Innovaccer Bug Reporting

Innovaccer is committed to the security of our products and customers. We reward reporters for the responsible disclosure of in-scope issues and exploitation techniques.

If you discover a bug, we appreciate your cooperation in responsibly investigating and reporting it to us so that we can address it as soon as possible.

Note: We don’t have a bug bounty practice for now, but we will acknowledge your efforts with a hall of fame certificate.

Eligibility

Be the first to report the issue to us. Please adhere to the following guidelines to report a bug:

  1. Ensure that your report pertains to an item explicitly listed under the Vulnerability Categories.
  2. Your report must contain sufficient information including a proof of concept screenshot, video, or code snippet where needed.
  3. You agree to participate in testing the effectiveness of the countermeasure applied to your report.
  4. You agree to keep any communication with Innovaccer private.
  5. You can report bugs anonymously, but we expect some form of e-mail ID for communication.
  6. The form below is the only mode of bug reporting; using other means of communication will make you ineligible.

Vulnerability Categories

#    Vulnerability Type               Comment
1.   Cross-Site Request Forgery       With significant security impact
2.   Cross-Site Scripting             Self-XSS is out of scope
3.   Open Redirects                   With significant security impact
4.   Cross Origin Resource Sharing    With significant security impact
5.   SQL Injection
6.   Server Side Request Forgery
7.   Privilege Escalation
8.   Local File Inclusion
9.   Remote File Inclusion
10.  Leakage of Sensitive Data
11.  Authentication Bypass
12.  Directory Traversal
13.  Payment Manipulation
14.  Remote Code Execution
15.  Replay Attack
16.  Vulnerable Library
17.  Session Hijacking
18.  Overflow Attacks

** Any valid vulnerability with significant security impact

Rules

  • Don't violate the privacy of other users, destroy data, disrupt our services, etc.
  • Don't request updates on an hourly basis. We are handling dozens of reports daily, and spam impacts Innovaccer's Bug Reporting Program efficiency.
  • Only target your own session/accounts in the process of investigating any bugs/findings. Don't target, attempt to access, or otherwise disrupt the session/accounts of other users without the express permission of our team.
  • Don't target our physical security measures or attempt to use social engineering, spam, distributed denial of service (DDoS) attacks, etc.
  • In case you find a severe vulnerability that allows system access, you must not proceed further.
  • It is Innovaccer’s decision to determine when and how bugs should be addressed and fixed.
  • Disclosing bugs to a party other than Innovaccer is forbidden. All bug reports remain at the reporter’s and Innovaccer’s discretion.
  • Threats of any kind will automatically disqualify you from participating in the program.
  • Exploiting or misusing the vulnerability for your own or others' benefit will automatically disqualify the report.
  • Bug disclosure communications with Innovaccer’s Security Team should remain confidential. Researchers must destroy all artifacts created to document vulnerabilities (POC code, videos, screenshots) after the bug report is closed.