2022-05-03

Ro

Purpose

Roman Health Ventures Inc. (Ro) is a healthcare company that provides its members with an end-to-end healthcare experience, from diagnosis, to delivery of medication, to ongoing care. We take this responsibility seriously and we welcome and appreciate feedback from good faith security researchers who want to help ensure the security of our services and the data of the individuals seeking care through our platform. If you believe you have discovered a security or privacy-related vulnerability in any of our in-scope websites or other assets, we want to hear from you. This policy outlines the steps you should take to report vulnerabilities to us, what you can expect from us after you’ve submitted your report, and what we expect from you throughout your participation in our vulnerability disclosure program.

Our Expectations of You

You must engage in security research responsibly and in good faith. In order to participate in our vulnerability disclosure program you must agree to and follow these requirements:

  • Cause no harm. Do not cause harm to our information systems, our members, or others. This includes, without limitation, that you must (1) not compromise the privacy or safety of our members, (2) not destroy our members’ data, (3) not interrupt or degrade the operation of our services, (4) not send unsolicited bulk messages (spam) or unauthorized messages, and (5) not post, transmit, upload, link to, or send any malware.

  • Do not access identifiable health information or other personal data. Do not knowingly view, alter, save, store, transfer, download, exfiltrate, or otherwise access any data from any of our assets, including without limitation any data that contain, or may potentially contain, any identifiable health or medical information or any other personal information (as defined under all applicable privacy laws), which data is referred to throughout this policy as “personal data”.

  • Immediately report inadvertent personal data access to Ro. We have not structured this vulnerability disclosure program to result in your access to any personal data. You should not access any personal data in connection with your participation in our vulnerability disclosure program. However, if you inadvertently encounter personal data in the course of your good faith research, you must immediately (1) stop your probe, (2) report your findings to us and indicate in your report that the severity level of the vulnerability is “critical”, (3) purge any personal data on your local device after reporting the vulnerability to us, and (4) confirm to us in writing, in a form satisfactory to us, that you have completed such purge. You agree that you will cooperate with our efforts to confirm that you took these steps to remove any personal data from your device and to otherwise protect the personal data that you inadvertently discovered.

  • No demands for payment. Do not make any demands for payment, rewards, or other compensation for your participation in our vulnerability disclosure program. Demanding payment in return for not destroying or taking other action towards our information systems or data will result in you being viewed and treated as a threat rather than an authorized participant in our program.

  • Comply with applicable law and this policy. Play by the rules by complying with all applicable laws governing your security research, by cooperating with us to protect personal data, and by otherwise following this policy and any other relevant agreements between us and/or you and HackerOne. Only good faith research that conforms to this policy and all other relevant agreements is considered authorized research under this program.

  • Limitations on who can submit reports. You must be eighteen or older to submit a report through our vulnerability disclosure program. This program is also not open to any individual on, or located or ordinarily residing in any country on, any U.S. sanctions list, including without limitation any list related to debarment, exclusion, or suspension from any federal or state healthcare program.

  • Prompt disclosure to Ro. Please report any vulnerability that you’ve discovered promptly, using only the official channels described in the reporting section of this policy. Do not, under any circumstances, discuss your report(s) or any vulnerabilities (even resolved ones) with anyone other than Ro without express written consent from Ro.

  • In-scope testing only. Perform testing only on in-scope assets pursuant to our testing guidelines (all as further described below), and respect systems and activities which are out-of-scope.

In Scope Assets

The following Ro web applications and native applications are in scope for reporting:

Web Applications

  • *.ro.co

  • *.getroman.com

  • *.ropharmacy.com

  • *.myplenity.com

  • *.hellorory.com

  • *.modernfertility.com

Native Applications

  • Modern Fertility (iOS)

Out of Scope Assets & Vulnerabilities Not Eligible for Submission

Any web application, native application, or other Ro asset not expressly listed above under “In Scope Assets” is excluded from the scope of this program and is not authorized for testing. In addition, the following vulnerabilities are considered out of scope and not eligible for reporting to our vulnerability disclosure program:

  • Any known vulnerability that has already been responsibly reported to our vulnerability disclosure program.

  • Clickjacking on pages with no sensitive actions.

  • Unauthenticated/logout/login CSRF.

  • Attacks requiring MITM or physical access to a user's device.

  • Previously known vulnerable libraries without a working proof-of-concept.

  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.

  • Missing Best Practice, Configuration or Policy Suggestions including SSL/TLS configurations.

  • Any activity that could lead to the disruption of our service (DoS).

  • Any Denial of Service attack against Ro, its affiliates, and their respective services and products.

  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.

  • Output from Automated Scanners without a PoC to demonstrate a specific vulnerability.

  • Lack of the Secure or HttpOnly flag on non-sensitive cookies.

  • Email configuration issues without a PoC to demonstrate a specific flaw.

  • Social engineering of employees, contractors, vendors, service providers, or members of Ro or its affiliates.

  • Physical attacks against employees or offices of Ro or its affiliates.

  • Any vulnerability obtained through the compromise of an account of a member or employee of Ro or any of its affiliates.

  • Vulnerabilities found in third party vendor systems that Ro or its affiliates use, which should be reported directly to the vendor according to their disclosure policy (if any). Only vulnerabilities found in Ro’s or its affiliate’s client-side implementation of a third party vendor’s product or service will be eligible for submission.

  • Hardware attacks against any physical products of Ro or its affiliates, including without limitation mail order kits from Ro’s direct and indirect wholly owned subsidiaries.

Instructions for Testing & Submitting a Report

Testing

Help us protect the security and privacy of our information systems and our members by abiding by the following guidelines while engaging in testing activities under this program:

  • Limit your amount of access to in-scope assets to the minimum required for effectively demonstrating a proof-of-concept.

  • Never submit personal data as part of your submission to the HackerOne portal. Instead, follow the instructions above under the section titled “Immediately report inadvertent personal data access to Ro”.

  • Testing that requires authentication must be done from a Ro account associated with your @wearehackerone.com email address. Please create a free account to test potential vulnerabilities.

  • Make sure that scanners have a narrow scope set that is limited to only those assets that are in-scope under this policy. Aggressive, overly broad scans are not eligible for submission under this program.

  • If you discover a publicly exposed password or key, do not use it to test whether it is still active.

  • If you discover a successful SQL injection, do not exploit the vulnerability beyond the steps needed to demonstrate your proof-of-concept.
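
A practical way to honour the "in-scope testing only" and "narrow scanner scope" guidelines is to filter every candidate URL through a scope check before a scanner ever sees it. The following is an added example written for this page, not Ro's or HackerOne's code. The scope entries are the ones the policy lists; how they are interpreted is an assumption: a wildcard entry such as `*.ro.co` is read as covering subdomains only, and the apex host is treated as in scope only under the explicit path entries (`ro.co/pharmacy`, `ro.co/mind`, `ro.co/derm`, `ro.co/spermkit`). Anything the rules do not positively match is treated as out of scope, which is the conservative reading a tester should want.

```python
"""Scope filter for URLs discovered during testing.

Added example, not code from Ro or HackerOne.  Scope entries are copied from
the policy; the wildcard/path interpretation below is an assumption.
"""
from urllib.parse import urlsplit

# "*.domain" entries from the Web Applications list.  Assumption: these match
# real subdomains only (host ends with ".domain"), not the bare apex host.
WILDCARD_DOMAINS = (
    "ro.co",
    "getroman.com",
    "ropharmacy.com",
    "myplenity.com",
    "hellorory.com",
    "modernfertility.com",
)

# Host + path-prefix entries from the scope table.  Assumption: the entry
# covers that path segment and anything below it, nothing else on the apex.
PATH_SCOPES = (
    ("ro.co", "/pharmacy"),
    ("ro.co", "/mind"),
    ("ro.co", "/derm"),
    ("ro.co", "/spermkit"),
)


def in_scope(url: str) -> bool:
    """Return True only if the URL positively matches a scope entry."""
    # Bare hostnames are accepted by prepending a scheme so urlsplit parses them.
    parts = urlsplit(url if "://" in url else "https://" + url)
    # .hostname strips userinfo and port, so "my.ro.co@attacker.com" resolves
    # to attacker.com rather than fooling a naive substring check.
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False

    # Wildcard match: require the dot, so "evilro.co" and "ro.co.attacker.com"
    # do not match "*.ro.co".
    for domain in WILDCARD_DOMAINS:
        if host.endswith("." + domain):
            return True

    # Path-scoped apex entries: exact host, and the path must be the segment
    # itself or a child of it ("/pharmacyx" must not match "/pharmacy").
    path = parts.path or "/"
    for scope_host, prefix in PATH_SCOPES:
        if host == scope_host and (path == prefix or path.startswith(prefix + "/")):
            return True

    return False


def split_targets(urls):
    """Partition candidate URLs into (allowed, rejected) lists for a scanner."""
    allowed, rejected = [], []
    for url in urls:
        (allowed if in_scope(url) else rejected).append(url)
    return allowed, rejected


# Constructed sample input: a mix of plausible discoveries and lookalikes.
SAMPLE_URLS = [
    "https://my.ro.co/account",
    "https://login.ro.co:8443/",
    "https://ro.co/pharmacy/checkout",
    "https://ro.co/pharmacyx",
    "https://ro.co/",
    "https://evilro.co/",
    "https://ro.co.attacker.example/",
    "https://my.ro.co@attacker.example/",
    "app.modernfertility.com/api",
]

if __name__ == "__main__":
    ok, dropped = split_targets(SAMPLE_URLS)
    print("in scope:", *ok, sep="\n  ")
    print("out of scope:", *dropped, sep="\n  ")
```

Feed the `allowed` list to the scanner and log the `rejected` list for a manual look; the apex `https://ro.co/` lands in the rejected list under this reading precisely because the policy only enumerates specific paths on it, so confirm with the program before touching it.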

Report Format

Please report all vulnerabilities eligible for submission pursuant to this policy by clicking the “Submit Report” button on our HackerOne portal, located at www.hackerone.com/ro. Please complete all required fields in your report and provide as much detail as possible to demonstrate the quality of the vulnerability. Reports that are low quality and unclear will be closed. Please only submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

Our Commitments to You

Ro is committed to communicating with you in a timely manner. If your participation in our vulnerability disclosure program meets expectations and otherwise complies with this policy, you can expect us to make a good faith effort to:

  • Acknowledge that your report has been received within two business days after it’s submitted.

  • Review your report to confirm whether it is complete and complies with this policy within five business days after your report is acknowledged, where possible. We may also work with you to better understand your report if it is complete and in compliance with this policy.

  • Strive to keep you informed, as appropriate and permitted under applicable law, about the progress of your report as it is processed.

  • Work to remediate vulnerabilities confirmed by Ro in a timely manner, taking into account the severity and complexity of the identified vulnerability.

This Policy Controls

In order to participate in our vulnerability disclosure program you must comply with this policy. Please note that if there is any inconsistency between this policy and any other applicable terms between us or you and HackerOne, including without limitation HackerOne's Disclosure Guidelines, the terms of this policy will prevail. We may change the terms of this policy at any time in our sole discretion, including without limitation the list of in-scope assets, out-of-scope assets, and vulnerabilities not eligible for submission.

In Scope

Scope Type         Scope Name
ios_application    1514854156
web_application    my.ro.co
web_application    login.ro.co
web_application    start.ro.co
web_application    *.ro.co
web_application    ro.co/pharmacy
web_application    ro.co/mind
web_application    ro.co/derm
web_application    ro.co/spermkit
web_application    *.getroman.com
web_application    *.ropharmacy.com
web_application    *.myplenity.com
web_application    *.hellorory.com
web_application    *.modernfertility.com


This program, crawled on 2022-05-03, is sorted as bounty.

FireBounty © 2015-2024
