Responsible disclosure

Folia Health engineers work hard to ensure that our site and users are 100% safe and sound. We greatly respect the work of security experts everywhere and strive to stay up to date with the latest security techniques. But nobody's perfect. Should you encounter a security vulnerability in one of our products, we want to hear from you.

Before submitting a report, please review our guidelines below as to what constitutes a security vulnerability and how we'd like you to go about finding them. Once you've filed a report, we promise to work expeditiously to evaluate and resolve any valid bugs.

We encourage anyone to report security issues to [email protected].

Who can participate in the program?

Anyone who doesn't work for Folia Health or partners of Folia Health who reports a unique security issue in scope and does not disclose it to a third party before we have patched and updated.

How should reports be formatted?

We would like you to format your reports like this:

  • Name: %name
  • Bug type: %bugtype
  • Domain: %domain
  • Severity: %severity
  • URL: %url
  • PoC: %poc

Which domains are in scope?

In scope:

  • my.foliahealth.com

  • Android & iOS applications

Out of scope:

  • www.foliahealth.com

What bugs are eligible?

Any typical web security bugs such as:

  • Cross-site scripting
  • Open redirect
  • Cross-site request forgery
  • File inclusion
  • Authentication bypass
  • Server-side code execution

What bugs are NOT eligible?

Disruptive bugs or bugs with no/low impact or likelihood such as:

  • Missing cookie flags on non-session cookies or 3rd-party cookies
  • Logout CSRF
  • Social engineering
  • Denial of service
  • Weak TLS ciphers
  • Email spoofing, SPF, DMARC & DKIM
  • Brute force attacks
  • Password policy improvements
  • Hardening tips (such as a missing CSP header or SRI attribute)

Other guidelines

  • You must demonstrate a vulnerability with proof/evidence. When hunting for bugs and when providing evidence, please only use your own accounts. Do not use or access other people’s data or accounts at any time.

  • You must be the “first reporter.” Please understand that we have an active security team that does regular internal testing and contracts out for pentests often. As such, we often find and fix issues on our own. If our internal security team or our pentesters or our developers happen to find the same issue before you find it, they will count as the “first reporter” and your report will be considered a duplicate.

  • The underlying issue must be unique, i.e. multiple vulnerabilities caused by one underlying issue are recognized as a single issue. Also, it is our policy that we do not provide rewards or bounties for submissions.

  • Your report must be in scope. Please look over the scope section of this policy before submitting a report. We want to help reduce your risk of submitting an out-of-scope report that could hurt your Signal, as well as reduce noise in our inbox.

  • Please don't perform research that could impact other users. Also, please keep reports concise. If we fail to understand the logic of your bug, we will tell you.

Restrictions

  • Folia Health reserves the right to approve or deny any request for disclosure for any reason and at our sole discretion.

  • Only Resolved reports requested by the original reporter are eligible for disclosure. All other reports (Informative, NA, Spam) are not eligible for disclosure of any kind.

  • Duplicate reports are not eligible for disclosure. Only the original reporter is eligible for disclosure.

  • Should a researcher break any disclosure or program policies, that researcher shall no longer be protected under our Responsible Disclosure program and will be subject to legal action at our discretion. Furthermore, failure to comply with these rules may result in a program ban for all company properties.