Pharmeasy Vulnerability Disclosure Policy
  • Introduction
  • Vulnerability Disclosure Policy
    • Authorization
    • Program Guidelines
    • Scope
      • In Scope
      • Out Of Scope
    • Reporting an Issue
    • Recognition
      • Eligibility for Hall of Fame
    • Hall of Fame
Introduction

PharmEasy delivers digital healthcare for everyone by providing access to appointments, prescription and tele consultation with doctors. Doctors leverage our best in class practice management app to ease practice, patient & prescription management. PharmEasy is committed to maintaining the security and integrity of our products. We value the privacy of our customers, doctors and partners and understand the importance of critical Healthcare data. We strive to safeguard our websites, mobile applications as well as internal systems and welcome vulnerability reports that can help further enhance the security, integrity and privacy of our systems. We take each and every vulnerability disclosure seriously and are committed to creating a safe & transparent environment to report vulnerabilities.

Vulnerability Disclosure Policy
Authorization

If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized, will work with you to understand and resolve the issue quickly, and Pharmeasy will not initiate or recommend legal action related to your research.

Program Guidelines
  • Do not cause harm to Pharmeasy, our customers, our business partners, our affiliates, or others;
  • Do not conduct social engineering, including the use of spear phishing tactics, of Pharmeasy personnel, clients, customers, business partners or contractors.
  • Do not impact the integrity or availability of any systems or users or the operation of our applications, systems or services, including through any type of brute force attacks, any types of denial of service attacks, destruction of data, and interruption or degradation of our services;
  • Do not publicly disclose or share with a third party any potential vulnerabilities reported under this program without receiving our express written authorization in accordance with the confidentiality provision below.
  • Do not compromise the privacy or safety of our employees, customers, or users.
  • Do provide a clear fact-based description of the vulnerability, including the target, steps, tools, and artifacts used during discovery (the detailed summary will allow us to reproduce the vulnerability). Please include a description and explanation of the security issue identified and proof of concept (if applicable)
  • Do not alter, remove, or upload files in any situation and/or part of any remote code execution (RCE) exploit. Do not read sensitive system files or modify file permissions in any situation. Furthermore, you are not permitted to interact with the underlying OS or services or any other components such but not limited to databases, jump servers, application servers, etc.
  • Pharmeasy does not participate in compensated bug bounty awards at this time;
  • Pharmeasy may choose to disregard submissions by parties who submit a high volume of low quality, incomplete, and/or non- actionable reports;
  • Do comply with all applicable laws.
Scope
In Scope

Web properties owned by Pharmeasy, specifically

If you encounter any of the below on our systems while testing within the scope of this policy, stop your test and notify us immediately

  • Personally identifiable information
  • Financial information (e.g. credit card or bank account numbers)
  • Proprietary information or trade secrets of companies, partners or vendors.
  • If the identified vulnerability can be used to potentially extract information sensitive information related to customers or internal systems, or impact our ability to function normally, then stop your test and notify us immediately. This is absolutely essentials for us to consider your disclosure a responsible one. We may take legal recourse if the identified vulnerabilities are exploited for unlawful gains or getting access to restricted customer or system information or impacting our systems.
Out Of Scope
  • Clickjacking on pages with no sensitive actions.
  • Unauthenticated/logout/login CSRF.
  • Attacks requiring MITM or physical access to a user's device.
  • Previously known vulnerable libraries without a working Proof of Concept.
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.
  • Missing best practices in SSL/TLS configuration.
  • Any activity that could lead to the disruption of our service (DoS or DDoS).
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
  • Physical or social engineering attempts (this includes phishing attacks against EG employees).
  • Disclosure of known public files or directories.
  • Use of outdated software
  • Reports from automated tools or scans.
  • Mail configuration issues including SPF, DKIM, DMARC settings.

Any services not expressly listed In Scope, such as any connected services, partner & vendor websites are excluded from scope.

  • Connected services
  • Partner Endpoints
  • Vendor Endpoints
  • Delivery Endpoints
  • Warehouse Endpoints
  • 3rd Party Applications
Reporting an issue

Vulnerabilities discovered on our systems while testing within the scope of this policy can be reported by emailing it to infosec@pharmeasy.in Please ensure that the following information is available when submitting a vulnerability report.

  • Description of the location and potential impact of the vulnerability. Please include any CVEs (Common Vulnerabilities and Exposures) when available.
  • A detailed description of the steps required to reproduce the vulnerability. Proof of concept (POC) scripts, screenshots, and screen captures are all helpful. Please use extreme care to properly label and protect any exploit code.
  • Any technical information and related materials we would need to reproduce the issue.
  • If possible please include the contact details (email, mobile number) to let our Security team reach out to you for any clarifications.
Note that reports that include only crash dumps or other automated tool output will not be accepted.

Please keep your vulnerability reports current by sending us any new information as it becomes available. We may share your vulnerability reports with any affected partners, vendors or open source projects.

Recognition

Pharmeasy does not have a bounty/cash reward program for vulnerability disclosures, but we express our gratitude for your contribution in different ways. For genuine ethical disclosures, we will gladly acknowledge your contribution publicly in this section of our website. Of course, this will only be done if you want a public acknowledgement.

Eligibility for Hall of Fame
  • Must be the first person to responsibly disclose the vulnerability
  • Vulnerability discovered must be found when testing within the scope of this policy
  • Reported vulnerability significantly impacts security and integrity of Pharmeasy products or impacts the privacy of customer or partner data.
  • Vulnerabilities are rated Critical, High, Medium and low, Only vulnerabilities rated Critical and High are eligible for the Hall of Fame.

Hall of Fame

2021
Sandeep Srinivasan
https://www.linkedin.com/in/sandeep-srinivasan-311516139/
Aakash Patel
https://twitter.com/AAKASH_6250
2023
Ankur Pathak
https://www.linkedin.com/in/ankur-pathak-616521194
2024
Rishabh Jain
https://www.linkedin.com/in/rishabh-jain-623b20169
Aditya Patel
https://www.linkedin.com/in/aditya-patel-b32a97243
1 Lakh+ Products
We maintain strict quality controls on all our partner retailers, so that you always get standard quality products.
Secure Payment
100% secure and trusted payment protection
Easy Return
We have a new and dynamic return window policy for medicines and healthcare items. Refer FAQs section for more details.
Download the App for Free