Security | Health 365

Security at Health365

Our Responsible Disclosure Policy

Security is a top priority for us and we take it very seriously. We put a lot of effort into our application, infrastructure, and processes to ensure that Health365 is safe and secure for our customers and their health care needs. We also put a lot of effort into ensuring the security of our customers' data. However, if you discover a security vulnerability, we would appreciate your help in responsibly reporting it to us so that we can investigate and address it as soon as possible.

To responsibly disclose a security vulnerability in our website (health365online.com, or *.Health365online.com), mobile application (Health365, and Health365 Android applications), Cloud Infra or our services (APIs under www.health365online.com, app.health365online.com, api.health365online.com or the like):

Send a mail to wecareyou@Health365online.com with complete details that would allow us to reproduce the vulnerability. Feel free to include POC code, screenshots, or videos that would make it easier for us to reproduce it. Please also include your contact details, such as a phone number, so that we can reach you if we need more information from you.

All communication with us should remain absolutely confidential. You must destroy all the artifacts mentioned above (code, screenshots, videos) after the vulnerability is resolved.

In case you find a vulnerability that allows system access, you should refrain from proceeding further. You should not attempt to disrupt our service, destroy data or violate the privacy of customers.

Public Disclosure Policy and Third Party Disclosure Policy

By default, this program is in "Public Nondisclosure and Third Party Nondisclosure" mode, which means: "This Program does not allow public disclosure or any third party disclosure. One should not release information about vulnerabilities found in this program to the public or any third parties, failing which one shall be liable for legal penalties."

CSRF:
CSRF on forms that are available to anonymous users (e.g. the contact form, sign-up form)
Logout Cross-Site Request Forgery (logout CSRF)
Weak CSRF in the APIs

Login/Session related:
Forgot Password page brute force and account lockout not enforced
Sessions not expiring after email change
Presence of application or web browser 'autocomplete' or 'save password' functionality
Session Timeouts

Ownership

All Confidential Information furnished to the Participant by the Company shall remain the exclusive property of the Company and the Company shall have the sole and exclusive ownership of all right, title, and interest in and to the Confidential Information, including ownership of all copyrights, patents and trade secrets pertaining thereto, subject only to the rights and privileges expressly granted by the Company under the Terms mentioned herein above.

Promptly upon the Company’s request at any time, the Participant shall return / cause to be returned to the Company all the Confidential Information, including all materials or documents, any copies, summaries and notes of the contents thereof (whether in hard or soft copy form) without limitation, all copies of any analyses, compilations, studies or other documents prepared by and/or for Company, containing or reflecting any Confidential Information and give written certification accordingly.