Responsible Disclosure Policy

At ThriveDX, safeguarding the security and privacy of our users is our top priority. We are dedicated to upholding the highest standards across all our systems and data, but while striving for perfection, we acknowledge that some vulnerabilities may go unnoticed. 

This policy details our approach to addressing potential vulnerabilities and offers clear guidelines for security researchers on how to report them responsibly. Your contributions help us ensure a safer experience for everyone.

Found a Security Vulnerability? Let's Work Together.

If you think you’ve discovered a security vulnerability in one of our systems, we want to hear from you! Please report it directly to our security team at security@thrivedx.com. Also, to help us address the issue as swiftly as possible, please include detailed information, such as:

  • A clear description of the vulnerability.
  • Information regarding the systems affected and potential impact.
  • Steps to reproduce the issue and any relevant proof of concept, screenshots, or logs.

Things to Focus On

This policy applies to any vulnerabilities found within systems owned, operated, or maintained by ThriveDX. Specifically, this includes:

  • Websites, applications, and APIs owned or operated by ThriveDX.
  • Any publicly accessible systems, endpoints, or services directly managed by us.
  • Any other digital assets clearly belonging to ThriveDX.

Things to Avoid

While we encourage the responsible disclosure of security vulnerabilities, certain findings are considered out of scope and will not be eligible for further investigation or response. These include, but are not limited to:

  • Third-party services or products that are not directly managed by ThriveDX.
  • Social engineering attacks (such as phishing).
  • Denial of Service (DoS) attacks or Distributed Denial of Service (DDoS) attacks.
  • Physical security of our offices or data centers.
  • Issues related to the presence or absence of email best practices (e.g., SPF, DKIM, DMARC).

Our Commitment

Upon receiving your report, we commit to:

  • Acknowledge your report within 7 business days.
  • Provide an estimated timeline for resolution, if applicable.
  • Keep you updated on the progress of the investigation.
  • Notify you once the issue has been resolved and seek your feedback on the solution.

Guidelines for Responsible Disclosure

To protect our users and systems, we ask that you:

  • Do not publicly disclose discovered vulnerabilities until we’ve had a chance to investigate and address them.
  • Avoid actions that could cause harm, such as accessing, modifying, or deleting data that doesn’t belong to you.
  • Refrain from violating the privacy of others by accessing or disclosing personal information.
  • Follow our policies and all relevant laws during your research.

Legal Considerations

This policy is not intended to authorize any activity that violates applicable laws. By reporting vulnerabilities to us, you agree to comply with all relevant legal requirements and refrain from any actions that could harm our systems, compromise user data, or violate privacy. We value your responsible approach to helping us protect our users, and we expect all interactions to be conducted in good faith.

Staying Updated

Please note that we may update this policy occasionally as required. We encourage you to keep this in mind when reviewing our guidelines.

Get In Touch

If you have questions or need more information, please contact us at security@thrivedx.com. We appreciate your efforts to help us ensure the safety and security of our users.
