Responsible Disclosure Policy

Introduction

We would like to express our sincere thanks for your submission of a potential security vulnerability in our systems. Your efforts in contributing to a more secure digital environment are highly valued by our team here at Doctena.
At Doctena, we take the security of our systems seriously, and we value the security community. The responsible disclosure of security vulnerabilities helps us ensure the security and privacy of our users.

Guidelines

  • We require that all researchers: Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
  • Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent access, or use the exploit for any nefarious purposes.
  • Provide us with a reasonable amount of time to fix the issue before publishing it elsewhere.
  • Follow the laws applicable in their location and the location of Doctena.

Scope

Our responsible disclosure policy applies to the following types of security vulnerabilities:

  • Authentication Bypass
  • Autorisation Bypass
  • Insecure direct object references (IDOR)
  • Business logic flaws Injections (SQLi)
  • Remote code execution (RCE)
  • Local files access and manipulation (LFI, RFI, XXE, SSRF, XSPA)
  • CORS with real security impact
  • Personal Data Leakage
  • Secret Data Leakage

Reporting a Vulnerability

We accept vulnerability reports using the following form:

Reports should include:

  • Detailed description of the issue and potential impact
  • Steps to reproduce the issue (ideally using a video)
  • Proof of concept
  • Your assessment of the vulnerability’s severity, including CVSS score if possible.

Rewards

Our rewards for eligible vulnerabilities are based on severity, which we will determine based on the information you provide and our assessment. The reward applies only to the first reporter of a vulnerability and duplicate reports will not be rewarded.

We aim to respond to all security reports within 30 days. In some exceptional cases, it may take up to 90 days for you to receive a detailed response and any corresponding reward. This timeline allows us to ensure a thorough investigation and resolution of more complex issues. We appreciate your patience and understanding in this matter. Please note that rewards are granted only when vulnerability reporting complies with this Responsible Disclosure Policy.

In the interim, we kindly request that you maintain the confidentiality of the details of the reported vulnerability. This precautionary measure is vital to prevent potential misuse and provides us with adequate time to implement necessary fixes.

Exclusions

While we encourage any submissions that describe security vulnerabilities in our services, the following types of submissions are excluded from eligibility:

  • Anything that has already been reported or identified, for which we will show proof if you send in a duplicate.
  • Any hypothetical flaw or best practice without exploitable proof of concept/possibility to exploit.
  • Reports of missing “best practices” or other guidelines which do not indicate a real security vulnerability/possibility to exploit.
  • Security issues in third-party applications, services, or dependencies that integrate with Doctena products or infrastructure that do not have a demonstrable proof of concept for actual exploitation (e.g. libraries, SaaS services)
  • Denial of service attacks
  • Clickjacking

Legal

By participating in Doctena’s bug bounty program, you acknowledge that you have read and agreed to our policy. As long as your research complies with this policy, we won’t initiate legal action against you in relation to your research.

Acknowledgements

We recognise the importance of the security community and appreciate your interest in helping us keep Doctena safe for everyone.
and we want to express our gratitude for your contribution. Your diligence in discovering and reporting this potential vulnerability underscores a level of professionalism and commitment to the security community that we deeply respect.