Innovaccer Bug Reporting

Innovaccer is committed to the security of our products and customers.

If you discover a bug, we appreciate your cooperation in responsibly investigating and reporting it to us so that we can address it as soon as possible.

If you believe that you have found a security vulnerability or bug on any Innovaccer-owned website or application, we encourage you to let us know straight away. Our team will investigate all legitimate reports and do our best to fix the problem quickly.

Note: We do not run a bug bounty program at this time, but we acknowledge your efforts with a hall of fame certificate.

Eligibility

Be the first to report the issue to us. Please adhere to the following guidelines to report a bug:

  1. Ensure that your report pertains to an item explicitly listed under the Vulnerability Categories.
  2. Your report must contain sufficient information including a proof of concept screenshot, video, or code snippet where needed.
  3. You agree to participate in testing the effectiveness of the countermeasure applied to your report.
  4. You agree to keep any communication with Innovaccer private.
  5. You can report bugs anonymously, but we expect some form of e-mail address for communication.
  6. Any improper public disclosure or misuse of information will entitle Innovaccer to take appropriate legal action.
  7. The form below is the only mode of bug reporting; reports sent through other means of communication will make you ineligible.

Response Targets

Innovaccer will make the best effort to meet the following response targets for hackers participating in our program:

  1. First response - 1 business day
  2. Time to triage - 3 business days

We’ll try to keep you informed about our progress throughout the process.


Vulnerability Categories

 #   Vulnerability Type                        Comment
 1.  Cross-Site Request Forgery                With significant security impact
 2.  Authentication Bypass/Account Takeover
 3.  Open Redirects                            With significant security impact
 4.  Cross-Origin Resource Sharing             With significant security impact
 5.  SQL Injection
 6.  Server-Side Request Forgery
 7.  Privilege Escalation
 8.  Local File Inclusion
 9.  Remote File Inclusion
10.  Leakage of Sensitive Data
11.  Cross-Site Scripting                      Self-XSS is out of scope
12.  Directory Traversal                       With sensitive information disclosure
13.  Payment Manipulation
14.  Remote Code Execution
15.  Replay Attack
16.  Vulnerable Library                        With significant impact on the platform
17.  Session Hijacking
18.  Overflow Attacks

** Any other valid vulnerability with significant security impact is also eligible.


Program Rules

Please refrain from the following:

  • Attempting DoS/DDoS attacks.
  • Automated Scanning.
  • Using vulnerability testing tools that automatically generate significant traffic.
  • Accessing private information (use your own accounts).
  • Performing actions that may negatively affect Innovaccer users (social engineering, phishing, spam, denial of service).
  • Submitting reports from automated tools without verifying them.
  • Performing brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.
  • If you find a severe vulnerability that allows system access, stop there; you must not proceed further.
  • It is Innovaccer’s decision to determine when and how bugs should be addressed and fixed.
  • Threats of any kind will automatically disqualify you from participating in the program.
  • Exploiting or misusing the vulnerability for your own or others' benefit will automatically disqualify the report.
  • Bug disclosure communications with Innovaccer’s Security Team should remain confidential. Researchers must destroy all artifacts created to document vulnerabilities (POC code, videos, screenshots) after the bug report is closed.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service and only interact with accounts you own or with the explicit permission of the account holder.
  • Don't request updates on an hourly basis. We are handling dozens of reports daily, and spam impacts Innovaccer's Bug Reporting Program efficiency.

In Scope

Domain: *.innovaccer.com

Out of Scope Vulnerabilities:

  • Issues in software or applications not under Innovaccer’s control or owned by a third party.
  • Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability).
  • Missing security headers which do not lead directly to a vulnerability.
  • Clickjacking without an impact.
  • Known-vulnerable library (without evidence of exploitability).
  • Spam and rate-limiting issues.
  • SSL/TLS protocol vulnerabilities.
  • Best practice concerns will be reviewed, but in general, we require evidence of a vulnerability.
  • Vulnerabilities only affecting users of outdated or unpatched browsers and platforms.
  • Social engineering attacks.
  • User enumeration.
  • Any activity that could lead to the disruption of our service (DoS).
  • Open Redirection.