Security and responsible disclosure
Regiome is designed as a read-only public-source tool surface. The service should not receive patient records, PHI, credentials, or private source systems.
Security posture
- Read-only tools for public source systems.
- No report submission or upstream record mutation.
- No intended EHR, patient intake, billing, or PHI workflow.
- Credential-bearing upstream requests should keep secrets out of logs and provenance URLs.
Reporting a vulnerability
Send suspected vulnerabilities to [email protected]. Include the affected endpoint, reproduction steps, impact, and any relevant request IDs.
Testing boundaries
Do not access, modify, delete, exfiltrate, or disrupt data. Do not run denial-of-service testing, social engineering, spam, credential attacks, or testing against third-party upstream APIs.
MCP endpoint
The planned production MCP endpoint is https://mcp.regiome.io/mcp. It is a machine endpoint for ChatGPT app integration.