Vulnerability disclosure policy

About this policy

The Sonic Healthcare vulnerability disclosure policy gives security researchers a point of contact to directly submit their research findings if they believe they have found a potential security vulnerability within an asset of the Sonic Healthcare company and its subsidiaries.


We have endeavoured to keep the security of our systems a priority but understand there may still be vulnerabilities.

As such, we encourage engagement with the security community. This policy allows security researchers to share their findings with us. If you think you have found a potential vulnerability in one of our applications, services or products, please contact us as soon as possible.

Please note, there may not necessarily be compensation for finding potential or confirmed vulnerabilities. Any potential reward will reflect our perceived risk of the disclosed vulnerability.

Scope

This policy covers:

  • Any product, service or website wholly owned by Sonic Healthcare to which you have lawful access

This policy does not cover:

  • Duplicate or known vulnerabilities identified by internal processes
  • Social engineering or phishing
  • Weak or insecure SSL ciphers and certificates
  • Denial of service (DoS)
  • Physical attacks
  • Attempts to modify or destroy data
  • Clickjacking

Reporting a vulnerability

To report a vulnerability, please fill out the form below.

Enough detail should be included so that your steps may be reproduced. Only go as far as necessary to demonstrate your proof-of-concept for the vulnerability.

Refrain from active exploitation of the vulnerability. This includes exfiltration or downloading of company data, disclosure of confidential information, and/or disrupting our customers’ experience. 

Any vulnerability reported under this policy must be kept confidential. Please do not publicly release your research until we have had the opportunity to finish investigating and fixing or mitigating the vulnerability.

What to expect

We will do our best to open a conversation about your vulnerability report as soon as possible by:

  • responding to your report within 5 business days
  • agreeing upon a date for public disclosure
  • discussing if you want to be credited for discovering the vulnerability and any potential rewards where applicable
  • keeping you updated on the progress on our end

Vulnerability disclosure form

Please enter your full name
Please answer with N/A if you do not wish to be acknowledged below.
Please see above 'Reporting a vulnerability' for instructions on how a vulnerability should be reported. Any vulnerability reported under this policy must be kept confidential.
Please upload all attachments as a single .zip file no larger than 10MB

Individuals that have disclosed vulnerabilities to us

Below is a list of names or aliases of people who have identified and disclosed vulnerabilities to us:

  • Diego Moicano (a.k.a. hihackthis)
  • Anirudha Ram Kurhade
  • Ignited/4Luv
  • Mayank Mukhi
  • Robotshell
  • Abolfazl Fahimi
  • Abhith Damodaran
  • Ronak Nahar