Responsible Disclosure Policy

eClinicalWorks asks its clients and security researchers to allow eCW the opportunity to investigate and correct a vulnerability within a reasonable timeframe. This research period enables eClinicalWorks to develop, test, and distribute a corrective patch to its clients.

In the event of software vulnerabilities, eClinicalWorks determines the best course of action to remediate the situation and provide the necessary patch.

Reporting a System Vulnerability to eClinicalWorks
  • Submit a Vulnerability Report via:
  • In your report, please include the following information:
    • Product name
    • Product version
    • Area of the product where the vulnerability was detected
    • Conditions under which the vulnerability was identified
  • Include detailed information in the Vulnerability Report e-mail to enable the eCW Security Team to reproduce the vulnerability
  • Allow a reasonable amount of time for eCW to correct the issue before making any information public

Please note that this report should not be construed as encouragement or permission to perform any of the following activities:

  • Decompile, disassemble, or reverse-engineer any software
  • Modify or destroy data
  • Hack, penetrate, or otherwise attempt to gain unauthorized access to customer data in violation of applicable law
  • Adversely impact eClinicalWorks operations or systems

eClinicalWorks does not waive any rights or claims with respect to such activities or any others. This document is not intended to, and does not, replace contracted for terms and conditions previously negotiated between eClinicalWorks and its Customers.

Your help is appreciated in disclosing vulnerabilities to eClinicalWorks in a responsible manner.

Thank you,