1. General

 

1.1 Introduction

This Responsible Disclosure Policy supports the corporate goals of Smile CDR Inc. (doing business as Smile Digital Health) and is intended to provide staff, partners, the open source community and clients with clear information on the information security practices and objectives.

 

Information management is an essential part of good IT governance, which in turn is a cornerstone in corporate governance. An integral part of the IT governance is information security, in particular pertaining to personal information. 

 

The company is committed to taking a proactive approach to security in all of its offerings (including HAPI FHIR) and as such will provide the necessary resources to protect all its assets appropriately.

 

The policies, standards, and processes that support the Information Security Policy will be developed and maintained to ensure the contractual obligations, legislative requirements and adhere to best practices. Wherever possible the ISO 27001/27002 standards will be incorporated.

 

1.2 Scope

This policy is intended for all staff, clients, OSS contributors, the general public and entities acting on behalf of Smile.

 

1.3. Review of Information Security Policy

All policies including the Information Security Policy must be reviewed at least annually by the Chief Privacy and Security Officer.

 

The review date must be documented and signed off by the Chief Privacy and Security Officer.

 

All revision must follow the Smile policy review process and have the approval of the Chief Executive Officer.

 

1.4 Revision History

Revision Date Record of Changes Reviewed By Approved By
0.1 2021/05/11 Initial Draft Luis de Barros & James Agnew  
1.0 2021/05/17 Removed comments Luis de Barros Duncan Weatherston
1.1 2022/05/12 Policy Review Danielle Pleasant Duncan Weatherston

 

1.5 Confidentiality

The information presented in this policy is considered public as it is indeed to be shared for external users and stakeholders.

 

 

2. Policy

 

2.1 General 

At Smile, we appreciate and welcome security researchers to contact us to report potential vulnerabilities identified in any product, system, or asset belonging to us. In support, we have established this Responsible Disclosure Policy. We will review this policy at least yearly and make any necessary updates to reflect best practices or lessons learned.

 

2.2 Support for Security Researchers

We appreciate groups and individuals that assist us to rectify vulnerabilities to ensure the least amount of impact and risk to our HAPI FHIR community and our clients. We hereby explicitly request your assistance in the troubleshooting/remediation of those gaps and that you share your proposed resolution.

 

We will not pursue legal action, nor initiate a complaint to law enforcement, against the finder/researcher operating in good faith. However, Smile reserves all legal rights in the event of noncompliance with the guidelines below.

 

2.2.1 Rewards

Smile does not offer a “bug bounty” program; as such, we extend no offer of compensation or public recognition for submittal of potential vulnerabilities.

 

2.3 Guidelines

We ask security researchers submitting the discovery of vulnerabilities to:

  • Please be respectful of our company, and the applications and services we provide. It is our intention to provide the most secure solutions possible and we try to do our best in meeting that goal. As such our applications and services are complex, and vulnerabilities may at times appear.

  • Please do not access or modify our data.

  • Please contact us immediately if you determine that any sensitive data has been exposed. Take care not to alter, view, share, store, transfer, or disrupt the data that you may have encountered.

  • If you encounter any personal or financial information, please cease any discovery activities and contact us immediately.

  • Please do not generate any artificial or fraudulent requests or transactions to our services.

  • Do not perform any activities that may break the law in the country that you reside or where Smile assets reside.

  • Please contact us first before opening any CVE reports to confirm the findings.

  • Please share all relevant findings in your discovery.

 

2.3.1 Contact Information

You can contact us via security@smilecdr.com address. We will provide an acknowledgement of the message within 2 business days.

 

2.3.2 Information Requested

When submitting a vulnerability to Smile CDR please provide if possible:

  • Your contact name, email address, associated group or company, and your title

  • In case a CVE is published, if you would like to be credited for the finding and what information should appear

  • Details of the vulnerability including:

    • A summary of the issues

    • The details of the vulnerability and the tools used

    • The CWE category if known

    • If applicable, steps that can be taken to reproduce it

    • Any URL or other resource references related to the vulnerability

    • The product name and version if known

 

2.3.3 Investigation

Smile will attempt to verify any reported vulnerabilities as soon as possible, and usually within one week.

 

2.3.4 CVE Reporting

Smile believes that transparent disclosure of vulnerabilities is the best approach. We ask that:

  • Public disclosure is at the discretion of Smile

  • Any CVE tickets related to services or products managed by Smile will be initiated by Smile itself

  • The timing of CVE reporting is dependent on the ability of Smile to provide remediation.

 

2.3.5 Not in Scope

The following are outside the scope of this policy:

  • Denial of Service attacks

  • Physical testing

  • Social engineering, or other methods to trick or deceive end users or staff