Commitment
The Doctors Company is committed to ensuring the security of its customers by protecting their information from unwarranted disclosure. If you discover a potential information security issue, we want to hear about it so we can fix it. This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities and to convey our preferences in how to submit discovered vulnerabilities to us. We may modify or terminate this policy at any time.
Safe Harbor
If you make a good faith effort to comply with this policy during your activities, The Doctors Company will consider your activities to be authorized, work with you to understand and resolve the issue quickly, and will not recommend or pursue legal action related to your activities.
The Doctors Company’s Policy/Guidelines
- After discovering a real or potential information security issue, notify The Doctors Company as soon as practicable using the online form, providing as much supporting detail as possible.
- You only view or store The Doctors Company nonpublic data to the extent necessary to document and/or prove the existence of a potential vulnerability.
- You delete any stored The Doctors Company nonpublic data after reporting the vulnerability to The Doctors Company.
- You provide valid contact information so we can contact you with any questions.
- You do not disclose to anyone, publicly release, or post online any The Doctors Company vulnerability information without prior written permission from The Doctors Company.
- You only exploit a vulnerability to the extent necessary to confirm the presence of a vulnerability.
- You do not intentionally compromise the privacy or safety of any The Doctors Company personnel, members, or related third parties.
- You do not engage in:
  - Social engineering, pretext calling, unsolicited electronic mail, or phishing attempts of any kind against The Doctors Company employees or contractors.
  - Denial-of-Service or Resource Exhaustion testing.
  - Use of malware or other malicious software.
  - Any testing that may cause damage or degradation to The Doctors Company systems or that may intentionally impair, disrupt, or disable The Doctors Company systems.
  - Ongoing testing of a vulnerability after reporting to The Doctors Company.
- After determining that a vulnerability exists or encountering sensitive data (such as, but not limited to, personally identifying information, protected health information, financial information, proprietary information, or trade secrets), you must stop your activity/test, notify The Doctors Company immediately, and not disclose the data to anyone else.
- You do not engage in physical security testing of any facilities or resources.
- You do not retain, share, alter, or destroy The Doctors Company data or render The Doctors Company data inaccessible.
- You do not test any system other than the systems set forth in the “Scope” section below.
Scope
This policy applies to the following systems and services:
- Portal.thedoctors.com
- Secure.thedoctors.com
- Visitor.thedoctors.com
- https://benchmarking.tdcspecialty.com/
- https://clientportal.fojp.com/
- https://Edocs.fojp.com/
- https://CheckBox.HICGroup.com/
- https://renewal.HICGroup.com
Any service not expressly listed above, such as connected services, is excluded from the scope and is not authorized for testing. Testing any other service, even with good intentions, may be considered unauthorized activity. While we support responsible disclosure and value your contributions, actions outside the defined scope could result in legal consequences. Additionally, vulnerabilities found in systems from our vendors fall outside of this policy’s scope and should be reported directly to the vendor according to their Vulnerability Disclosure Policy (if any).
Please note that the initial response SLA from The Doctors Company is 1 to 3 business days. This response will just be a confirmation of receipt. The Doctors Company is committed to correcting reported vulnerabilities in a timely manner. However, depending on the nature of your discovery, it may take time to validate and implement corrective actions. Therefore, we require that you refrain from sharing information about discovered vulnerabilities for at least 180 calendar days after your submission and then only with written permission from The Doctors Company. If you believe others should be informed of the vulnerability prior to our implementation of corrective actions, we request that you coordinate in advance with us.
Once submitted, allow us a reasonable time frame to provide some feedback. Our security team must:
- Reproduce and confirm the vulnerability as described in your report.
- Establish a severity score according to CVSS 3.1.
- Consider the recommendations from your report and build an action plan with relevant teams.
- Maintain communication with the reporter until the case is resolved.
Important Notices or Guidelines
This policy is treated as a vulnerability disclosure policy, not a bug bounty. Vulnerability disclosures are generally not paid. Additionally, exploits should not be used for any kind of data compromise.
We kindly ask you to keep the report and its content confidential until the appropriate corrective measures are released in production and you receive written permission from The Doctors Company to publicly disclose. Please also note that exploiting a reported vulnerability abusively or for illegal, malicious, or other inappropriate purposes may result in legal prosecution of the reporter, which could lead to civil or criminal liability. An action is considered abusive or inappropriate when its purpose compromises customer-related or internal confidential information in an undue or disproportionate manner, or when such an action has some aim other than the demonstration of a vulnerability.
Use this form to submit a discovered vulnerability.