Security



Goals


The Halodoc security vulnerability bounty is designed to:
  1. Reward those who responsibly disclose vulnerabilities on Halodoc properties
  2. Help make Halodoc more secure for its users

How to report


Send an email with all the details to security@halodoc.com

The email should contain at least the following information:

  1. Vulnerability type (XSS, Session Hijack, etc.)
  2. Vulnerable service (Mobile apps, API, public website, etc.)
  3. Details about the vulnerability
  4. A proof of concept of the vulnerability (logs, screenshots or video as applicable)

Responsible disclosure


  1. Please do not publicly disclose the vulnerability until it has been patched.
  2. We will privately acknowledge each incident reported at security@halodoc.com. Patching of the disclosed vulnerability may take some time depending on the complexity of the vulnerability. We request that the security researcher give us a reasonable amount of time before making the vulnerability public.
  3. Do not access private, sensitive data of any user without their explicit approval.
  4. Do not run any tests that may disrupt or degrade Halodoc services. Be especially careful before running scanners or similar automated tools.

Our promise


  1. We will acknowledge each incident reported as soon as we can.
  2. We will be fast in patching any vulnerability reported. We will keep the reporter informed about the progress.
  3. We will pay a bounty once the vulnerability is patched.

Eligibility


  1. The reported vulnerability should be a bug that compromises the integrity of user data, bypasses privacy protections or enables unauthorised access. Other types of bugs are not eligible.
  2. The reporter should be the first to disclose the vulnerability.

Bounties


Our awards will start from IDR 250.000. More serious vulnerabilities will be awarded higher amounts.

Terms and conditions


  1. Do not violate any laws. Don't be evil. Halodoc retains the right to pursue legal action if "Responsible Disclosure" is not followed.
  2. Eligibility and the amount given out as bounty are at the sole discretion of Halodoc.
  3. When testing for vulnerabilities, use your own account. Testing should not violate any laws or access data of other users without their explicit approval.
  4. Halodoc retains the right to modify or terminate this program at any time without notice.


