Responsible Security Disclosure​

Our policy on supporting responsible disclosure

Orion Health supports the responsible disclosure of security vulnerabilities, as it is one of our top priorities to protect the privacy of our customer and patient data.

 

We ask that if external parties find any sensitive information, potential vulnerabilities and/or weaknesses that they please help by disclosing it to us in a responsible manner.

We request that parties do not engage in any of the following:

  • Attempts to modify/destroy/corrupt other users data.
  • Attempts to (D)DoS Orion Health products, services or applications.
  • Any violations of applicable law.
  • Accessing other users’ account details or any other user’s private information PHI.

We may ask parties to destroy any information they hold that does not belong to them, after we have confirmed the vulnerability. This includes Protected Health Information (PHI) or Personally Identifiable Information (PII), and any other information we deem a threat to the security of our customers.

Customer Security:

Since we deal with PHI and PII we require that any such information is transmitted and/or stored securely. We request that details of any PHI/PII or the disclosed vulnerability not be disclosed to any third parties or to the public to the extent legally possible.

Bug bounty:

We do not currently have a paid bug bounty program.

Commitment:

Reports submitted to Orion Health in good faith, and pursuant to this process, will result in Orion Health’s commitment to the following:

  • We will acknowledge any person who responsibly discloses bugs/vulnerabilities in our products or infrastructure in the product change logs/release notes, unless they choose to remain anonymous.
  • Any information shared with us will be kept confidential within Orion Health where permitted by law.

Contact:  security.disclosures@orionhealth.com