Responsible Disclosure Policy
1. General
1.1 Introduction
This Responsible Disclosure Policy supports the corporate goals of Smile CDR (the company) and is intended to provide staff, partners, the open source community and clients with clear information on the information security practices and objectives.
Information management is an essential part of good IT governance, which in turn is a cornerstone in corporate governance. An integral part of the IT governance is information security, in particular pertaining to personal information.
The company is committed to taking a proactive approach to security in all of its offerings (including HAPI FHIR) and as such will provide the necessary resources to protect all its assets appropriately.
The policies, standards, and processes that support the Information Security Policy will be developed and maintained to ensure that contractual obligations and legislative requirements are met and that best practices are adhered to. Wherever possible the ISO 27001/27002 standards will be incorporated.
1.2 Scope
This policy is intended for all staff, clients, OSS contributors, the general public and entities acting on behalf of Smile CDR.
1.3 Review of Information Security Policy
All policies including the Information Security Policy must be reviewed at least annually by the Chief Privacy and Security Officer.
The review date must be documented and signed off by the Chief Privacy and Security Officer.
All revisions must follow the Smile CDR policy review process and have the approval of the Chief Executive Officer.
1.4 Revision History
| Revision | Date | Record of Changes | Reviewed By | Approved By |
| --- | --- | --- | --- | --- |
| 0.1 | 2021/05/11 | Initial Draft | Luis de Barros & James Agnew | |
| 1.0 | 2021/05/17 | Removed comments | Luis de Barros | Duncan Weatherston |
1.5 Confidentiality
The information presented in this policy is considered public, as it is intended to be shared with external users and stakeholders.
2. Policy
2.1 General
At Smile CDR, we appreciate and welcome security researchers contacting us to report potential vulnerabilities identified in any product, system, or asset belonging to us. In support of this, we have established this Responsible Disclosure Policy. We will review this policy at least yearly and make any necessary updates to reflect best practices or lessons learned.
2.2 Support for Security Researchers
We appreciate groups and individuals that assist us in rectifying vulnerabilities so as to ensure the least amount of impact and risk to our HAPI FHIR community and our clients. We hereby explicitly request your assistance in the troubleshooting/remediation of those gaps and that you share your proposed resolution.
We will not pursue legal action, nor initiate a complaint to law enforcement, against the finder/researcher operating in good faith. However, Smile CDR reserves all legal rights in the event of noncompliance with the guidelines below.
2.2.1 Rewards
Smile CDR does not offer a “bug bounty” program; as such, we extend no offer of compensation or public recognition for submittal of potential vulnerabilities.
2.3 Guidelines
We ask security researchers submitting the discovery of vulnerabilities to:
- Please be respectful of our company, and the applications and services we provide. It is our intention to provide the most secure solutions possible and we do our best to meet that goal. Our applications and services are complex, however, and vulnerabilities may at times appear.
- Please do not access or modify our data.
- Please contact us immediately if you determine that any sensitive data has been exposed. Take care not to alter, view, share, store, transfer, or disrupt the data that you may have encountered.
- If you encounter any personal or financial information, please cease any discovery activities and contact us immediately.
- Please do not generate any artificial or fraudulent requests or transactions to our services.
- Do not perform any activities that may break the law in the country where you reside or where Smile CDR assets reside.
- Please contact us first before opening any CVE reports, so that we can confirm the findings.
- Please share all relevant findings from your discovery.
2.3.1 Contact Information
You can contact us via the security@smilecdr.com address. We will provide an acknowledgement of the message within 2 business days.
2.3.2 Information Requested
When submitting a vulnerability to Smile CDR, please provide if possible:
- Your contact name, email address, associated group or company, and your title
- In case a CVE is published, whether you would like to be credited for the finding and what information should appear
- Details of the vulnerability including:
  - A summary of the issue
  - The details of the vulnerability and the tools used
  - The CWE category if known
  - If applicable, steps that can be taken to reproduce it
  - Any URL or other resource references related to the vulnerability
  - The product name and version if known
2.3.3 Investigation
Smile CDR will attempt to verify any reported vulnerabilities as soon as possible, and usually within one week.
2.3.4 CVE Reporting
Smile CDR believes that transparent disclosure of vulnerabilities is the best approach. We ask that:
- Public disclosure is at the discretion of Smile CDR
- Any CVE tickets related to services or products managed by Smile CDR will be initiated by Smile CDR itself
- The timing of CVE reporting is dependent on the ability of Smile CDR to provide remediation
2.3.5 Not in Scope
The following are outside the scope of this policy:
- Denial of Service attacks
- Physical testing
- Social engineering, or other methods to trick or deceive end users or staff