Radicle Health Responsible Disclosure Program
Rules of Engagement
This Program provides users an opportunity to inform Radicle Health about potential vulnerabilities found in our products or services. However, this Program is not a bug bounty program, and nothing herein shall be construed as any authorization or approval for any parties to conduct security testing or engage in other prohibited activities below.
Specifically, Radicle Health prohibits any:
- Use of intrusion exploitation tools, including any vulnerability scanners
- Manipulation
- Data Exfiltration/Disclosure
- Service Disruption
- Scanning or enumeration of any kind
- Any attempt to gain unauthorized access to Radicle Health systems or data
Radicle Health will not make any payouts, provide compensation, give bounties, or distribute any similar compensation, for information that is disclosed in connection with this Program. Radicle Health reserves the right to pursue legal action in the case of unauthorized activities conducted on Radicle Health’s systems or infrastructure.
In the event users identify any vulnerabilities through the following methods:
- Unintentional Discovery: If you unintentionally discover a security issue, report it immediately without exploiting or investigating further.
- Use of passive observation: Report any security issues that are visible as an incidental use of Radicle Health’s products/services, without intentional probing or testing.
- Normal application use: Only report issues that you have come across in the normal course of using Radicle Health’s products/services.
then users are encouraged to notify Radicle Health according to the “Reporting Guidelines” section below.
Exclusions
The following items will not be regarded as actionable findings by Radicle Health and thus should not be submitted for evaluation:
- Clickjacking on pages without sensitive actions
- Missing SPF/DKIM/DMARC records
- Vulnerabilities in third-party services
- Missing cookie attributes
Reporting Guidelines
Any vulnerabilities or similar security issues should be sent by email to security@radicle-health.com. This address is a shared inbox monitored by members of the Radicle Health security team.
Reports submitted to the security team should include:
- A descriptive subject field summarizing the issue
- A detailed description outlining the issue in depth
- Location of the issue (URL path, parameter, domain name, etc.)
- Detailed steps for reproducing the finding
If the submission does not include all the details required for proper investigation, additional information will be requested.
Once a submission is received, Radicle Health, at its sole and absolute discretion, may assess and evaluate each report, and determine an appropriate course of action. Radicle Health may inform the reporter that the issue has been verified and will be slated for remediation according to the risk it poses to Radicle Health, its customers, or any individuals.
Acknowledgment of a reported vulnerability by Radicle Health does not constitute permission, authorization, or approval for public disclosure, publication, or any form of dissemination of the information provided.