Responsible Disclosure Policy

General

Babylon takes the protection of our members’ health information very seriously. We use a Secure Software Development Lifecycle process to ensure that security and data protection are at the heart of our information governance program. We always seek to improve what we do and feedback from our users is especially important to us. We value the responsible disclosure of security vulnerabilities carried out by well-intentioned and ethical security researchers. This helps us to keep information safe and improve our business.

We would ask researchers to please not publicly disclose details of vulnerabilities without contacting Babylon first, so that we can ensure our users’ sensitive information is protected. We will happily give a donation to charity for any vulnerabilities that are found, assuming that you have contacted us first and we have given you written agreement before making any details public.


Policy

  • If you have found a potential vulnerability (that fits within the notification criteria listed below), please tell us about it by emailing us in English at: responsible.disclosure@babylonhealth.com
  • You can expect to receive acknowledgement from the Babylon security team within 48 hours of your submission
  • Babylon does not provide submitters with financial rewards, but we are happy to make an appropriate donation to charity for every valid vulnerability submitted. The charities we support are listed in the Charitable Donations section below
  • Testing must not modify or destroy any personal data other than your own, and must not violate any of Babylon’s or its partners’ Privacy Policies
  • Babylon will investigate your responsible disclosure submission, and the priority for fixes and/or mitigations will be assigned based on severity classification, impact and ease of exploitation
  • We will provide feedback on the outcome of our investigation privately and confidentially to the submitter
  • Upon validating an issue, Babylon will remediate in a timely manner, in accordance with our relevant security policies
  • Babylon will notify the submitter once the vulnerability is remediated
  • All disclosures must be made following Babylon’s Responsible Disclosure Program Policy
  • We would ask anyone not to report vulnerabilities publicly (for example to the press or within a social media stream or other public domain) due to the potential impact this could have on our users. We would consider this irresponsible disclosure and ask for the chance to fix any vulnerabilities before announcements are made public.


Acceptable Scope and Guidelines

We may make changes to our Responsible Disclosure Program, so please visit frequently to keep up-to-date and ensure you stay within its scope.


Disclosure Reporting Guidelines

Within your submission email to responsible.disclosure@babylonhealth.com, please provide in English:

  • Your name
  • A description of the vulnerability
  • Date and time you identified the vulnerability
  • How you identified the vulnerability
  • Your determination of the potential impact of the bug or vulnerability
  • A detailed workflow of steps taken so that we can reproduce the bug or vulnerability
  • Screen-shots or recorded proof of concept, where applicable, so that we can reproduce the bug or vulnerability.

We ask that you securely delete all the data you retrieved during your research as soon as it is no longer required, or at the very latest one month after the vulnerability is resolved.

If, at any point, you are unsure whether the actions you are thinking of taking agree with our Responsible Disclosure Policy, please contact us in English at responsible.disclosure@babylonhealth.com. Please do not include any sensitive information in any initial communications.


Domains in Scope

These are the domains (and any subdomains) that are considered in scope and for which we welcome reports:

  • babylonhealth.com
  • babylonpartners.com
  • babylonhealth.io
  • bbl.health
  • babylontech.co.uk
  • babylonbytelushealth.com
  • babylonstatic.com
  • gpathand.net
  • babyl.co.uk
  • babyl.rw
  • babylonpartners.rw
  • babylonhealth.rw
  • babylon.healthcare
  • babylon-secure.com


Notification Criteria

We particularly welcome reports of bugs on any of the following:

  • Authentication and access control issues
  • Security misconfiguration issues relating to our systems or resources
  • Sensitive data exposure
  • Cross-site scripting (XSS)
  • Remote code execution (RCE)
  • SQL injection, XML external entity (XXE) injection and command injection
  • Server side request forgery (SSRF)
  • Cross-site request forgery (CSRF)
  • Open redirects
  • Vulnerabilities found in third party services that Babylon uses


We do not need to be notified of all findings

The following are examples of findings that you do not need to notify us about:

  • DDoS
  • Social engineering attacks, including phishing (or similar)
  • Reports or findings generated by scanning tools where false positives have not been removed and the issues have not been confirmed as relevant in context
  • SSL/TLS scans
  • Disclosure of data that is clearly not sensitive
  • Insecure configuration with no obvious impact
  • Self-attempted brute force attacks
  • HTML injection and self cross-site scripting (self-XSS)
  • Session timeouts
  • Host header and banner grabbing issues
  • Logout CSRF
  • User enumeration (e.g. user email, user id)
  • EXIF data not stripped on images


Charitable Donations

We would like to express our deepest gratitude and appreciation to all researchers for their valid contributions to our Responsible Disclosure program.

As a gesture of our appreciation, and at our discretion and according to the appropriateness of the severity level, we will make a donation to a charity of your choice from our list below:

  • Macmillan Cancer Support
  • Breast Cancer Now
  • KidsOut
  • National AIDS Trust


Any other security questions?

We are always happy to hear from our members. If you have any other security-related questions, you can reach out to our security team by emailing: security.enquiries@babylonhealth.com


Confidentiality

Please note that any information you receive or collect about us, our affiliates, our products or services, or any of our users, employees or agents must be kept confidential and used only in connection with this policy. Please do not use, disclose or distribute any such information, including without limitation any information regarding your submission, without our prior written consent.


Legalities

We have designed this policy to be in line with common good practice. It does not give you permission to act in any way that is inconsistent with the law or to cause Babylon to breach any of its legal obligations, including but not limited to:

  • The Copyright, Designs and Patents Act (1988)
  • The Computer Misuse Act (1990)
  • The General Data Protection Regulation 2016/679 (GDPR) and the Data Protection Act 2018

You must never use the existence of a vulnerability or bug, or access to sensitive or confidential information, illegally or in bad faith, for example by making extortion demands, ransom requests or taking any other similar action.

Babylon reserves all legal rights in the event of any non-compliance with this policy.