Security Vulnerability Disclosure Policy

Introduction

Peppy, operated by Peppy Health Limited (“Peppy”) is digital health platform, providing tailored, expert-led support to individuals before they need to see a doctor, bridging the gap between online searches and hard-to-access clinical care. We provide people with support when they need it the most, and we’ve been told by our users that our service is a life-saver.

This policy applies to any vulnerabilities you’re considering reporting to us. Please read this document fully prior to reporting any vulnerabilities to ensure that you understand the policy and can act in compliance with it.

We really do value those who take the time and effort to report security vulnerabilities according to this policy. However, we aren’t able to offer monetary rewards for vulnerability disclosures.

Reporting

If you believe you’ve found a security vulnerability, please submit your report to us via email to security@peppy.health. We would prefer you to use encrypted communications. For email, our PGP key details can be found via our security.txt file and below.

In your report, please include details of:

  • The website, IP or page where the vulnerability can be observed.
  • A brief description of the type of vulnerability, for example; “XSS vulnerability”.
  • Steps to reproduce. In accordance with industry convention, these should be a benign, non-destructive, proof of concept.
  • Please ensure that you do not send any proof of of exploit in plaintext email
  • Please do not send any Personally identifiable information (PII) by email.
  • Please also ensure that all proof of exploits are in accordance with our guidance (below).

This helps to ensure that the report can be triaged quickly and accurately. It also reduces the likelihood of duplicate reports, or malicious exploitation of some vulnerabilities, such as sub-domain takeovers.

If you’re in any doubt, please email security@peppy.health for advice.

What to expect

After you’ve submitted your report, we’ll respond within 5 working days (usually much quicker) with a ticket number, and aim to triage your report within 10 working days. We’ll try to keep you well informed of our progress.

Priority for remediation is assessed by looking at the impact, severity and exploit complexity. Vulnerability reports might take some time to triage or address. You’re welcome to enquire on the status but please do so from the same email address that submitted the report, quoting the ticket number, and avoid doing so more than once every 14 days. This allows our teams to focus on the remediation.

We’ll notify you when the reported vulnerability is remediated (or remediation work is scheduled), and you may be invited to confirm that the solution covers the vulnerability adequately.

We’ll offer you the opportunity to feed back to us on the process and relationship as well as the vulnerability resolution. This information will be used in strict confidence in order to help us improve the way in which we handle reports and/or develop services and resolve vulnerabilities.

Once your vulnerability has been resolved, we welcome requests to disclose your report. We’d like to unify guidance to affected users, so please do continue to coordinate public release with us.

We publicly acknowledge reporters of vulnerabilities on this page and we’ll ask for the details you wish to be included. We will not name you without your consent.

Guidance

You MUST NOT:

  • Break any applicable law or regulations.
  • Violate the privacy of Peppy’s users, staff, contractors, services or systems. You must not, for example, share, redistribute or fail to properly secure data retrieved from the systems or services.
  • Access unnecessary, excessive or significant amounts of data. A small number of records is enough to demonstrate a vulnerability.
  • Modify data in Peppy’s systems or services.
  • Use automated, high-intensity, invasive or destructive scanning tools to find vulnerabilities.
  • Attempt or report any form of denial of service, e.g. overwhelming a service with a high volume of requests.
  • Disrupt Peppy’s services or systems.
  • Probe systems run by third parties, even if they’re used by Peppy.
  • Submit reports relating to TLS configuration weaknesses, for example “weak” cipher suite support or the presence of TLS1.0 support; non-exploitable vulnerabilities, or reports indicating that the services do not fully align with “best practice”, for example missing security headers; or Email configuration issues (SPF, DKIM, DMARC).
  • Communicate any vulnerabilities or associated details other than by means described in the published security.txt. In particular, please do not send security vulnerability disclosures through Peppy’s end-user support channels.
  • Social engineer, ‘phish’ or physically attack Peppy’s staff or infrastructure.
  • Demand financial compensation in order to disclose any vulnerabilities.
  • Disclose any vulnerabilities in Peppy’s systems/services to 3rd parties or the public prior to Peppy confirming that those vulnerabilities have been mitigated or rectified. This doesn’t prevent notification of a vulnerability to 3rd parties to whom the vulnerability is directly relevant, for example where the vulnerability being reported is in a software library or framework – but details of the specific vulnerability of Peppy must not be referenced in such reports. If you’re unsure about the status of a 3rd party to whom you wish to send notification, please email security@peppy.health for clarification.

You must always comply with data protection rules, and securely delete all data retrieved during your research as soon as it is no longer required or within 1 month of the vulnerability being resolved, whichever occurs first (or as otherwise required by data protection law).

If you’re unsure at any stage whether the actions you’re thinking of taking are acceptable, please contact our security team for guidance at security@peppy.health. As ever, please do not include any sensitive information in plaintext email.

Legalities

This policy is designed to be compatible with common vulnerability disclosure good practice among well intentioned security researchers, and ISO/IEC 29147:2018.

It does not give you permission to act in any manner that is inconsistent with the law, or which might cause Peppy or partner organisations to be in breach of any legal obligations, including but not limited to:

  • The Computer Misuse Act (1990)
  • The General Data Protection Regulation 2016/679 (GDPR) and the Data Protection Act 2018
  • The Copyright, Designs and Patents Act (1988)

Peppy Health Ltd affirms that we will not seek prosecution of any security researcher who reports any security vulnerability on a Peppy service or system, where the researcher has acted in good faith and in accordance with this disclosure policy. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Feedback

If you wish to provide feedback or suggestions on this policy, please contact our security team at security@peppy.health. This policy will evolve over time and your input will be valued to ensure that it is clear, complete and remains relevant.

Our PGP Key

-----BEGIN PGP PUBLIC KEY BLOCK-----
mDMEYbniZRYJKwYBBAHaRw8BAQdAnB7dwNLQeXOSHNeUjyDkiaX8gtz5clFdGb2g
DDcfgJe0NlBlcHB5IEhlYWx0aCBMdGQgU2VjdXJpdHkgVGVhbSA8c2VjdXJpdHlA
cGVwcHkuaGVhbHRoPoiUBBMWCgA8FiEErvRpYUFOhD90UNBqYm4Fy1LjXWQFAmG5
4mUCGwMFCwkIBwIDIgIBBhUKCQgLAgQWAgMBAh4HAheAAAoJEGJuBctS411kbrIB
ANCUeGzbidvXSjjnR6iArv0hfpXtbjhorsXqR5L6SdsYAQDIRMGPwL/3hWQRDYnL
Kewv4B05pIAgnaN9Aik2z5BHDLg4BGG54mUSCisGAQQBl1UBBQEBB0D4UPwHI+ok
b45J+0gdO5Jq1hjLeKlSIZOuiOLYIcUhPwMBCAeIeAQYFgoAIBYhBK70aWFBToQ/
dFDQamJuBctS411kBQJhueJlAhsMAAoJEGJuBctS411k+JoBAISg6HXp5FT3KAea
AxV1ooSlg97MQfQn2fIrB/e8FC+TAQC6oGGzDSmW637JMUJQe2JTeFZr5mNgwtSm
E6VtKRD4Aw==
=rEIp
-----END PGP PUBLIC KEY BLOCK-----