Safe Harbor Policy
Summary
If you have discovered a security vulnerability within any of our applications, we appreciate your assistance in disclosing it in a coordinated manner.
We want you to coordinate disclosure through our vulnerability program, and we do not want researchers to fear legal consequences for their good faith attempts to alert us to vulnerabilities in our software. We cannot bind any third party, so do not assume this protection extends to any third party. If in doubt, please ask us before engaging in any specific action you perceive as going outside the bounds of our software.
Because both identifying and non-identifying information can put a researcher at risk, we limit what we share with third parties. We may provide non-identifying substantive information from your disclosure to an affected third party, but only after notifying you and receiving a commitment that the third party will not pursue legal action against you. We will only share identifying information (name, email, phone number, etc.) with a third party if you give your written permission.
If your research as part of this disclosure violates restrictions in site policies, the safe harbor terms permit a limited exemption.
Safe Harbor Terms
To encourage research and coordinated disclosure of security vulnerabilities, we will not pursue civil or criminal action or send notice to law enforcement for accidental or good faith violations of this policy. We consider security research and vulnerability disclosure activities conducted consistent with the policy to be “authorized” conduct under the Computer Fraud and Abuse Act, the Digital Millennium Copyright Act (DMCA), and other applicable computer use laws such as Cal. Penal Code 502(c). We waive any potential DMCA claim against you for circumventing the technological measures we have used to protect the applications in this scope.
Please understand that if your security research involves the networks, systems, information, applications, products, or services of a third party, we cannot bind that third party, and they may pursue legal action or notify law enforcement. We cannot and do not authorize security research in the name of other entities, and cannot in any way offer to defend, indemnify, or otherwise protect you from any third-party action based on your actions.
You are expected to comply with all laws applicable to you, and not to disrupt or compromise any data beyond what this vulnerability program permits.
Please contact us at infosec@elliginthealth.com prior to engaging in conduct that may be inconsistent with or unaddressed by this policy. We reserve the right to make the determination of whether a violation of this policy is accidental or in good faith, and contacting us proactively before engaging in any action is a significant factor in that decision.
Third-Party Safe Harbor
If you submit a report through our vulnerability reporting program which affects a third-party service, we will limit what we share with any affected third party. We may share non-identifying content from your report with an affected third party, but only after notifying you that we intend to do so and getting the third party’s written commitment that they will not pursue legal action against you or initiate contact with law enforcement based on your report. We will not share your identifying information with any affected third party without first getting your written permission to do so.
Please note, we cannot authorize out-of-scope testing in the name of third parties, and such testing is beyond the scope of this policy. Refer to that third-party’s bug bounty or vulnerability disclosure program, if one is available, or contact the third party directly or through a legal representative before initiating any testing on that third party or their services. This should not be understood as any agreement on our part to defend, indemnify, or otherwise protect you from any third-party action based on your actions.
If legal action is initiated by a third-party, including law enforcement, against you because of your participation in this program, and you have sufficiently complied with our policy (not made intentional or bad faith violations), we will take steps to make it known that your actions were conducted in compliance with policy. While we consider submitted reports both confidential and potentially privileged documents, and protected from compelled disclosure in most circumstances, please be aware that a court could, despite our objections, order us to share information with a third-party.