Vulnerability disclosure policy

About this policy

The Sonic Healthcare vulnerability disclosure policy gives security researchers a point of contact to directly submit their research findings if they believe they have found a potential security vulnerability within an asset of the Sonic Healthcare company and its subsidiaries.

We have endeavoured to keep the security of our systems a priority but understand there may still be vulnerabilities.

As such, we encourage engagement with the security community. This policy allows security researchers to share their findings with us. If you think you have found a potential vulnerability in one of our applications, services or products, please contact us as soon as possible.

Please note, there may not necessarily be compensation for finding potential or confirmed vulnerabilities. Any potential reward will reflect our perceived risk of the disclosed vulnerability.

Scope

This policy covers:

Any product, service or website wholly owned by Sonic Healthcare to which you have lawful access

This policy does not cover:

Duplicate or known vulnerabilities identified by internal processes
Social engineering or phishing
Weak or insecure SSL ciphers and certificates
Denial of service (DoS)
Physical attacks
Attempts to modify or destroy data
Clickjacking

Reporting a vulnerability

To report a vulnerability, please fill out the below form.

Enough detail should be included so that your steps may be reproduced. Only go as far as necessary to demonstrate your proof-of-concept for the vulnerability.

Refrain from active exploitation of the vulnerability. This includes exfiltration or downloading of company data, disclosure of confidential information, and/or disrupting our customers’ experience.

Any vulnerability reported under this policy must be kept confidential. Please do not publicly release your research until we have had the opportunity to finish investigating and fixing or mitigating the vulnerability.

What to expect

We will do our best in opening up a conversation regarding your vulnerability report submission as soon as possible:

by responding to your report within 5 business days
agreeing upon a date for public disclosure
discussing if you want to be credited for discovering the vulnerability and any potential rewards where applicable
keeping you updated on the progress on our end

Vulnerability disclosure form

Name * Please enter your full name

Email *

Contact number (including country code)

How would you like to be referred to below? * Please answer with N/A if you do not wish to be acknowledged below.

Steps to reproduce * Please see above 'Reporting a vulnerability' for instructions on how a vulnerability should be reported. Any vulnerability reported under this policy must be kept confidential.

Attachments Please upload all attachments as a single .zip file no larger than 10MB

reCAPTCHA *

Individuals that have disclosed vulnerabilities to us

Below is a list of names or aliases of people that have identified and disclosed vulnerabilities to us:

Diego Moicano (a.k.a hihackthis)
Anirudha Ram Kurhade
Ignited/4Luv
Mayank Mukhi
Robotshell
Abolfazl Fahimi
Abhith Damodaran
Ronak Nahar