Vulnerability Disclosure Policy
Policy Overview
This policy is relevant to any potential vulnerabilities you’re considering reporting to Active Healthcare Solutions Ltd, doing business as Relish (hereinafter referred to as the “Company”). This policy is applicable provided that the Company’s website has a security.txt file that refers to this policy. If you think you’ve identified a security vulnerability concerning the Company’s system, we request you to send a vulnerability report to the address mentioned in the CONTACT field of the security.txt file.
Your report should include:
- The website, page, or other relevant location where the vulnerability is present.
- A brief description of the vulnerability type.
- Steps to reproduce the vulnerability. This ensures that the report can be addressed quickly and accurately, and it also minimizes the chances of receiving duplicate reports or the malicious exploitation of certain vulnerabilities.
After submitting your report, we aim to respond within 7 working days and to resolve the reported issue within 30 working days. We will notify you when the reported vulnerability has been addressed, and you may be asked to confirm that the solution adequately resolves the vulnerability.
We appreciate the efforts of those who responsibly report security vulnerabilities in accordance with this policy. However, we do not offer financial rewards for such disclosures.
You must NOT:
- Break any applicable laws or regulations.
- Access data that is unnecessary, excessive, or significant.
- Modify data in the Company’s systems or services.
- Use invasive or destructive scanning tools of high intensity to identify vulnerabilities.
- Attempt or report any form of denial of service, such as overwhelming a service with a large volume of requests.
- Disrupt the Company’s services or systems.
- Submit reports detailing non-exploitable vulnerabilities, or reports indicating that the services do not fully comply with “best practice”, for example, missing security headers.
- Communicate any vulnerabilities or related details through means other than those specified in the security.txt file.
- Engage in social engineering, ‘phishing’, or physical attacks on the Company’s staff or infrastructure.
You must:
- Always comply with data protection rules and must not violate the privacy of any data the Company holds. For example, you must not share, redistribute, or fail to properly secure data retrieved from the systems or services.
- Securely delete all data retrieved during your research as soon as it is no longer required or within 1 month of the vulnerability being resolved, whichever occurs first (or as otherwise required by data protection law).
Legal Aspects
This policy is designed to be compatible with common vulnerability disclosure good practice. It does not give you permission to act in any manner that is inconsistent with the law, or which might cause the Company or partner organisations to be in breach of any legal obligations.