Security

Elektra Labs Coordinated Disclosure Policy

At Elektra Labs, we see ourselves as a leader in protecting security and privacy, and we realize that potential security issues are inevitable. Our systems are designed with a security-first framework in mind. We perform threat modeling and adversarial resilience testing as the foundation of any solution we provide. In addition to these industry-standard practices, we welcome security researchers to inform us of any vulnerabilities that could cause human harm and/or compromise the confidentiality, integrity, or availability of our systems.

The following lays out our policy for how we will interact with, and structure an informed dialog with, any security researcher who claims to have found such an issue, and enumerates our intentions, expectations, and intake mechanisms for handling these events.

Program scope

Elektra authorizes good-faith research into any of our digital assets, including:

Our web portal

Our web infrastructure (hosted on AWS)

Our GitHub repositories

However, all vulnerabilities that require or are related to the following are out of scope:

Social engineering

Physical security

For vulnerabilities in third-party libraries, systems, or code, we will guide researchers to report those to the appropriate parties (directly, or through coordinators such as CERT/CC). If reported to Elektra Labs, we may also report the issue through our supply chain and to relevant third parties, because this can often improve the responsiveness of the software maker.

We do not, at this time, pay bounties or maintain a “hall of fame” for vulnerability reports.

Elektra supports security researchers acting in good faith!

Elektra Labs works closely with the security research community at DEF CON, among other venues. We believe that well-intentioned security research improves patient safety and overall clinical effectiveness. We do not intend to take legal action against security researchers who appear to be acting in good faith.

We consider research conducted under this policy to be:

Authorized in view of applicable anti-hacking and anti-circumvention laws; and

Exempt from conflicting restrictions in our Acceptable Use Policy.

You are expected, as always, to comply with all applicable laws. If legal action is initiated by a third party against you, we will take steps to make it known whether your actions were conducted in compliance with our policy.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our official channels before going any further.

What we expect from security researchers

We want to encourage vulnerability research, so to avoid any confusion between legitimate research and malicious activity, we ask that you, in good faith:

Play by the rules. Follow this policy and any other relevant agreement set forth by Elektra Labs;

Report any vulnerability you’ve discovered promptly;

Avoid violating others’ privacy, disrupting our systems, destroying data, and/or harming user experience;

Use only our official channels to discuss vulnerability information with us;

Protect the confidentiality of the details of any discovered vulnerabilities according to our Disclosure Policy;

Perform testing only on in-scope digital assets, and respect assets and activities which are out-of-scope;

If a vulnerability provides unintended access to data:

Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and

Cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information;

Limit interactions to test accounts you own;

Use accounts only with the explicit permission of the account holder;

Notify us of any plans or intentions for public disclosure; and

Do not engage in extortion.

What you can expect from us

When interacting with us in accordance with this policy, you can expect us to:

Respond to your submission within 10 days;

Maintain an open dialog;

Work with you to understand and validate your report;

Address discovered vulnerabilities in a timely manner;

Update you on progress, as appropriate; and

Notify you when we believe we have sufficiently addressed the reported issue.

How to report a vulnerability

To report a potential security vulnerability, send a message to [email protected].

If you’d like to PGP encrypt the message, here’s our PGP Key.

Submission preferences and prioritizations

Reports will be most helpful if they:

Include how the bug was found, the impact, and any remediation suggestions;

Include proof-of-concept code to help diagnose root causes as quickly as possible;

Crash dumps and automated tool output are helpful, but if accompanied by code or steps toward reproducibility they’re significantly more valuable.

Are submitted in English; however, no submission will go unattended.

We encourage all good-faith reports; however, we have no control over third-party products. We will involve third parties in issues as promptly and as responsibly as possible.

Further references

We developed this policy with the help of individuals from the leading coordinated vulnerability disclosure organizations and other resources, below:

I Am The Cavalry’s Position on Disclosure.

The CERT/CC, part of the non-profit Software Engineering Institute (SEI), and their Guide to Coordinated Vulnerability Disclosure.

CISA, the US government’s incident handling and vulnerability coordination organization.

The US Food and Drug Administration, regulator for medical devices.

Bugcrowd and HackerOne, companies that run disclosure programs for other organizations.

The US Department of Commerce (NTIA) template and guidance document for vulnerability disclosure in safety-critical systems.

The ISO/IEC 29147 Standard for Vulnerability Disclosure.

US Department of Justice Framework for Vulnerability Disclosure for Online Systems.

Google Vulnerability Disclosure Philosophy.

Microsoft Coordinated Vulnerability Disclosure policy.

Versioning

2019/10/08 v1.0 Initial publication

© 2019 ELEKTRA LABS