Responsible Disclosure Policy

LAST UPDATED: OCT 1, 2025

Security is a top priority for Cadence, and we believe that working with skilled security researchers can identify weaknesses in any technology. If you believe you’ve identified a potential vulnerability in our systems, we ask that you report it to us in good faith. We are committed to working with researchers to resolve issues promptly and responsibly.

Disclosure Policy

If you discover a potential security vulnerability, please let us know by emailing us at security@cadencerpm.com. We will acknowledge your report within seven business days. Critical issues will be triaged within ten business days, and we will prioritize resolution accordingly. 

Please give us a reasonable amount of time to investigate and resolve the issue before disclosing it to the public or a third party. We value coordinated disclosure and will keep you updated on our progress.

Authorization and Safe Harbor

We consider security research conducted in good faith and in compliance with this policy to be authorized. Cadence will not initiate or support legal action against researchers who follow this policy. Should legal action be initiated by a third party, we will make it known that your activities were authorized under this policy. 

Testing Guidelines

Security research under this policy includes responsible testing practices. You should:

  • Notify us promptly after discovering a potential issue.
  • Limit testing to what’s necessary to confirm the vulnerability.
  • Avoid high-volume, low-quality submissions.
  • Refrain from violating any applicable laws or regulations during your testing.
  • Stop testing and notify us immediately if you encounter sensitive data, including personally identifiable information, financial details, or proprietary information. 

Out-of-Scope Activities

The following activities are not authorized under this policy:

  • Denial of service (DoS or DDoS) attacks or tests that degrade service availability.
  • Physical security testing (e.g. office access, open doors, tailgating).
  • Social engineering or phishing attempts.
  • Automated scanning that produces large volumes or low-quality reports. 

Scope

This policy applies to the Cadence platform available at https://cadence.care, including any related subdomains or services operated by Cadence.

Contact

Cadence is always open to feedback, questions, and suggestions. If you would like to talk to us, please feel free to email us at security@cadencerpm.com.

Thank you for helping to keep Cadence and our users safe!