Vulnerability Disclosure Program

Vivy welcomes the responsible disclosure of vulnerability reports from anyone who finds a security issue on our listed domains. We also run a private bug bounty program which is invite-only at this stage.

Vivy is a health assistant which aims to help our users lead healthier lives. Vivy does this in a way which connects you with your doctor and insurance company. As health data is considered extremely sensitive data, Vivy looks forward to working with the security community to find security vulnerabilities in order to keep the health data of our users safe, and raise Vivy’s security to the next level.

Program Rules

• Please provide detailed reports with reproducible steps.

• Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.

Vivy appreciates all the help it can get to keep the user data safe, and bring security to the next level. However, please do not:

• Violate any laws

• Socially engineer our employees, customer support team, insurance partners or doctors

• Access, modify, or reveal the account or data of Vivy customers

• Damage or compromise the integrity of our system

• Open disclosure without the consent of Vivy

Out of scope vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:

• Clickjacking on pages with no sensitive actions.

• Unauthenticated/logout/login CSRF.

• Attacks requiring MITM or physical access to a user's device.

• Previously known vulnerable libraries without a working Proof of Concept.

• Comma Separated Values (CSV) injection without demonstrating a vulnerability.

• Missing best practices in SSL/TLS configuration.

• Any activity that could lead to the disruption of our service (DoS).

• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS

• Best practice recommendations without a working Proof of Concept

• Missing http security headers without a working Proof of Concept of their absence

• Recently disclosed zero day vulnerabilities

• Headers which disclose server version information

• Issues related to email spoofing

• Absence of CSRF attack without a working Proof of Concept

• Social engineering of our employee, customer support, insurance partner, or doctor

Release Cycle

Vivy backend is deployed almost every day, while the iOS and Android version is released around once a week.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep Vivy and our users safe!