Reporting Vulnerabilities in Security or Privacy

Help us enhance the security and privacy of our products by reporting any vulnerabilities you discover.

Introduction

We at Sword Health value the security of our systems and data, and we understand the importance of the community in helping us maintain a high standard of safety. If you have discovered a security vulnerability within our systems, we appreciate your help in disclosing it to us in a responsible manner.

This page outlines our responsible disclosure policy and provides guidelines on how to report any security vulnerabilities you may come across.

Reporting a Vulnerability

If you have identified a potential security issue, we kindly request that you:

  1. Email us at securityreports@swordhealth.com with the details of the vulnerability. Please use the following format for your report:
  • Title: A brief, concise summary of the issue.
  • Details: A detailed description of the vulnerability. Include the steps to reproduce the issue, as well as any potential impacts. The more detail you can provide, the better.
  • Environment: Information about where and when you discovered the issue. Include the system, software versions, configurations, and any other relevant details.
  • Proof of Concept: If possible, provide a proof of concept. This could be in the form of a code snippet, a screenshot, or a video demonstrating the vulnerability.
  1. Do not disclose the issue to others until we've had a chance to address it. This is to ensure that the issue does not become widely known before a fix is in place, potentially causing harm to our users or systems.
  2. Do not engage in activities that could potentially harm the usability of our services or the privacy of our users. This includes, but is not limited to, accessing, downloading, altering, or deleting data.

Scope of the program

We appreciate the time and effort put in by security researchers when investigating and reporting vulnerabilities. For effective collaboration, we have defined what is in-scope and out of scope for our Responsible Disclosure Policy.

In-Scope: All websites, API endpoints and any other web resources under swordhealth.com, hibloom.com or any of their subdomains. We appreciate reports on any vulnerabilities that could potentially harm the integrity, availability, or confidentiality of our systems or data.

Out-of-Scope: The following are considered out of scope for our program:

  • Third-party websites or services that we link to
  • Issues related to software or protocols not under our control
  • Any physical attempts against our property or data centers
  • Social engineering attacks (e.g., phishing, vishing)
  • Denial of Service (DoS) attacks
  • Spam or issues related to email deliverability
  • Vulnerabilities affecting users of outdated or unpatched browsers and platforms

This is not an exhaustive list. If you are unsure whether something is in-scope or out-of-scope, please contact us at securityreports@swordhealth.com. We reserve the right to alter the scope of our program and to make exceptions to these guidelines on a case-by-case basis. We ask that you respect these guidelines, and thank you for your help in keeping Sword Health safe and secure.

Our Commitment

Once we receive your report, we commit to:

  • Acknowledging receipt of your report within three business days.
  • Investigating the issue and working to understand its impact and severity.
  • Keeping you informed about our progress in resolving the issue.
  • Addressing the issue in a timely manner, and if necessary, informing relevant parties and the public about the issue and our response.

Recognition

While we do not offer a monetary reward for vulnerability disclosures, we understand and appreciate the effort that goes into security research. As a token of our gratitude, we would be happy to include your name in our "Hall of Fame" on our website. This is entirely optional and at your discretion.

Conclusion

We thank you for your assistance in helping us maintain the safety and integrity of our systems. Your commitment to responsible disclosure reflects the strength and value of the security community, and we appreciate your effort and dedication. Please note that this policy is subject to change without prior notice. It's recommended to check back often for updates.

Thank you for helping us make Sword Health safer for everyone. Make sure that you include the information covered above. If your report doesn't include enough information to allow us to reproduce the issue, we may not be able to accept your report.

Portugal 2020Norte 2020European UnionPlano de Recuperação e ResiliênciaRepública PortuguesaNext Generation EU