Last updated: 12 June 2023
At Medicine Men we take the safety and security of our users very seriously. Not only are we ISO 27001 and NEN 7510 certified; we also make sure these values are part of our company culture. We encourage vulnerability testing by security researchers and customers, with responsible reporting to Medicine Men.
On this page, https://medicinemen.eu/security, we provide guidelines and other information that we ask you to follow when reporting vulnerability findings.
Our PGP public key
- Please send your submissions to email@example.com and use our public PGP key to encrypt such submissions.
- Please include a reference or advisory number and sufficient contact information, so that we can get in touch with you.
- Please provide as many technical details as you can, including the URLs you tested, the relevant technical infrastructure and network configuration, the date and time of testing and, if possible, the IP address from which you tested.
- Please provide all information needed to reproduce the issue on our side.
- If you have proof that the vulnerability has been exploited, please also provide it, PGP-encrypted.
- If you communicate vulnerability information to vulnerability coordinators or other parties, please advise us and provide their tracking number if possible.
Our Assessment and Action
- We will acknowledge your report within three business days.
- We will assign and provide a unique tracking number.
- We will keep you informed of the status of your report.
- We will:
  - Verify the reported vulnerability
  - Work on a resolution
  - Verify the effectiveness of the resolution
  - Release the resolution to production
  - Internally document and share lessons learned
- Do not include sensitive information, such as patient information, in any screenshots or other materials you provide to us as part of your report.
- Please use demo/test environments to perform vulnerability testing.
- Please don’t DDoS us.
- Don’t take advantage of the vulnerability or problem you have discovered, for example by downloading more than the absolute minimum of data needed to demonstrate the problem, or by deleting or modifying any data. Instead of sending the files themselves, for instance, you could send directory listings.
- If requested we will provide credit to researchers by listing them on our hall of honors.