Vulnerability Disclosure Program
Vivy welcomes the responsible disclosure of vulnerability reports from anyone
who finds a security issue on our listed domains. We also run a private bug
bounty program which is invite-only at this stage.
Vivy is a health assistant which aims to help our users lead healthier lives.
Vivy does this in a way which connects you with your doctor and insurance
company. As health data is considered extremely sensitive data, Vivy looks
forward to working with the security community to find security
vulnerabilities in order to keep the health data of our users safe, and raise
Vivy’s security to the next level.
Vivy will make a best effort to meet the following response targets for
hackers participating in our program:
- Time to first response (from report submit) - 1 business days
- Time to triage (from report submit) - 1 business days
We’ll try to keep you informed about our progress throughout the process.
- Please provide detailed reports with reproducible steps.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
Vivy appreciates all the help it can get to keep the user data safe, and bring
security to the next level. However, please do not:
- Violate any laws
- Socially engineer our employees, customer support team, insurance partners or doctors
- Access, modify, or reveal the account or data of Vivy customers
- Damage or compromise the integrity of our system
- Run a scanning tool against AWS infrastructure
- Open disclosure without the consent of Vivy
Out of scope vulnerabilities
When reporting vulnerabilities, please consider (1) attack
scenario/exploitability, and (2) the security impact of the bug. The following
issues are considered out of scope:
- Clickjacking on pages with no sensitive actions.
- Unauthenticated/logout/login CSRF.
- Attacks requiring MITM or physical access to a user's device.
- Previously known vulnerable libraries without a working Proof of Concept.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Missing best practices in SSL/TLS configuration.
- Any activity that could lead to the disruption of our service (DoS).
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
- Best practice recommendations without a working Proof of Concept
- Missing http security headers without a working Proof of Concept of their absence
- Recently disclosed zero day vulnerabilities
- Headers which disclose server version information
- Issues related to email spoofing
- Absence of CSRF attack without a working Proof of Concept
- Social engineering of our employee, customer support, insurance partner, or doctor
Vivy backend is deployed almost every day, while the iOS and Android version
is released around once a week.
Any activities conducted in a manner consistent with this policy will be
considered authorized conduct and we will not initiate legal action against
you. If legal action is initiated by a third party against you in connection
with activities conducted under this policy, we will take steps to make it
known that your actions were conducted in compliance with this policy.
Thank you for helping keep Vivy and our users safe!
Hall of Fame