    Responsible Disclosure Policy

    Orange Health is among the fastest-growing diagnostic-tech companies in India. Our vision is to make healthcare seamless for consumers in their homes by enabling doctors to treat their patients in real-time.

    We recognize the importance of digital security to protect our systems, data, healthcare records, and most importantly, the privacy of our customers, patients, and partners. Our internal team works tirelessly to safeguard our systems and protect our patients' privacy, but we know that even the best teams can benefit from an extra set of eyes.

    The Responsible Disclosure Policy, as described below, allows and enables security researchers, ethical hackers, and concerned individuals to responsibly disclose any vulnerabilities they may find in our systems. By collaborating with the security community, we aim to continuously improve our defences, ensuring a safer and more secure environment for our users.

    We value and appreciate the contributions of the security research community in helping us protect the sensitive health information of our customers, patients, and partners and securing the digital presence of the healthcare community at large.

    Scope

    • All services and websites of Orange Health hosted on the orangehealth.in domain - *.orangehealth.in
    • Mobile Applications of Orange Health available for iOS and Android Operating Systems

    Not In Scope

    • Issues related to rate limiting, brute forcing, or denial of service scenarios (including account enumeration)
    • Email verification or impersonation
    • Missing best practices in SSL/TLS configuration
    • Missing best practices in Content Security Policy (CSP)
    • Missing security headers which don’t directly lead to a vulnerability or account compromise
    • Presence of common public files, such as robots.txt or files in the .well-known directory
    • Missing DNS and email best practices (invalid, incomplete or missing DNSSEC/SPF/DKIM/DMARC records, etc.)
    • Information disclosure including software version disclosure, banner identification issues, descriptive error messages or headers (e.g. stack traces, application or server errors)
    • Password policy issues, including lack of upper limit on passwords
    • Self-exploitation issues (such as self XSS, cookie reuse, self denial of service, etc.)
    • Attacks requiring Man-in-the-middle (MITM) or physical access to a user's device
    • Vulnerabilities affecting users of older browsers (less than two versions behind the most recent stable version)
    • Previously known vulnerable libraries (including prototype pollution) without a working Proof of Concept that illustrates a meaningful exploit or account compromise
    • Clickjacking issues, without a working Proof of Concept that illustrates a meaningful exploit or account compromise
    • Blind Server Side Request Forgery (SSRF), without a working Proof of Concept that illustrates a meaningful exploit or account compromise
    • UI and UX bugs (including spelling mistakes)
    • Orange Health social media accounts
    • Sites and services provided to Orange Health by other organisations
    In the interest of the safety of our staff and our customers, the following test types are also out of scope:

    • Social engineering or phishing of Orange Health’s workforce
    • Any attacks against Orange Health’s physical property, offices, or datacenters
    • Any attacks against other users of Orange Health

    Authorization / Safe Harbor

    If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorised, work with you to understand and resolve the issue quickly, and Orange Health will not initiate or recommend legal action related to your research.

    You are expected to comply with all applicable laws. If legal action is initiated by a third party against you, and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy at our sole discretion. However, Orange Health cannot authorise any activity on third-party products without their written approval or guarantee they will not pursue legal action against you. We are not, in any way, responsible for your liability from actions performed on third parties.

    Rules of Engagement

    You must not:

    • Test any system other than the systems set forth in the ‘Scope’ section above
    • Disclose vulnerability information except as set forth in the ‘Reporting a Vulnerability’ and ‘Disclosure’ sections below
    • Engage in physical testing of facilities or resources
    • Engage in social engineering
    • Send unsolicited email or communications to Orange Health users, including 'phishing' messages
    • Execute or attempt to execute Denial of Service or Resource Exhaustion attacks
    • Introduce malicious software
    • Test in a manner which could degrade the operation of Orange Health systems; or intentionally impair, disrupt, or disable Orange Health systems
    • Test third-party applications, websites, or services that integrate with or link to or from Orange Health systems
    • Delete, alter, share, retain, or destroy Orange Health data, or render Orange Health data inaccessible, or
    • Use an exploit to exfiltrate data, establish command line access, establish a persistent presence on Orange Health systems, or 'pivot' to other Orange Health systems

    You may:

    • View or store Orange Health nonpublic data only to the extent necessary to document the presence of a potential vulnerability.

    You must:

    • Cease testing and notify us immediately upon discovery of a vulnerability,
    • Cease testing and notify us immediately upon discovery of an exposure of nonpublic data,
    • Purge any stored Orange Health nonpublic data upon reporting a vulnerability, and
    • Start second-level testing/pivoting from one vulnerability to a subsequent vulnerability only after requesting and receiving prior written permission from us.

    Reporting a vulnerability

    Vulnerabilities discovered on our systems while testing within the scope of this policy can be reported by emailing secure@orangehealth.in. We will acknowledge receipt of the vulnerability within 48 hours. Please ensure that the following information is available when submitting a vulnerability report:

    • Description of the location and potential impact of the vulnerability. Please include any CVEs (Common Vulnerabilities and Exposures) when available.
    • A detailed description of the steps required to reproduce the vulnerability. Proof of concept (POC) scripts, screenshots, and screen captures are all helpful. Please use extreme care to properly label and protect any exploit code.
    • Any technical information and related materials we would need to reproduce the issue.

    If possible, please include contact details (email, mobile number) to let our Security team reach out to you for any clarifications.

    Note that reports that include only crash dumps or other automated tool output will not be accepted.

    Please keep your vulnerability reports current by sending us any new information as it becomes available. We may share your vulnerability reports with any affected partners, vendors, or open-source projects.

    Confidentiality

    We will maintain confidentiality and exclusivity in the disclosure and remediation process. Likewise, you shall also maintain confidentiality and handle information, including but not limited to the description of the vulnerability, shared findings, report, etc., with strict confidentiality. You shall not disclose any related information to third parties without written permission from our team.

    Recognition

    Orange Health does not have a bounty/cash reward program for vulnerability disclosures, but we express our gratitude for your hard work by showcasing your name and contribution in our Hall of Fame.

    If you have any blogs or want to publicly disclose the finding for educational purposes of the security community, you can do so after 30 days from the date of confirmation of the closure of the reported vulnerability by Orange Health.

    Hall of Fame

    Orange Health would like to thank the following researchers for responsibly disclosing security vulnerabilities to us and helping make Orange Health more secure:

    • Sumit Sahoo: reported "Bypass rate limiting for OTP validation" on Apr 18, 2024
    • Ayesha Aziz: reported "Use of google maps api keys without restrictions" on Jun 6, 2022
    • Atharv S: reported "Blind SSRF on Ordering Page" on Jan 22, 2022