Responsible Disclosure Policy
Babylon takes the protection of our members’ health information very seriously. We use a Secure Software Development Lifecycle process to ensure that security and data protection are at the heart of our information governance programme. We always seek to improve what we do and feedback from our users is especially important to us. We value the responsible disclosure of security vulnerabilities carried out by well-intentioned and ethical security researchers. This helps us to keep information safe and improve our business.
We would ask researchers to please not publicly disclose details of vulnerabilities without contacting Babylon first, so that we can ensure our users’ sensitive information is protected.
- If you have found a potential vulnerability (that fits within the notification criteria listed below) please tell us about it, by emailing us at: [email protected]
- You can expect to receive acknowledgement from the Babylon security team within 48 hours of your submission
- Babylon does not provide submitters with financial rewards
- Guidelines for the type of testing allowed cannot modify or destroy any personal data other than your own, and cannot violate any of Babylon’s or its partners’ Privacy Policies
- Babylon will investigate your responsible disclosure submission findings and the priority for fixes and/or mitigations will be assigned based on severity classification, impact and ease of exploitation
- We will provide feedback on the outcome of our investigation privately and confidentially to the submitter
- Upon validating an issue, Babylon will remediate in a timely manner, in accordance with our relevant security policies
- Babylon will notify the submitter once the vulnerability is remediated
- All disclosures must be made following Babylon’s Responsible Disclosure Program Policy
- We would ask anyone not to report vulnerabilities publicly (for example to the press or within a social media stream or other public domain) due to the potential impact this could have on our users. We would consider this irresponsible disclosure and ask for the chance to fix any vulnerabilities before announcements are made public.
Acceptable Scope and Guidelines
We may make changes to our Responsible Disclosure Programme so please visit frequently to keep up-to-date and ensure you stay within its scope.
Disclosure Reporting Guidelines
Within your submission email to [email protected] , please provide:
- Your name;
- A description of the vulnerability
- Date and time you identified the vulnerability
- How you identified the vulnerability
- Your determination of the potential impact of the bug or vulnerability
- A detailed workflow of steps taken so that we can reproduce the bug or vulnerability
- Screen-shots or recorded proof of concept, where applicable, so that we can reproduce the bug or vulnerability.
We ask that you securely delete all the data you retrieved during your research as soon as it is no longer required, or at the very latest one month after the vulnerability is resolved.
If at any stage you are unsure whether the actions you are thinking of taking fit with our Responsible Disclosure Policy, please contact us at [email protected]. Please do not include any sensitive information in any initial communications.
Domains in Scope
These are the domains (and any sub-domains) that are considered in scope and for which we welcome reports:
We particularly welcome reports of bugs on any of the following:
- Authentication and access control issues
- Security mis-configuration issues relating to our systems or resources
- Sensitive data exposure
- Cross-site scripting (XSS)
- Remote code execution (RCE)
- SQL or XML external entities (XXE) & command injection
- Server side request forgery (SSRF)
- Cross-site request forgery (CSRF)
- Open redirects
- Vulnerabilities found in third party services that Babylon uses
We do not need to be notified for all findings
The following are examples of findings that are not necessary to notify to us:
- Social engineering attacks, including phishing (or similar)
- Reports or findings generated from scanning tools without false positives removed and without confirmation that issues are relevant in context
- SSL/TLS scans
- Disclosure of data that is clearly not sensitive
- Insecure configuration with no obvious impact
- Self-attempted Brute Force Attacks
- HTML injection and self cross-site scripting (self-XSS)
- Session timeouts
- Host header and banner grabbing issues
- Logout CSRF
- User enumeration (e.g. user email, user id)
- EXIF data not stripped on images
Any other security questions?
We are always happy to hear from our members, should you have any other security-related queries, you can reach out to our security team by emailing: [email protected]
Please note that any information you receive or collect about us, our affiliates, our products or services, or any of our users, employees or agents must be kept confidential and used only in connection with this policy. Please do not use, disclose or distribute any such information, including without limitation any information regarding your submission, without our prior written consent.
We have designed this policy to be in line with common good practice. It does not give you permission to act in any way that is inconsistent with the law or to cause Babylon to breach any of its legal obligations, including but not limited to:
- The Copyright, Designs and Patents Act (1988)
- The Computer Misuse Act (1990)
- The General Data Protection Regulation 2016/679 (GDPR) and the Data Protection Act 2018
You should never illegally or in bad faith use the existence of a vulnerability / bug or access to sensitive or confidential information, such as making extortionate demands, ransom requests or any other similar actions.
Babylon reserves all legal rights in the event of any non-compliance with this policy.