Medendo Responsible Disclosure Policy
At Medendo, the security of our systems and the data of our users is a top priority. We encourage the responsible disclosure of security vulnerabilities to help us ensure the safety and privacy of our users. If you discover a vulnerability, we appreciate your assistance in reporting it to us in a responsible manner.
Scope
This policy applies to vulnerabilities in any service or system owned and operated by Medendo, including but not limited to:
Web applications
APIs
Mobile applications
Network infrastructure
Safe Harbor
We will not take legal action against researchers who:
Act in good faith and follow the guidelines outlined in this policy.
Do not cause harm or service disruption during their testing.
Refrain from accessing, modifying, or deleting data.
Your security research must comply with all applicable laws and regulations. You are authorized to test for vulnerabilities in systems covered under this policy, and we will not pursue legal action or report you to law enforcement as long as your actions are aligned with the rules in this policy.
How to Report a Vulnerability
If you identify a security vulnerability, please follow these steps:
1. Email your findings to security@medendo.com.
2. Provide a detailed description of the vulnerability, including:
   Steps to reproduce the vulnerability.
   Potential impact of the vulnerability.
   Proof of concept (if available).
   Any relevant system information (e.g., browser version, operating system).
3. Please do not disclose the vulnerability to others until we have had a chance to address it.
What We Expect
Do not attempt to exploit the vulnerability beyond what is necessary to demonstrate the issue.
Avoid actions that may result in data loss or service disruption, such as denial-of-service (DoS) attacks, brute-force attempts, or social engineering.
Respect privacy: Do not access, modify, or delete any data you encounter during your testing.
What You Can Expect
We will acknowledge receipt of your report within 72 hours.
We will provide regular updates on the status of your report as we work to resolve the issue.
We aim to resolve validated vulnerabilities in a timely manner and will notify you when the issue is fixed.
Recognition and Incentives
While we do not offer a formal bug bounty program at this time, we are happy to publicly recognize individuals who responsibly disclose vulnerabilities. If you would like to be credited, please let us know, and we will list your name on our Security Hall of Fame.
No Compensation
At this time, we do not offer financial rewards for vulnerability disclosures. However, we greatly value your contribution to the security of our systems and are committed to improving our processes with your help.
What Not to Do
No Disruption: Avoid actions that may interfere with the availability or performance of our services.
No Data Access: Do not attempt to access, modify, or delete any confidential or sensitive data.
No Social Engineering or Phishing: Refrain from using social engineering techniques (e.g., phishing, impersonation) to gain access to systems.
No Public Disclosure: Do not publicly disclose vulnerabilities until we have confirmed a resolution and granted permission.
Legal Disclaimers
This policy is intended to provide legal protection for researchers who follow the guidelines. However, Medendo reserves the right to update or modify this policy at any time. By submitting a report, you agree to comply with this policy. Any actions outside the scope of this policy or the law may void the protections offered.
Thank you for helping us keep Medendo secure!