CompuGroup Medical Vulnerability Disclosure Policy
CompuGroup Medical is committed to protecting our clients' confidential information and the security of our systems. We encourage security researchers to contact us to report potential security vulnerabilities identified in CompuGroup Medical products, assets, or systems. Please note this program does not provide monetary rewards and it is for responsible disclosure purposes only. If you believe you have identified a potential security vulnerability, please submit it to us by following our Vulnerability Disclosure Program guidelines described on this page.
- For the protection of our clients, we do not disclose, discuss, or confirm security issues. Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from CompuGroup Medical.
- As a general rule, please follow HackerOne's disclosure guidelines and Code of Conduct, but any terms in this policy will supersede HackerOne terms.
- Any unauthorized public disclosure or sharing of a CompuGroup Medical vulnerability will be considered a violation of this policy.
You should never illegally or in bad faith leverage the existence of a vulnerability or access to sensitive or confidential information, such as making extortionate demands or ransom requests. If you find a vulnerability, please report it to us with no conditions attached.
Vulnerability Disclosure Program Guidelines
This policy is intended to provide security researchers with clear guidance for reporting potential security vulnerabilities by describing: (1) the systems and types of activities that are in scope under this policy and (2) how to submit discovered potential security vulnerabilities. This program does not condone, encourage, or permit any of the following:
- Malicious hacking or otherwise attempting to gain unauthorized access to information, software, or systems.
- Disclosing, sharing, storing, compromising, destroying, or using any proprietary or confidential CompuGroup Medical data, including any customer or consumer data. If such data is encountered, you should immediately halt your activity, purge related data from your system, and promptly contact CompuGroup Medical via the HackerOne portal.
- Activity that violates any laws or regulations, including those of any country where you conduct your vulnerability research activity, where CompuGroup Medical data is routed, or where CompuGroup Medical data or systems reside.
- Compromising the intellectual property or other commercial or financial interests of any CompuGroup Medical personnel or entities, or any third parties.
- Performing any activity that could initiate fraudulent financial transactions.
- Performing any activities that could adversely impact CompuGroup Medical, CompuGroup Medical clients, CompuGroup Medical employees, or the operation of CompuGroup Medical software or systems.
- Performing any automated scanning (e.g., Nessus, Qualys, etc.).
- Disclosing information about reported vulnerabilities to any third party without CompuGroup Medical’s prior consent.
Safe Harbor
We will not bring legal action against anyone who makes a good faith effort to comply with this policy. We also waive on a limited basis any restrictions in our applicable Terms of Service that would prohibit your participation in this policy, for the limited purpose of genuine security research.
CompuGroup Medical does not authorize any testing of third-party products, systems, or applications. If legal action is initiated by a third party against you in connection with activities conducted in accordance with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Sensitive Data
- It is possible that you may inadvertently encounter sensitive data, including personal information or personal data (as those terms are defined under applicable law), confidential or proprietary business data, or financial information.
- Once you encounter sensitive data, you must immediately cease your activity, delete any data in your control or possession, and report to CompuGroup Medical through the HackerOne form available to you what you have found and how.
- Include in that report only the type of information identified (i.e., do not include the specific data you encountered). Reports that include the specific data you encountered will be closed and no bounty will be paid out.
Testing
- Vulnerabilities must only be exploited using unauthenticated methods or through default, self-registered credentials where open enrollment is permitted.
- Researchers cannot purchase services or demonstrations as a means of gaining valid credentials. Credentials that are discovered or otherwise publicized should be submitted as their own vulnerability and should not be used to conduct security research.
- Researchers cannot solicit and/or purchase credentials from other valid credential holders, especially CompuGroup Medical customers and clients.
Scope
If you have found a potential, in-scope vulnerability on any product, system, or asset you believe belongs to CompuGroup Medical, please submit it through this program as we would like to hear about it.
