Responsible Disclosure Policy
1. General
1.1 Introduction
This Policy supports the corporate goals of Smile CDR, dba Smile Digital Health, and is intended to provide staff, partners, the open source community and clients with clear information on its information security practices and objectives.
Information management is an essential part of good IT governance, which in turn is a cornerstone of corporate governance. An integral part of IT governance is information security, in particular as it pertains to personal information.
Smile Digital Health is committed to taking a proactive approach to security in all of its offerings (including HAPI FHIR) and as such will provide the necessary resources to protect all its assets appropriately.
The policies, standards, and processes that support the Information Security Policy will be developed and maintained to meet contractual obligations and legislative requirements and to adhere to best practices. Wherever possible the ISO 27001:2022, ISO 27017:2015, ISO 27018:2019, and HITRUST v11.2 standards will be incorporated.
1.2 Scope
This policy is intended for all staff, clients, OSS contributors, the general public and entities acting on behalf of Smile Digital Health.
The following are outside the scope of this policy:
- Denial of Service attacks
- Physical testing
- Social engineering, or other methods to trick or deceive end users or staff
1.3 Review of Information Security Policy
All policies, including this Policy must be reviewed at least annually by the Chief Privacy and Security Officer.
The review date must be documented and signed off by the Chief Privacy and Security Officer.
All revisions must follow the Smile Digital Health policy review process and all major revisions must have the approval of the Chief Executive Officer.
1.4 Confidentiality
The information presented in this policy is classified as Public, as it is intended to be shared with external users and stakeholders.
2. Policy
2.1 General
At Smile Digital Health, we appreciate and welcome security researchers to contact us to report potential vulnerabilities identified in any product, system, or asset belonging to us. In support, we have established this Responsible Disclosure Policy. We will review this policy at least yearly and make any necessary updates to reflect best practices or lessons learned.
2.2 Support for Security Researchers
We appreciate groups and individuals that assist us in rectifying vulnerabilities so as to minimize the impact and risk to our HAPI FHIR community and our clients. We hereby explicitly request your assistance in the troubleshooting and remediation of those gaps, and ask that you share your proposed resolution.
We will not pursue legal action, nor initiate a complaint to law enforcement, against the finder/researcher operating in good faith. However, Smile Digital Health reserves all legal rights in the event of noncompliance with the guidelines below.
2.2.1 Rewards
Smile Digital Health does not offer a “bug bounty” program; as such, we extend no offer of compensation or public recognition for the submission of potential vulnerabilities.
2.3 Guidelines
We ask security researchers submitting the discovery of vulnerabilities to:
- Please be respectful of our company and of the applications and services we provide. It is our intention to provide the most secure solutions possible and we do our best to meet that goal. Our applications and services are complex, however, and vulnerabilities may at times appear.
- Please do not access or modify our data.
- Please contact us immediately if you determine that any sensitive data has been exposed. Take care not to alter, view, share, store, transfer, or disrupt the data that you may have encountered.
- If you encounter any personal or financial information, please cease any discovery activities and contact us immediately.
- Please do not generate any artificial or fraudulent requests or transactions to our services.
- Do not perform any activities that may break the law in the country in which you reside or in which Smile Digital Health assets reside.
- Please contact us first, before opening any CVE reports, to confirm the findings.
- Please share all relevant findings from your discovery.
2.3.1 Contact Information
You can contact us at the security@smiledigitalhealth.com address. We will provide an acknowledgement of the message within two business days.
2.3.2 Information Requested
When submitting a vulnerability to Smile Digital Health please provide if possible:
- your contact name, email address, associated group or company, and your title
- in case a CVE is published, whether you would like to be credited for the finding and what information should appear
- details of the vulnerability, including:
  - a summary of the issue
  - the details of the vulnerability and the tools used
  - the CWE category, if known
  - if applicable, steps that can be taken to reproduce it
  - any URL or other resource references related to the vulnerability
  - the product name and version, if known
2.3.3 Investigation
Smile Digital Health will attempt to verify any reported vulnerabilities as soon as possible, and usually within one week.
2.3.4 CVE Reporting
Smile Digital Health believes that transparent disclosure of vulnerabilities is the best approach. As a CVE Numbering Authority (CNA), Smile Digital Health is authorized by the CVE Program to assign CVE IDs to vulnerabilities and publish CVE Records related to all our products and HAPI FHIR. Therefore:
- Public disclosure of any vulnerability will be done by Smile Digital Health.
- Any CVE tickets related to services or products managed by Smile Digital Health will be initiated by Smile Digital Health.
- The timing of CVE reporting may depend on the ability of Smile Digital Health to provide remediation.