Vulnerability Disclosure Policy

Enterprise and Healthcare Security Reporting Guidance

Curo is committed to working with the security community to identify and address potential vulnerabilities in our systems. We appreciate the efforts of security researchers who help us maintain the highest standards of security for our healthcare customers and their patients.

How to Report a Security Issue

Please report potential vulnerabilities to support@curoai.com

We take all security reports seriously and will respond promptly to investigate and address valid issues.

Please Include

  • A clear description of the issue and affected asset, application, URL, or environment
  • Steps to reproduce the issue and any proof of concept, screenshots, logs, or supporting evidence
  • The potential impact of the issue
  • Your contact information for follow-up

Guidelines for Responsible Testing

  • Act in good faith and avoid any activity that could disrupt services or impact customers or operations
  • Do not access, alter, store, or exfiltrate data that does not belong to you
  • Do not attempt to access protected health information, personal information, financial information, or other sensitive customer data
  • Do not perform social engineering, phishing, physical attacks, denial-of-service attacks, spam, or extortion
  • Do not publicly disclose the issue until Curo has had a reasonable opportunity to investigate and remediate

What to Expect

  • Acknowledgment of your report within 3 business days
  • An initial assessment and triage within 10 business days
  • Ongoing communication as we investigate and remediate the issue
  • Notification when the vulnerability has been resolved

Scope

This policy applies to all Curo-owned and operated systems, including:

  • curoai.com and all subdomains
  • Curo's AI voice platform and APIs
  • Customer-facing dashboards and portals
  • Mobile applications (if applicable)

Out of scope: Third-party services and infrastructure not owned or operated by Curo, social engineering of Curo employees or customers, and physical security attacks.

Safe Harbor

Curo will not pursue legal action against security researchers who discover and report vulnerabilities in good faith and in accordance with this policy.

To qualify for safe harbor, you must: comply with all guidelines in this policy, make a good faith effort to avoid privacy violations and disruption to our services, report the vulnerability promptly and provide us reasonable time to remediate before any public disclosure, and not exploit the vulnerability beyond what is necessary to demonstrate the issue.

We consider security research conducted in accordance with this policy to be authorized conduct and will work with researchers to understand and resolve issues quickly.

Report a Vulnerability

If you believe you have found a security vulnerability in any Curo system, please report it responsibly. We are committed to working with you to resolve the issue promptly.

Additional security contacts:

support@curoai.com
(800) 600-1415