Security Compliance at Virta Health
Vulnerability Disclosure Program
Version 1.0 - June 2023
You MUST read and agree to abide by the guidelines in this policy for conducting security research and disclosure of vulnerabilities or indicators of vulnerabilities related to Virta Health information systems.
We will presume you are acting in good faith when you discover, test, and submit reports of vulnerabilities or indicators of vulnerabilities in accordance with these guidelines:
- You MUST NOT proceed with testing unless you go through the approval process. You must request approval to conduct vulnerability research before you start. Send your request to firstname.lastname@example.org with the following information:
- Your full details, including your location. You MUST be located within the US.
- Type of vulnerability research you will be conducting.
- The organization you are working for, or whether you are acting as an individual or as part of a group.
- If Virta’s InfoSec team approves your request, they will tell you which Virta information systems you may test in order to detect a vulnerability or identify an indicator of a vulnerability, for the sole purpose of providing Virta with information about that vulnerability.
- You MUST avoid harm to Virta information systems and operations.
- You MUST NOT exploit any vulnerability beyond the minimal amount of testing required to prove that the vulnerability exists or to identify an indicator related to that vulnerability.
- You MUST NOT intentionally access the content of any communications, data, or information transiting or stored on Virta information system(s) – except to the extent that the information is directly related to a vulnerability and the access is necessary to prove that the vulnerability exists.
- You MUST NOT exfiltrate any data under any circumstances.
- You MUST NOT intentionally compromise the privacy or safety of Virta personnel or any legitimate third parties.
- You MUST NOT intentionally compromise the intellectual property or other commercial or financial interests of any Virta personnel or entities or any legitimate third parties.
- You MUST NOT disclose any details of any existing Virta information system vulnerability or indicator of vulnerability to any party not already aware at the time the report is submitted to Virta.
- You MUST NOT disclose any incidental proprietary data revealed during testing or the content of information rendered available by the vulnerability to any party not already aware at the time the report is submitted to VIRTA.
- You MUST NOT cause a denial of any legitimate services in the course of your testing.
- You MUST NOT conduct social engineering in any form of VIRTA personnel or contractors.
- You MUST NOT submit a high volume of low-quality reports.
- You MUST comply with all applicable Federal, State, and local laws in connection with security research activities or other participation in this vulnerability disclosure program.
How To Submit a Report
The InfoSec team will confirm during the approval process how to submit your report and what to include in the report.
An example vulnerability report would include a detailed summary covering:
- Type of vulnerability;
- IP Address or hostname;
- Description of vulnerability;
- Instructions to replicate;
- Potential impact to system/site;
- Recommended remediation actions.
We take every disclosure very seriously, and very much appreciate your efforts (if you were approved to conduct this research). We are committed to coordinating with you as openly and expeditiously as possible. The contents of information provided in the reports and follow-up communications are processed and stored on the Virta information system. You can expect us to do the following:
- We SHALL investigate every reported (high / critical) vulnerability and strive to ensure that appropriate steps are taken to mitigate risk and remediate reported vulnerabilities.
- We SHALL, to the best of our ability, validate the existence of the vulnerability.
- We SHALL request 30 days for acknowledgement and 90 days for mitigation, development, and deployment.
- We MAY decide to pay or not to pay based on the criticality of the vulnerability. This can be determined during the approval process.
Legal / Authorization
If Virta’s InfoSec team approves your research request, and you make a good faith effort to conduct your research and disclose vulnerabilities in accordance with the guidelines set forth in this policy,
- VIRTA will not recommend or pursue any law enforcement or civil lawsuits related to such activities, and
- in the event of any law enforcement or civil action brought by any entity other than VIRTA, VIRTA will affirm that your research and disclosure activities were conducted pursuant to, and in compliance with, this policy.
This agreement is effective at the time you submit your request.
VIRTA does not authorize, permit, or otherwise allow (expressly or implicitly) any person, including any individual, group of individuals, consortium, partnership, or any other business or legal entity to engage in any security research or vulnerability or threat disclosure activity that is inconsistent with this policy or the law. Any activities that are inconsistent with this policy or the law may lead to criminal and/or civil liabilities.
VIRTA may modify the terms of this policy, or suspend this policy at any time.