Docon Vulnerability Disclosure Policy

Introduction:

Docon delivers digital healthcare for everyone by providing access to appointments, prescriptions and teleconsultation with doctors. Doctors leverage our best-in-class practice management app to ease practice, patient & prescription management. Docon is committed to maintaining the security and integrity of our products. We value the privacy of our customers, doctors and partners and understand the importance of critical healthcare data. We strive to safeguard our websites, mobile applications and internal systems, and we welcome vulnerability reports that can help further enhance the security, integrity and privacy of our systems. We take each and every vulnerability disclosure seriously and are committed to creating a safe & transparent environment to report vulnerabilities.

Authorization:

If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized. We will work with you to understand and resolve the issue quickly, and Docon will not initiate or recommend legal action related to your research.

Terms:

  • Reporters submitting a Vulnerability to Docon agree to be bound by the terms of this policy.
  • We explicitly specify what is in scope and out of scope when discovering vulnerabilities and clearly mention the same in the sections below.
  • Reporters should make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
  • Reporters should use exploits only to the extent necessary to confirm a vulnerability.
  • Reporters should not use exploits to compromise or exfiltrate data, establish command line access and/or persistence, or “pivot” to other systems.
  • Once a reporter establishes that a vulnerability exists, or encounters any sensitive data, the reporter should stop any further testing and notify us immediately.
  • Reporters shall keep any information about discovered vulnerabilities confidential after submitting the vulnerability report.
  • We discourage violation of any applicable laws and breach of any agreements in order to discover vulnerabilities.
  • Docon reserves the right to pursue legal action when the terms of this policy are violated or when testing is performed outside the scope of this policy.
  • Docon may include an NDA and also make updates to this policy from time to time.
  • The decision made by our security team regarding validity, severity & impact of a vulnerability will be considered final and cannot be contested.
  • We may share your vulnerability reports with any affected partners, vendors or open source projects.

Scope:

Web properties owned by Docon, specifically:

  • https://docon.co.in/

If you encounter any of the below on our systems while testing within the scope of this policy, stop your test and notify us immediately:

  • Personally identifiable information
  • Financial information (e.g., credit card or bank account numbers)
  • Proprietary information or trade secrets of companies, partners or vendors

If the identified vulnerability can be used to potentially extract sensitive information related to customers or internal systems, or impact our ability to function normally, then stop your test and notify us immediately. This is absolutely essential for us to consider your disclosure a responsible one. We may take legal recourse if the identified vulnerabilities are exploited for unlawful gains, to get access to restricted customer or system information, or to impact our systems.

Reporting an issue:

Vulnerabilities discovered on our systems while testing within the scope of this policy can be reported by emailing them to infosec@docon.co.in. Please ensure that the following information is available when submitting a vulnerability report.

  • Description of the location and potential impact of the vulnerability. Please include any CVEs (Common Vulnerabilities and Exposures) when available.
  • A detailed description of the steps required to reproduce the vulnerability. Proof of concept (POC) scripts, screenshots, and screen captures are all helpful. Please use extreme care to properly label and protect any exploit code.
  • Any technical information and related materials we would need to reproduce the issue.
  • If possible, please include your contact details (email, mobile number) so that our Security team can reach out to you for any clarifications.

Note that reports that include only crash dumps or other automated tool output will not be accepted.

Please keep your vulnerability reports current by sending us any new information as it becomes available. We may share your vulnerability reports with any affected partners, vendors or open source projects.

Recognition:

Docon does not have a bounty/cash reward program for vulnerability disclosures, but we express our gratitude for your contribution in different ways. For genuine ethical disclosures, we will gladly acknowledge your contribution publicly in this section of our website. Of course, this will only be done if you want a public acknowledgement.

Eligibility for Hall of Fame:

  • Must be the first person to responsibly disclose the vulnerability
  • Vulnerability discovered must be found when testing within the scope of this policy
  • Reported vulnerability significantly impacts security and integrity of Docon products or impacts the privacy of customer or partner data
  • Vulnerabilities are rated Critical, High, Medium and Low. Only vulnerabilities rated Critical and High are eligible for the Hall of Fame.
