Vulnerability disclosure policy
About this policy
The Sonic Healthcare vulnerability disclosure policy gives security researchers a point of contact to directly submit their research findings if they believe they have found a potential security vulnerability within an asset of the Sonic Healthcare company and its subsidiaries.
We have endeavoured to keep the security of our systems a priority but understand there may still be vulnerabilities.
As such, we encourage engagement with the security community. This policy allows security researchers to share their findings with us. If you think you have found a potential vulnerability in one of our applications, services or products, please contact us as soon as possible.
Please note, there may not necessarily be compensation for finding potential or confirmed vulnerabilities. Any potential reward will reflect our perceived risk of the disclosed vulnerability.
Scope
This policy covers:
- Any product, service or website wholly owned by Sonic Healthcare to which you have lawful access
This policy does not cover:
- Duplicate or known vulnerabilities identified by internal processes
- Social engineering or phishing
- Weak or insecure SSL ciphers and certificates
- Denial of service (DoS)
- Physical attacks
- Attempts to modify or destroy data
- Clickjacking
Reporting a vulnerability
To report a vulnerability, please fill out the below form.
Enough detail should be included so that your steps may be reproduced. Only go as far as necessary to demonstrate your proof-of-concept for the vulnerability.
Refrain from active exploitation of the vulnerability. This includes exfiltration or downloading of company data, disclosure of confidential information, and/or disrupting our customers’ experience.
Any vulnerability reported under this policy must be kept confidential. Please do not publicly release your research until we have had the opportunity to finish investigating and fixing or mitigating the vulnerability.
What to expect
We will do our best to open a conversation about your vulnerability report as soon as possible, including:
- responding to your report within 5 business days
- agreeing upon a date for public disclosure
- discussing whether you want to be credited for discovering the vulnerability, and any potential rewards where applicable
- keeping you updated on the progress on our end
Individuals that have disclosed vulnerabilities to us
Below is a list of names or aliases of people who have identified and disclosed vulnerabilities to us:
- Diego Moicano (a.k.a. hihackthis)
- Anirudha Ram Kurhade
- Ignited/4Luv
- Mayank Mukhi
- Robotshell
- Abolfazl Fahimi