Least access
Patient pages are gated server-side, administrative pages require a separate role, and sensitive actions require stronger checks.
Security is part of the product boundary, especially when accounts, health-related interactions, camera access, and voice access share one experience.
Effective July 15, 2026Patient pages are gated server-side, administrative pages require a separate role, and sensitive actions require stronger checks.
Camera and microphone are default-denied and allowed only on the focused session route after a user acts.
Content Security Policy, CSRF checks, RLS, rate limiting, audit events, input validation, and restricted service credentials protect different boundaries.
Email hello@costpluspt.com with a concise description, affected URL, impact, and safe reproduction steps. Do not include passwords, access tokens, private health details, or another person’s data in the first message.
Do not access or modify another user’s data, use social engineering, perform denial-of-service testing, degrade production, send malware, run large automated scans, or publicly disclose an issue before we have a reasonable opportunity to investigate. We do not authorize testing that violates law or third-party terms.
We will acknowledge a credible report when possible, investigate based on severity, and communicate material updates. We do not currently operate a bounty program and cannot promise payment.