Vulnerability Disclosure Policy
Introduction
At GetWellNetwork, Inc. (Get Well), we understand that the security of our systems, users’ data, services, and physical properties is paramount. We acknowledge the invaluable role that the security research community plays in helping us maintain these priorities. We have established this Vulnerability Disclosure Policy to guide and encourage responsible security research.
Scope
This policy covers all digital and physical assets under the purview of Get Well. This includes, but is not limited to, software systems, hardware devices, services, buildings, and other properties owned by Get Well, except those explicitly deemed out of scope.
Any systems, data, or physical properties not owned by Get Well fall outside this policy’s scope. Furthermore, systems actively used by patients or containing patient data are strictly prohibited from testing. This prevents unauthorized access, averts potential harm, and protects privacy.
Commitments
When you engage with us according to this policy, you can anticipate that we will:
- Extend a Safe Harbor for your vulnerability research, provided it aligns with this policy;
- Collaborate with you to understand and validate your report, aiming to provide an initial response to the report within 72 business hours of submission;
- Acknowledge your contribution on our https://getwellnetwork.com/researcherswalloffame page if you are the first to report the vulnerability, and we implement a code or configuration change.
Expectations
In adherence to this policy, we pledge to:
- Abstain from pursuing or supporting any legal action related to your research;
- Collaborate with you to comprehend and rectify the issue promptly;
- Recognize your contributions towards augmenting our security.
In return, we expect security researchers to:
- Respect individuals’ privacy and refrain from accessing, retrieving, or disseminating any personal data encountered during their research;
- Avoid actions that could jeopardize the usability, stability, or security of our services, systems, or data;
- Refrain from testing out-of-scope systems or those containing active patient data;
- Understand that breaching this policy will invalidate the Safe Harbor. In such instances, Get Well reserves the right to exercise all legal options available;
- Refrain from leveraging the vulnerability disclosure process to market services or products from security companies intending to collaborate with Get Well.
Official Communication Channels
Please send all vulnerability submissions to [email protected]. For sensitive communication, our GPG short key is 257D876F (fingerprint: 8771718F3BC782E15E0874C113268702257D876F). Please provide comprehensive information to expedite our understanding and rectification of the vulnerability.
Disclosure Policy
We strongly believe in the principle of responsible disclosure of vulnerabilities. Please give us adequate time to address the vulnerability before publicizing any information. We will notify you when the vulnerability is rectified, after which you are free to disclose it.
Safe Harbor
To foster an open and welcoming environment, we pledge to view your research on our systems and physical properties, conducted within this policy’s scope, as legal and contributory to our mission. Contingent upon your compliance with this policy and applicable laws, you will not be prosecuted for your findings, and we will refrain from legal action against you.
Compensation
Although we do not offer monetary rewards for vulnerability disclosures, we appreciate the effort and expertise involved in security research. Get Well will acknowledge researchers adhering to this policy and disclosing vulnerabilities responsibly on our https://getwellnetwork.com/researcherswalloffame page. Please note, however, that participation in our vulnerability disclosure program does not guarantee compensation, monetary reward, or the use of the researcher’s commercial services and/or their affiliates.
Review and Approval
Please be aware that this policy is subject to change. Get Well reserves the right to amend, supplement, or discontinue this policy at any time. Continued security research on your part constitutes acceptance of any changes to this policy.
This policy does not grant permission to act in a manner inconsistent with the law or to disrupt, compromise, or alter any data not owned by you. Please maintain a responsible and respectful approach to your research activities.
The Vulnerability Disclosure Policy is reviewed by Get Well at least annually or when there are significant changes in the environment. Maintenance of this policy incorporates the Plan, Do, Check, Act (PDCA) cycle for continuous improvement. When information is obtained that could improve this policy or any shortcomings are discovered, the program is updated. This policy is protected, controlled, and retained in accordance with federal, state, and organizational requirements.
The Vulnerability Disclosure Policy is supported by additional policies, standards, guidelines, procedures, and processes.