Security Policy

Reporting security concerns to HealthUnlocked

If you have found a vulnerability within the HealthUnlocked platform, please contact us at security@healthunlocked.com.

When disclosing a vulnerability we ask that you:

  • Let us know as soon as possible.
  • Test against accounts you have created rather than those of real users.
  • Provide information that allows us to fix the vulnerability before disclosing it to others. HTTP request/response captures or packet captures are very helpful.
  • Work together with us to fix it where possible.

HealthUnlocked do not operate a bug bounty scheme with cash rewards, but we are happy to recognise the time and efforts of security researchers in our Security Hall of Fame, below. Researchers who have responsibly disclosed vulnerabilities and worked with us to resolve them will also receive some HealthUnlocked swag as a small token of our appreciation. Vulnerability reports will always be acknowledged; however, we are a small team, so we would appreciate your patience following your report submission.

Please be aware that we are not looking for any of the following:

  • Cross-site scripting (XSS) vulnerabilities unless you can show it causing a pop-up alert in the browser, and that it is exploitable by someone other than the user. Ideally, show the user's authentication cookie.
  • Cross-site request forgery (CSRF) vulnerabilities that do not demonstrate the third party causing the logged-in victim to perform an action.
  • Vulnerabilities in third-party services, e.g. wordpress.com.
  • Generic vulnerability scanner reports.

Security researcher hall of fame

Individuals who have responsibly disclosed vulnerabilities and worked with us to resolve them will be listed below, including any professional websites.

Thank you for taking the time and effort to responsibly disclose this information to HealthUnlocked.