Reporting Suspected Vulnerabilities
Healthy.io takes security very seriously and investigates all reported vulnerabilities. This page describes its practice for addressing potential vulnerabilities in any aspect of its cloud services.
If you would like to report a vulnerability or have a security concern regarding Healthy.io cloud services, please email [email protected]
A dedicated security team works alongside the Cloud Services team and investigates all reports of security vulnerabilities affecting Healthy.io products and services. To respond to a report more effectively, Healthy.io requests any supporting material (proof-of-concept code, tool output, etc.) that would help the company understand the nature and severity of the vulnerability. The information shared with Healthy.io as part of this process is kept confidential; Healthy.io will not share it with third parties without permission. Healthy.io will review the submitted report and assign it a tracking number. It will then respond acknowledging receipt of the report and outlining the next steps in the process.
Evaluation by Healthy.io
After the entity submits the report, Healthy.io will work to validate the reported vulnerability. If it requires additional information to validate or reproduce the issue, Healthy.io will work with the entity to obtain it. When the initial investigation is complete, it will deliver the results with a plan for resolution and public disclosure. A few things to note about Healthy.io’s evaluation process:
Confirmation of Non-Vulnerabilities
If Healthy.io cannot validate the issue, or finds it not to be a flaw in a Healthy.io product, it will share that finding with the entity.
Vulnerability Classification
Healthy.io uses version 2.0 of the Common Vulnerability Scoring System (CVSS) to evaluate potential vulnerabilities. The resulting score helps quantify the severity of the issue and prioritize its response. For more information on CVSS, please see the CVSS-SIG announcement at: http://www.first.org/cvss/
Healthy.io commits to being responsive and keeping the entity informed of its progress as it investigates and/or mitigates the reported security concern. The entity will receive a non-automated response to its initial contact within 24 hours, confirming receipt of the reported vulnerability. The entity will receive progress updates at least every five working days.
Public Notification
If applicable, Healthy.io will coordinate public notification of a validated vulnerability with the entity. When possible, Healthy.io prefers that both parties post their respective public disclosures simultaneously. To protect its customers, Healthy.io requests that the entity does not post or share any information about a potential vulnerability in any public setting until Healthy.io has researched, responded to, and addressed the reported vulnerability and informed customers if required. Healthy.io also respectfully asks the entity not to post or share any data belonging to its customers. The time needed to address a valid reported vulnerability varies with the severity of the vulnerability and the affected systems. Healthy.io public notifications take the form of security bulletins posted in its Security Trust Center. Individuals, companies, and security teams typically post their advisories on their own websites and other forums; when relevant, Healthy.io will include links to those third-party resources in its security bulletins.