Vulnerability Disclosure Policy
1. Purpose
Security of our systems is a top priority, and we take pride in our efforts to secure our systems, applications, and, importantly, patient and customer data. Despite our efforts, no software or system is ever completely bug-free, and from time to time there may be security issues.
This policy outlines our approach to security vulnerabilities and allows security researchers to share their findings with us. This policy will be made available to all internet users on the Ellume website.
If you think you have found a potential vulnerability in one of our systems, services or products, please tell us as quickly as possible. We will credit you as the person who discovered the vulnerability unless you prefer us not to.
We will not compensate you for finding potential or confirmed vulnerabilities.
2. Scope
This policy covers any product or service that is owned by Ellume to which you have lawful access. This policy does not cover:
- Clickjacking
- Social engineering
- Phishing
- Denial of service (DoS)
- Physical attacks
- Attempts to modify or destroy data
3. Definitions (including acronyms)
| Term | Definition |
|---|---|
| Clickjacking | Clickjacking is an attack that tricks a user into clicking a webpage element which is invisible or disguised as another element. This can cause users to unwittingly download malware, visit malicious web pages, provide credentials or sensitive information, transfer money, or purchase products online. |
| Denial of Service (DoS) | Denial of Service (DoS) is a type of attack on a service that disrupts its normal function and prevents other users from accessing it. |
| Phishing | Phishing is a fraudulent attempt to trick you into giving out your private personal, commercial, or financial details. These messages may look real, as the attackers might use company logos and branding, and links to authentic-looking websites. Phishing messages are common scams that you receive by email, text message, social media, or over the phone. |
| Social engineering | Social engineering is a manipulation technique that exploits human error to gain private information, access, or valuables. |
| Vulnerability | A vulnerability is a weakness in a system or device that can be exploited to allow unauthorized access, elevation of privileges, or denial of service. |
4. References
| Identifier | Title |
|---|---|
| D1001765 | Information Security |
| D1001776 | IT Security Policy |
| POL025 | Privacy Policy |
5. How to report a vulnerability
- To report a vulnerability, send an email to security@ellumehealth.com.
- Include enough detail so we can reproduce your steps.
- If you report a vulnerability under this policy, you must keep it confidential.
- Do not make your research public until we have finished investigating and fixed or mitigated the vulnerability.
6. Responsible vulnerability disclosure
In general, we follow the practice of responsible vulnerability disclosure:
- We will respond to security findings as a priority.
- We will fix the issue as soon as practicable, depending on the severity of the issue.
- We will keep you informed of our progress.
- We will agree on a date for public disclosure if required.
We promise not to take legal action against anyone who acts in good faith and complies with our responsible disclosure guidelines.
Last Updated: April 15, 2021
D1025853A