Out of Scope
Use of security testing methodologies that may disrupt, degrade, or impair CompuGroup Medical systems is prohibited as part of our Vulnerability Disclosure Program. CompuGroup Medical reserves all its rights in these instances. Those out-of-scope methods include, but are not limited to:
- Any activity or test that could lead to a Denial of Service (DoS) attack or disrupt service to CompuGroup Medical users or employees (e.g., Distributed Denial of Service, DNS Spoofing, Buffer Overflow, etc.)
- Social engineering (e.g., phishing, vishing, smishing, etc.)
- Rate limiting or brute force issues on non-authentication endpoints
- Automated scanning attacks are not permitted (e.g., Nessus, Qualys, etc.); however, the use of Burp Suite and other manual testing tools is allowed
- Attacks requiring Man-in-the-Middle (MITM) or physical access to a user's device
- Activity involving out-of-scope domains, including domains registered to CompuGroup Medical or a CompuGroup Medical subsidiary but hosted by a third party
Certain vulnerabilities are considered out-of-scope for our Vulnerability Disclosure Program. Out-of-scope vulnerabilities include:
- Denial of service (DoS) attacks.
- Rate limiting or brute-force issues on non-authentication endpoints.
- Attacks requiring MITM or physical access to a user's device.
- Open redirect – unless an additional security impact can be demonstrated.
- Issues that require unlikely user interaction.
- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g., stack traces, application or server errors).
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Clickjacking on pages with no sensitive actions.
- Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version].
- Previously known vulnerable libraries without a working Proof of Concept.
- Missing email best practices (Invalid, incomplete, or missing SPF/DKIM/DMARC records, etc.).
- Missing best practices in TLS configuration.
- Missing best practices in Content Security Policy or other HTTP response headers.
- Missing HttpOnly or Secure flags on cookies on non-session cookies.
How to Report
CompuGroup Medical partners with HackerOne to receive responsibly submitted vulnerability reports. As detailed in the HackerOne submission requirements, when reporting a potential vulnerability, please include the following:
- A detailed summary of the vulnerability
- The target where the vulnerability was found
- Detailed steps to reproduce the issue (you can record a demo proof-of-concept and submit it through the submission form)
- Tools used or required
- Artifacts used during discovery (include screen captures when applicable).
Please ensure your report meets all requirements outlined by the HackerOne Vulnerability Disclosure Guidelines. Reports must be submitted through the HackerOne embedded form below.
CompuGroup Medical conducts its own scanning and internal vulnerability identification activities. In order to minimize confusion between your traffic and legitimate threats, please use the following header for your requests to allow us to identify your traffic:
- X-HackerOne-Research: <YOUR-USERNAME>
Responsiveness
CompuGroup Medical will make a best effort to acknowledge receipt of vulnerability reports within 3 business days and to keep you reasonably informed of the status of any validated vulnerability that you report through this program.
Legal
- You must comply with applicable federal, state, and local laws as you conduct your security research activities and as you participate in this program, CompuGroup Medical’s safe harbor provisions notwithstanding.
- By participating in this program, you agree that you will not do the following without the express written consent of CompuGroup Medical, its affiliates, or its subsidiaries:
  - Use CompuGroup Medical’s or any of its affiliates’ or subsidiaries’ trade name, trademark, service mark, symbol, abbreviation, contraction, or simulation thereof; or
  - represent that CompuGroup Medical or any of its affiliates or subsidiaries has endorsed the service or work you provided.
- By participating in this program, you agree that any and all information accessed by you is confidential and you shall not copy, reproduce, sell, assign, license, market, transfer or otherwise dispose of such information to third parties or use such information outside of the scope of this program.
- By participating in this program, you agree that you have no rights, title, or ownership to any of the information or data you may come into contact with.
- By participating in this program, you understand that CompuGroup Medical may in its sole discretion alter any part of this policy at any time.
- By submitting a report through this program, you consent to your information being transferred to and stored by CompuGroup Medical or its affiliates or subsidiaries in the European Union.
- Your testing must not cause any disruption to or compromise any data that you do not own.
- Nothing in this policy should be construed as creating a partnership, joint venture, employment, or agency relationship between you and CompuGroup Medical. By participating in this program, you agree that you do not have authority to make any representations or create any obligations on CompuGroup Medical’s behalf.