Security

Responsible disclosure

Trimu handles sensitive health data for thousands of UK patients. Protecting it is a clinical and regulatory obligation we take as seriously as the medicine itself. If you’ve found a vulnerability, we want to hear from you.

Safe Harbour

Our commitment to security researchers

Good-faith research makes the internet safer. If you follow this policy when investigating Trimu, we won’t take legal action against you.


No legal action

We will not pursue civil or criminal action against researchers who act in good faith, follow this policy, and disclose privately. Your work helps protect our patients.


Direct clinical input

Reports go straight to our engineering team and are reviewed alongside our clinical governance leads. No ticket queues, no offshore triage — your finding gets eyes that can act on it.


Public credit

With your permission, we’ll acknowledge your contribution in our security hall of fame once a fix is shipped. We don’t currently offer cash bounties — we’re a clinician-owned UK clinic, not a VC-backed startup.

Programme Rules

Testing within bounds

Because Trimu processes patient health information, our boundaries are tighter than most. Please follow these rules so we can protect both you and the people who trust us with their care.


What we ask of you

Test against your own account only. Stop the moment you encounter another patient’s data. Don’t exfiltrate, modify, or destroy anything. Give us reasonable time to fix the issue before publishing — typically 90 days.


In scope

trimu.com, portal.trimu.com, and any subdomain we operate. Authentication, authorisation, payment flows, prescription handling, and anything that could expose patient data are our highest-priority categories.


Out of scope

Social engineering of staff or clinicians, physical attacks, denial-of-service testing, automated scanner output without proof of impact, and anything affecting third-party services we don’t control.

The Process

How to report and what happens next

A predictable process so you know exactly where your report stands at every step.

How to report

Email [email protected] with as much detail as you can. Reports in English are easiest for us to triage quickly, but we’ll work with whatever you send.

What to include

A clear description of the vulnerability, the affected URL or endpoint, reproducible steps, your assessment of the impact, and any proof-of-concept material. Screenshots and short videos help. Please don’t include patient data — even redacted — in your report.

Encrypted communication

For sensitive findings, request our PGP key in your initial email and we’ll send it on a separate channel. We support encrypted disclosure throughout the process.

Initial response — within 2 working days

A real engineer will acknowledge your report and confirm we’ve received it. Not an autoresponder.

Triage — within 5 working days

We’ll validate the finding, agree a severity rating with you, and share an initial view on the timeline for a fix. If we can’t reproduce it, we’ll come back with specific questions rather than closing the report.

Resolution — based on severity

Critical issues that risk patient data are patched within 72 hours. High-severity issues within 14 days. Medium and low severity within 90 days. We’ll keep you updated as work progresses and confirm when the fix is shipped.

FAQs

Researcher questions answered

Not currently. Trimu is a clinician-owned UK clinic without external venture funding, so we can’t match the bounties offered by larger platforms. What we do offer is a fast, respectful process, public credit in our hall of fame (with your permission), and the knowledge that your work directly protects patients receiving real medical care.

Stop testing immediately, do not save or share what you saw, and tell us straight away. As long as you acted in good faith and report it promptly, you remain protected under our safe harbour. We will need to know what was exposed so we can meet our regulatory notification obligations under UK GDPR.

Yes, once a fix is shipped and we’ve agreed a disclosure date together. We’re happy for you to write up your work — we’ll often coordinate publication so we can credit you and link to your post. Please don’t publish details of an unpatched vulnerability, as this puts patients at risk.

Only with proof of real-world impact. We receive a lot of low-quality automated reports and they take time away from genuine findings. If you’ve validated the issue manually, demonstrated exploitability, and explained why it matters, we’ll happily review it.

If you’ve found a vulnerability in a third-party service we rely on (a payment processor, hosting provider, or similar), report it directly to the vendor. If the issue affects how that service is integrated with Trimu and creates a vulnerability on our side, we’d like to hear about it.

No. Reports submitted under this policy in good faith are confidential to our security team. We will not contact your employer, share your identity publicly without consent, or report you to law enforcement. The only exception would be activity that clearly falls outside good-faith research — for example, deliberate data theft or extortion.

Get In Touch

Found something? Tell us.

A quick email is all it takes. We’ll come back to you within two working days, and a real engineer will be on the other end.