VULNERABILITY DISCLOSURE POLICY
Meri Pharmacy is committed to maintaining the security and integrity of our products and our customers and partners. We understand the importance of critical healthcare data. We strive to safeguard our systems and data in compliance with security best practices and standards. While every effort is expended to ensure that the websites, mobile applications as well as internal systems are secured, we welcome vulnerability reports that can help further enhance the security, integrity, and privacy of our systems. We take every vulnerability disclosure seriously and are committed to creating a safe & transparent environment to report vulnerabilities.
Rules of Engagement
- Reporters submitting a vulnerability to Meri Pharmacy agree to be bound by the terms of the Vulnerability Disclosure Policy (“Terms“)
- We explicitly specify what is in scope and out of scope when discovering vulnerabilities and clearly mention the same in the sections below.
- Reporters should make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
- Reporters should only use/exploit to the extent necessary to confirm a vulnerability.
- Reporters should not use or exploit to compromise or exfiltrate data, establish command line access and/or persistence, or use/exploit to “pivot” to other systems.
- Once a reporter establishes that a vulnerability exists, or encounters any sensitive data, the reporter should stop any further testing and notify us immediately.
- Reporters shall keep any information about discovered vulnerabilities confidential after submitting the vulnerability report.
- We discourage violation of any applicable laws and breach of any agreements to discover vulnerabilities.
- Meri Pharmacy reserves the right to pursue legal action when the term of this policy is violated or when testing is performed outside the scope of this policy.
- Meri Pharmacy may include an NDA and make updates to this policy from time to time.
- The decision made by our security team regarding validity, severity & impact of a vulnerability will be considered final and cannot be contested.
- We may share your vulnerability reports with any affected partners, vendors or open-source projects.
If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized, will work with you to understand and resolve the issue quickly, and Meri Pharmacy will not initiate or recommend legal action related to your research.
In Scope - Web properties owned by Meri Pharmacy, specifically
If you encounter any of the below on our systems while testing within the scope of this policy, stop your test and notify us immediately
- Personally identifiable information
- Financial information (e.g. credit card or bank account numbers)
- Proprietary information or trade secrets of companies, partners, or vendors.
- If the identified vulnerability can be used to potentially extract information sensitive information related to customers or internal systems, or impact our ability to function normally, then stop your test and notify us immediately. This is absolutely essentials for us to consider your disclosure a responsible one. We may take legal recourse if the identified vulnerabilities are exploited for unlawful gains or getting access to restricted customer or system information or impacting our systems.
Out Of Scope
Any services not expressly listed In Scope, such as any connected services, partner & vendor websites are excluded from scope.
- Connected services
- Partner & vendor websites
- Vendor Endpoints
- Delivery App Endpoints
- Warehouse Endpoints
- 3rd Party Applications
If there is a particular system not in scope that you think merits testing, please contact us to discuss it first. We may in our sole discretion modify or amend the scope of this policy from time to time.
The following types of tests are not authorized
- User interface bugs or typos.
- Network denial of service (DoS or DDoS) tests.
- Physical testing (e.g. office access, open doors, tailgating), social engineering (e.g. phishing, vishing), or any other non-technical vulnerability testing.
Reporting an issue
Vulnerabilities discovered on our systems while testing within the scope of this policy can be reported by emailing it to firstname.lastname@example.org or by mail using the details provided below:Meri Pharmacy
21-C Commercial Area, Old Sunset Boulevard,
DHA-II, Karachi, Pakistan.
Please ensure that the following information is available when submitting a vulnerability report.
- Description of the location and potential impact of the vulnerability. Please include any CVEs when available.
- A detailed description of the steps required to reproduce the vulnerability. Proof of concept (POC) scripts, screenshots, and screen captures are all helpful. Please use extreme care to properly label and protect any exploit code.
- Any technical information and related materials we would need to reproduce the issue.
- If possible please include the contact details (email, mobile number) to let our Security team reach out to you for any clarifications.
Note that reports that include only crash dumps or other automated tool output will not be accepted. Please keep your vulnerability reports current by sending us any new information as it becomes available. We may share your vulnerability reports with any affected partners, vendors or open source projects.
Meri Pharmacy does not have a bounty/cash reward program for vulnerability disclosures, but we express our gratitude for your contribution in different ways. For genuine ethical disclosures, we will gladly acknowledge your contribution publicly in this section of our website. Of course, this will only be done if you want a public acknowledgement.