- Vulnerability Disclosure Policy
Pharmeasy is committed to maintaining the security and integrity of our products. We value the privacy of our customers and partners and understand the importance of critical Healthcare data. We strive to safeguard our systems and data in compliance with security best practices and standards. While every effort is expended to ensure that the websites, mobile applications as well as internal systems are secured we welcome vulnerability reports that can help further enhance the security, integrity and privacy of our systems. We take each and every vulnerability disclosure seriously and are committed to creating a safe & transparent environment to report vulnerabilities.
- Reporters submitting a Vulnerability to Pharmeasy agree to be bound by the terms of the Vulnerability Disclosure Policy (“Terms“)
- We explicitly specify what is in scope and out of scope when discovering vulnerabilities and clearly mention the same in the sections below.
- Reporters should make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
- Reporters should only use/exploit to the extent necessary to confirm a vulnerability.
- Reporters should not use or exploit to compromise or exfiltrate data, establish command line access and/or persistence, or use/exploit to “pivot” to other systems.
- Once a reporter establishes that a vulnerability exists, or encounters any sensitive data, the reporter should stop any further testing and notify us immediately.
- Reporters shall keep any information about discovered vulnerabilities confidential after submitting the vulnerability report.
- We discourage violation of any applicable laws and breach of any agreements in order to discover vulnerabilities.
- Pharmeasy reserves the right to pursue legal action when the terms of this policy is violated or when testing is performed outside the scope of this policy.
- Pharmeasy may include an NDA and also make updates to this policy from time to time.
- The decision made by our security team regarding validity, severity & impact of a vulnerability will be considered final and cannot be contested.
- We may share your vulnerability reports with any affected partners, vendors or open source projects.
If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized, will work with you to understand and resolve the issue quickly, and Pharmeasy will not initiate or recommend legal action related to your research.
Web properties owned by Pharmeasy, specifically
If you encounter any of the below on our systems while testing within the scope of this policy, stop your test and notify us immediately
- Personally identifiable information
- Financial information (e.g. credit card or bank account numbers)
- Proprietary information or trade secrets of companies, partners or vendors.
- If the identified vulnerability can be used to potentially extract information sensitive information related to customers or internal systems, or impact our ability to function normally, then stop your test and notify us immediately. This is absolutely essentials for us to consider your disclosure a responsible one. We may take legal recourse if the identified vulnerabilities are exploited for unlawful gains or getting access to restricted customer or system information or impacting our systems.
Any services not expressly listed In Scope, such as any connected services, partner & vendor websites are excluded from scope.
- Connected services
- Partner & vendor websites
- Vendor Endpoints
- Delivery App Endpoints
- Warehouse Endpoints
- 3rd Party Applications
If there is a particular system not in scope that you think merits testing, please contact us to discuss it first. We may in our sole discretion modify or amend the scope of this policy from time to time.
- User interface bugs or typos.
- Network denial of service (DoS or DDoS) tests.
- Physical testing (e.g. office access, open doors, tailgating), social engineering (e.g. phishing, vishing), or any other non-technical vulnerability testing.
Vulnerabilities discovered on our systems while testing within the scope of this policy can be reported by emailing it to firstname.lastname@example.org Please ensure that the following information is available when submitting a vulnerability report.
- Description of the location and potential impact of the vulnerability. Please include any CVEs when available.
- A detailed description of the steps required to reproduce the vulnerability. Proof of concept (POC) scripts, screenshots, and screen captures are all helpful. Please use extreme care to properly label and protect any exploit code.
- Any technical information and related materials we would need to reproduce the issue.
- If possible please include the contact details (email, mobile number) to let our Security team reach out to you for any clarifications.
Please keep your vulnerability reports current by sending us any new information as it becomes available. We may share your vulnerability reports with any affected partners, vendors or open source projects.
Pharmeasy does not have a bounty/cash reward program for vulnerability disclosures, but we express our gratitude for your contribution in different ways. For genuine ethical disclosures, we will gladly acknowledge your contribution publicly in this section of our website. Of course, this will only be done if you want a public acknowledgement.
- Must be the first person to responsibly disclose the vulnerability
- Vulnerability discovered must be found when testing within the scope of this policy
- Reported vulnerability significantly impacts security and integrity of Pharmeasy products or impacts the privacy of customer or partner data.
- Vulnerabilities are rated Critical, High, Medium and low, Only vulnerabilities rated Critical and High are eligible for the Hall of Fame.