even redacted — in your report.
Encrypted communication
For sensitive findings, request our PGP key in your initial email and we’ll send it on a separate channel. We support encrypted disclosure throughout the process.
Initial response — within 2 working days
A real engineer will acknowledge your report and confirm we’ve received it. Not an autoresponder.
Triage — within 5 working days
We’ll validate the finding, agree a severity rating with you, and share an initial view on the timeline for a fix. If we can’t reproduce it, we’ll come back with specific questions rather than closing the report.
Resolution — based on severity
Critical issues that risk patient data are patched within 72 hours. High-severity issues within 14 days. Medium and low severity within 90 days. We’ll keep you updated as work progresses and confirm when the fix is shipped.
FAQs
Researcher questions answered
Get In Touch
Found something? Tell us.
A quick email is all it takes. We’ll come back to you within two working days, and a real engineer will be on the other end.





