RESPONSIBLE DISCLOSURE POLICY

At MedVol, we take the security of our systems seriously, and it is our constant endeavour to make our website and app a safe place for our customers to browse. In the rare case that a security researcher or member of the public identifies a vulnerability in our systems and responsibly shares the details with us, we appreciate their contribution, work closely with them to address the vulnerability with urgency, and, where appropriate, acknowledge their contribution. MedVol reserves the right to determine whether a report is valid, based on the impact of the vulnerability.

Rules of Engagement

You give us reasonable time to investigate and mitigate a vulnerability that you report.

Please refrain from accessing sensitive information (use a test account and/or test system instead), performing actions that may negatively affect other MedVol users (such as denial of service), or sending reports generated by automated tools.

You do not exploit a security vulnerability that you discover for any reason. (This includes demonstrating additional risk, such as attempted compromise of sensitive company data or probing for additional issues.)

You do not violate any laws or breach any agreements in order to discover vulnerabilities.

You do not publicly disclose details of a security vulnerability that you've reported without MedVol's permission.

Programme terms

We recognise security researchers who help us to keep users safe by reporting vulnerabilities in our services. Recognition for such reports is entirely at MedVol's discretion, based on risk, impact and other factors. To be recognised by MedVol, you first need to meet the following requirements:

Adhere to our Responsible Disclosure Policy

Report a security bug: identify a vulnerability in our services or infrastructure which creates a security or privacy risk. (Note that MedVol ultimately determines the risk of a vulnerability, and that many software bugs are not security vulnerabilities.)

Your report must describe a problem involving one of the products or services listed under "Scope".

We specifically exclude certain types of potential security vulnerabilities; these are listed under "Exclusions".

If you inadvertently cause a privacy violation or disruption (such as accessing account data, service configurations or other confidential information) while investigating a vulnerability, make sure that you disclose this in your report.


In turn, we will follow these guidelines when evaluating reports under our responsible disclosure programme:

We investigate and respond to all valid reports. Due to the volume of reports that we receive, however, we prioritise evaluations based on risk and other factors, and it may take some time before you receive a reply.

We determine recognition in our hall of fame based on a variety of factors, including (but not limited to) impact, ease of exploitation and quality of the report. Note that extremely low-risk vulnerabilities may not qualify for the hall of fame at all.

In the event of duplicate reports, we give recognition to the first person to submit a vulnerability. (MedVol determines duplicates and may not share details on the other reports.)

Note that your use of MedVol services, including for the purposes of this programme, is subject to MedVol's Terms and Policies. We may retain any communications about security vulnerabilities that you report for as long as we deem necessary.

Scope

Android MedVol

iOS MedVol

Android MedVol Assist

iOS MedVol Assist

https://admin.medvol.in


How to Report a Vulnerability?

If you have identified a vulnerability in any of our web or mobile app properties, we request that you follow the steps outlined below:

Please submit the vulnerability report with the details necessary to recreate the vulnerability scenario. This may include screenshots, videos or simple text instructions.

If possible, share your contact details (phone number) with us, so that our security team can reach out to you if further input is needed to identify or close the problem.

If the identified vulnerability could be used to extract information about our customers or systems, or to impair our systems' ability to function normally, please refrain from actually exploiting it. This is absolutely necessary for us to consider your disclosure a responsible one.

While we appreciate the input of white-hat hackers, we may take legal recourse if identified vulnerabilities are exploited for unlawful gain, to access restricted customer or system information, or to impair our systems.


Report a Vulnerability

Send an email to contact@medvol.in


Qualifying Vulnerabilities

Any design or implementation issue that is reproducible and substantially affects the security of MedVol users is likely to be in scope for the program. Common examples include:

Injection vulnerabilities

Cross Site Scripting (XSS)

Cross Site Request Forgery (CSRF)

Remote Code Execution (RCE)

Authentication/Authorisation flaws

Domain takeover vulnerabilities

Account takeover of other MedVol users (while testing, use a second test account of your own to validate)

Any vulnerability that can affect the MedVol brand, user data or financial transactions


Exclusions

The following systems are out of scope, and reports against them are unlikely to be eligible:

Connected services

Partner & Vendor websites

Vendor Endpoints

3rd Party applications

If there is a particular system not in scope that you think merits testing, please contact us to discuss it first. We may in our sole discretion modify or amend the scope of this policy from time to time.


The following types of tests are not authorised:

User interface bugs or typos

Network denial of service (DoS or DDoS) tests

Physical testing (e.g. office access, open doors, tailgating), social engineering (e.g. phishing), or any other non-technical vulnerability testing


Acknowledgements

We do not have a bounty or cash reward programme for such disclosures, but we express our gratitude for your contribution in other ways. For genuine ethical disclosures, we would be glad to acknowledge your contribution.