Vulnerability Disclosure Policy
Program Overview
We invite security researchers to help identify vulnerabilities that could impact the confidentiality, integrity, or availability of our systems or customer data. Our goal is to foster a transparent, collaborative, and rewarding process that improves our overall security posture.
Scope of Testing
In Scope
Researchers are encouraged to test the following assets and behaviors:
| Category | Assets / Endpoints | Example Focus Area |
|---|---|---|
| Web Applications | | Authentication, authorization, session handling, data exposure, business logic |
| Public APIs | https://api.example.com/v1/* | Improper access control, IDORs, injection flaws, insecure endpoints |
| Mobile Applications | iOS / Android apps connecting to production APIs | API security, certificate pinning, data leakage, weak local storage |
| Public Cloud Services | Any externally accessible AWS/Azure resources | Misconfigured S3 buckets, SSRF, secrets exposure |
| Open Source Projects | Repos under github.com/example-org | Dependency injection, unsafe deserialization, token exposure |
Tip: If you're uncertain whether something is in scope, ask before testing.
Out of Scope
Reports will be marked out of scope if they target:
- Social engineering, phishing, or physical security
- Denial of Service (DoS/DDoS, stress tests)
- Automated scanning without prior approval
- Third-party or managed services not owned by us
- Low-impact findings such as:
  - Missing SPF/DKIM/DMARC
  - Lack of HTTP security headers
  - TLS configuration issues (e.g., weak ciphers without exploitability)
  - Clickjacking with no sensitive action
  - Rate limiting or brute-force attacks on non-sensitive endpoints
  - Open redirect without impact
  - Self-XSS or post-authenticated reflected XSS
Safe Harbor Policy
We want researchers to test in good faith and without fear of legal repercussions.
1. Authorization:
You are authorized to test systems explicitly listed as in-scope and report vulnerabilities to us.
2. Good Faith Commitment:
Do not access, modify, or destroy data that doesn't belong to you. Stop testing immediately and report if you gain access to sensitive information.
3. No Legal Action:
We will not pursue or support any legal action against individuals who:
  - Respect the program rules and scope
  - Report vulnerabilities promptly and responsibly
4. Privacy:
Avoid accessing or disclosing personal data. If encountered, stop immediately, notify the company, and include only the minimal details necessary to reproduce the access.
5. Confidentiality:
Do not publicly disclose vulnerabilities without prior written consent and approval.
6. Disclosure Timelines:
We aim to acknowledge valid reports within 3 business days, triage within 10 business days, and provide remediation updates thereafter.
Severity Guidelines
Rewards depend on the severity, impact, and quality of the report. The following are examples of vulnerability types and the likely associated severity.
| Severity | Typical Examples |
|---|---|
| Critical | Remote code execution, full data exfiltration, auth bypass, account takeover |
| High | Privilege escalation, SQLi, IDOR with sensitive data access, major business logic abuse |
| Medium | Stored XSS, SSRF, and CSRF leading to state change, partial data disclosure |
| Low | Missing access controls on non-sensitive data, reflected XSS, and information leakage |
| Informational | No reward (acknowledged if useful for defense-in-depth improvements) |
Bounty Determination Factors
- Impact: Risk to confidentiality, integrity, availability, or business continuity.
- Exploitability: Ease and reliability of exploitation.
- Quality: Clarity, reproducibility, and completeness of the report.
- Duplicates: Only the first valid submission is eligible.
Submission Guidelines
To qualify for a bounty:
- Submit all reports to security@remedymeds.com.
- Provide a clear and detailed report, including:
  - Steps to reproduce
  - Proof-of-concept (screenshots, requests/responses, or video)
  - Suggested mitigation if known
- Do not share your report publicly without prior written authorization from the company.