Security

Coordinated Vulnerability Disclosure Policy

We welcome security researchers to inform us of any vulnerabilities that could put human safety and security at risk or that could compromise the confidentiality, integrity, or availability of our systems.

Introduction

This policy lays out how we interact with and structure an informed dialog with any security researcher who reports potential vulnerabilities and enumerates our intentions, expectations, and intake mechanisms for how to coordinate these interactions.

Program scope

HumanFirst authorizes good-faith research into any of our digital assets, including:

  • Our web portal
  • Our web infrastructure (hosted on AWS)
  • Our GitHub repositories

Additionally, all vulnerabilities that require or are related to the following are out of scope:

  • Social engineering
  • Physical security

For vulnerabilities in third-party libraries, systems, or code, we will guide researchers to report those to the appropriate parties (directly, or through third parties, like the CERT/CC). If reported to HumanFirst, we may also report the issue through our supply chain and to relevant third parties, because this can improve responsiveness by the software or product supplier.

In addition to reporting violations directly to HumanFirst, potential vulnerabilities associated with any software or product listed in our Atlas catalog should be reported to the software or product supplier directly.

We do not currently pay bounties or maintain a "hall of fame" for vulnerability reports.

HumanFirst supports security researchers acting in good faith!

We believe that well-intentioned security research improves patient safety and overall clinical effectiveness. We do not intend to take legal action against security researchers who appear to be acting in good faith. We consider research conducted under this policy to be:

  • Authorized in view of applicable anti-hacking and anti-circumvention laws; and
  • Exempt from conflicting restrictions in documentation governing our in-scope digital assets, as indicated above.

You are expected, as always, to comply with all applicable laws. If legal action is initiated by a third party against you, to the extent your research was conducted in compliance with this policy, we will cooperate by providing this policy and a record of the actions you took to provide information under it. For the avoidance of doubt, however, we will not be liable for any liability or costs associated with any legal action taken against you by any third party.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our official channels before going any further.

What we expect from security researchers

We want to encourage vulnerability research, so to avoid any confusion between legitimate research and malicious activity, we ask that you, in good faith:

  • Follow the rules and expectations in this policy and any other relevant agreement or policy set forth by HumanFirst;
  • Comply with any and all applicable laws;
  • Promptly report any potential vulnerability you've discovered;
  • Avoid violating others' privacy, disrupting our systems, destroying data, and/or harming user experience;
  • Protect the confidentiality of the details of any discovered vulnerabilities;
  • If a vulnerability provides unintended access to data:
      • Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and
      • Cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII) (which can include certain product identifiers, as well as more traditional personal information), Protected Health Information (PHI), credit card data, or proprietary or confidential business information (such as trade secrets, intellectual property, and the like);
  • Use only our official channels to discuss vulnerability information with us;
  • Perform testing only on in-scope digital assets, and respect assets and activities which are out-of-scope;
  • Limit interactions to test accounts you own;
  • Use accounts only with the explicit permission of the account holder;
  • Notify us of any plans or intentions for public disclosure, including timing and methods; and
  • Not engage in extortion.

What you can expect from us

When interacting with us in accordance with this policy, you can expect us to:

  • Respond to your submission within 10 days;
  • Maintain an open and productive dialog;
  • Work with you to understand and validate your report;
  • Address validated vulnerabilities in a timely manner;
  • Update you on progress, as appropriate; and
  • Notify you when we believe we have sufficiently addressed the reported issue.

How to report a vulnerability

To report a potential security vulnerability, send a message to [email protected].
We strongly prefer to use PGP, and you can find our PGP key here: PGP Key

Submission preferences and prioritizations

Reports will be most helpful if they:

  • Are concise and strictly fact-based;
  • Include how the vulnerability was found, the impact, and any remediation suggestions;
  • Include proof-of-concept code to help diagnose root causes as quickly as possible;
  • Include crash dumps and automated tool output where available; these are helpful on their own, but significantly more valuable when accompanied by code or clearly defined steps toward reproducibility;
  • Use videos only in support of the proof-of-concept and/or reproducibility steps; we discourage any submission that is only video; and
  • Are submitted in English; however, no submission will go unattended.

We encourage all good-faith reports; however, we have no control over third-party products. When appropriate, we will involve third-parties in issues as immediately and as responsibly as possible.

Further references

We developed this policy with the help of individuals from the leading coordinated vulnerability disclosure organizations and other resources, below:

Versioning

  • 2019-10-08: Initial Publication
  • 2019-12-02: Minor changes to verbiage
  • 2020-05-04: Public GPG Key updated
  • 2021-02-25: Public GPG Key updated
  • 2023-08-14: Moved to CVD security URL