Report a security issue
We take security seriously and are committed to supporting responsible disclosure of any issues you may uncover. If you are a security expert or researcher, we appreciate your efforts to keep our customers safe. We ask that you give our team a chance to research and address a vulnerability before disclosing it publicly.
How to Report an Issue
Please send details of the issue to email@example.com. If you'd like to encrypt your message, please use our PGP public key. We will respond within one business day and assign a point of contact to follow up on the issue.
Please include a detailed summary of the issue and steps on how to reproduce it.
Wellthy is committed to working with security researchers to help identify and fix vulnerabilities in our systems and services. As long as you act in good faith and abide by the guidelines outlined in this policy, we will make our best effort to commit to the following:
- Provide an initial response to your vulnerability report within one business day.
- Determine if we will accept (intend to fix) or reject (identify your report as a false positive or acceptable risk) your vulnerability report within ten business days.
- Keep you up to date on progress towards remediation of reports we accept from you.
As you research issues, please adhere to the guidelines below:
- Do not attempt to conduct post-exploitation, including modification or destruction of data, and interruption or degradation of Wellthy services.
- Do not attempt to access or modify another user’s account or data. Do not otherwise interfere with any other users' accounts.
- Do not expose any data belonging to other users.
- Do not attempt to target Wellthy employees or its customers, including social engineering attacks, phishing attacks or physical attacks.
- Do not perform physical attacks against any Wellthy facility.
- Do not interrupt or degrade our services. Do not attempt to perform brute-force attacks or denial-of-service attacks.
- Do not threaten or try to extort Wellthy. Do not act in bad faith and make ransom requests. You should simply report the vulnerability to us.
- Non-production versions of the site (i.e. demo or staging instances) are not within scope of this policy.
- Please make sure to use the User-Agent string wellthyvrpresearcher_yourwellthyusername while testing.
- Limited usage of automated scanners/tools is allowed with the above User-Agent applied, and scanners/tools must be configured to send no more than 5 requests per second to any particular service.
NOTE: If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data. Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may be regarded as evidence of a lack of good faith.
This policy applies to the following systems and services:
If you find any issues with the following systems and services please report them to their respective vendor:
Any service not expressly listed above, such as any connected services, is excluded from scope and is not authorized for testing. Additionally, vulnerabilities found in systems from our vendors fall outside of this policy’s scope and should be reported directly to the vendor according to their disclosure policy (if any). If you aren’t sure whether a system is in scope or not, contact us at firstname.lastname@example.org before starting your research.
We respect the effort and skill that go into finding and disclosing security issues. We credit researchers based on the value of the contribution. On a monthly basis, we will review submissions and update the list below. Credit will not be given for items which were first reported by another researcher. Wellthy retains the right to modify or discontinue this program at any time.
We would like to thank the following people:
- Pethuraj M
- Rizwan Ahmed
- Mohammed Abdul Raheem
- Mohd Aqeel Ahmed
- Yeasir Arafat
- Shivram Chouhan
- Pace Hitech
- Zeel Chavda
- Athul Jayaram
- Maulik Vaidh
- Sadik Shaikh
- Shwetabh Suman
- Abin Joseph
- Guhan Raja.L (Havoc)
- Shivam Kamboj Dattana
- Aagam Shah
- Kirtikumar Anandrao Ramchandani
- Omur Ugur
- Oumeir Saifedeen
- Sheikh Rishad