Security Vulnerability Disclosure Policy

Last modified: 4 July 2023

Introduction

At Ada Health (Ada), we work hard to protect user data within our systems, applications, platforms, and services. We greatly appreciate security researchers, ethical hackers, and any other well-intentioned person who reports a security vulnerability to us. This policy defines the rules of engagement with Ada’s systems and how to communicate with Ada’s Information Security team. Please read this document in its entirety before you begin reporting or searching for vulnerabilities in Ada’s systems, and always act in compliance with it.

Scope of Activities

This policy applies only to Ada’s own services and domains. Subdomains are in scope if their parent domain is in scope. Please report only issues that affect the assets listed below and fall into one of the listed issue classes.

In-scope assets:

  • Any website or service served from the *.ada.com and *.adahealth.net domains
  • Mobile (iOS and Android) applications

In-scope issue classes:

  • Remote Code Execution (RCE): able to execute arbitrary commands on a remote host
  • SQL Injection: able to read personal data (relating to an identified or identifiable natural person), health data, or other sensitive data
  • Server-Side Request Forgery (SSRF): able to pivot to an internal application or access credentials
  • Information Disclosure: leakage of personal data (relating to an identified or identifiable natural person), health data, or any other sensitive data
  • Stored Cross-Site Scripting (XSS): stored XSS with access to cookies not flagged HttpOnly
  • Subdomain Takeover
  • Cross-Site Request Forgery (CSRF): leading to account takeover
  • Insecure Direct Object Reference (IDOR): read or write access to sensitive data or fields you are not authorized to access
  • Directory listings

The following issue types are out of scope. You may still report them, but Ada does not guarantee a response to reports of these types, and we generally ask for a working exploit or proof of concept before considering them:

  • Security issues in third-party applications that Ada does not manage
  • Reports of non-exploitable vulnerabilities
  • Volumetric vulnerabilities (and keep automated tools to no more than ten requests per second)
  • TLS configuration weaknesses (e.g., TLS 1.0 support, SWEET32, Lucky 13, "weak" cipher suite support)
  • Missing security headers (e.g., Content-Security-Policy, X-Frame-Options, Feature-Policy, HTTP Strict Transport Security, HTTP Public Key Pinning, X-XSS-Protection, Referrer-Policy)
  • Email-related security configurations (e.g., SPF, DKIM, DMARC)
  • DNSSEC and DNS CAA configuration
  • API tokens or OAuth secrets recoverable from application binaries
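
The ten-requests-per-second limit above is the one hard number a researcher's tooling has to honour. The following is an added example, not Ada's code: a small token-bucket limiter that paces an automated scan to a configurable rate, plus a check that no one-second window ever exceeds it. The target URLs (under example.com) and the virtual clock are constructed so the schedule can be verified offline; in real use the default clock and sleep are the standard library's time.monotonic and time.sleep.

```python
"""Added example (not Ada's code): a token-bucket limiter that keeps automated
testing under a ten-requests-per-second cap. The target URLs and the virtual
clock are constructed so the schedule can be checked offline."""
import threading
import time
from typing import Callable, List


class RateLimiter:
    """Token bucket: sustained throughput of `rate` requests per second, with at
    most `burst` back-to-back requests. `clock` and `sleep` are injectable so the
    limiter can be exercised without real waiting."""

    def __init__(self, rate: float = 10.0, burst: int = 1,
                 clock: Callable[[], float] = time.monotonic,
                 sleep: Callable[[float], None] = time.sleep) -> None:
        if rate <= 0 or burst < 1:
            raise ValueError("rate must be > 0 and burst >= 1")
        self.rate = float(rate)
        self.burst = float(burst)
        self._clock = clock
        self._sleep = sleep
        self._tokens = self.burst        # start full: the first `burst` calls are free
        self._last = clock()
        self._lock = threading.Lock()    # safe to share across scanner threads

    def acquire(self) -> float:
        """Block until a token is available; return the seconds spent waiting."""
        waited = 0.0
        with self._lock:
            while True:
                now = self._clock()
                self._tokens = min(self.burst, self._tokens + (now - self._last) * self.rate)
                self._last = now
                # The epsilon absorbs float rounding so that sleeping exactly
                # `deficit` seconds always yields a full token.
                if self._tokens >= 1.0 - 1e-12:
                    self._tokens -= 1.0
                    return waited
                deficit = (1.0 - self._tokens) / self.rate   # time until the next token
                self._sleep(deficit)
                waited += deficit


class FakeClock:
    """Virtual time (constructed for the demo) so the schedule is deterministic."""

    def __init__(self) -> None:
        self.t = 0.0

    def now(self) -> float:
        return self.t

    def sleep(self, seconds: float) -> None:
        self.t += seconds


def paced_requests(targets: List[str], limiter: RateLimiter,
                   send: Callable[[str], None],
                   clock: Callable[[], float]) -> List[float]:
    """Send each request through the limiter; return the time each one went out."""
    sent_at = []
    for target in targets:
        limiter.acquire()
        sent_at.append(clock())
        send(target)
    return sent_at


def max_requests_per_window(sent_at: List[float], window: float = 1.0) -> int:
    """Largest number of requests falling in any half-open `window`-second span.
    A small tolerance absorbs float rounding from the accumulated sleeps."""
    tol = 1e-9
    best = 0
    for i, start in enumerate(sent_at):
        count = sum(1 for t in sent_at[i:] if t - start < window - tol)
        best = max(best, count)
    return best


def demo(n: int = 25, rate: float = 10.0) -> List[float]:
    """Run n constructed requests against the virtual clock; return the schedule."""
    clock = FakeClock()
    limiter = RateLimiter(rate=rate, burst=1, clock=clock.now, sleep=clock.sleep)
    targets = [f"https://example.com/api/item/{i}" for i in range(n)]  # constructed
    return paced_requests(targets, limiter, send=lambda _url: None, clock=clock.now)


if __name__ == "__main__":
    schedule = demo()
    print(f"{len(schedule)} requests over {schedule[-1]:.2f}s, "
          f"peak {max_requests_per_window(schedule)} req/s")
```

With the defaults, 25 requests are spread over 2.4 seconds and no one-second window holds more than ten. For a real scan, construct RateLimiter() with the default clock, call acquire() immediately before each HTTP request (for example before requests.get), and share the one limiter object across all worker threads so the cap applies to the process as a whole rather than per thread.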

Responsibilities

We ask that security researchers provide a non-destructive, non-damaging proof of exploitation. We also ask that security researchers do not publicly release the details of such issues until Ada has had sufficient time to review and mitigate the reported issues.

You must not break any applicable laws or regulations, including without limitation data protection laws and regulations such as the GDPR. Moreover, you must securely delete all data retrieved during your research as soon as it is no longer required.

Consequently, the following activities are NOT ALLOWED:

  • Violating data privacy rights protected under the GDPR
  • Publicly disclosing vulnerabilities
  • Copying, changing, or deleting data or systems
  • Causing damage, abuse, or spam
  • Placing malware or backdoors
  • Executing DoS or resource-exhaustion attacks, or otherwise interrupting or impeding services
  • Using spam, phishing, vishing, smishing, or other social engineering techniques
  • Brute-forcing user credentials
  • Exposing, deleting, or modifying personal data as defined in the GDPR

Communication and Reporting

Ada’s Information Security team is committed to addressing all security issues in a responsible and timely manner. Please write your report in English and follow these steps so that we can respond to it correctly:

  1. Submit a detailed description of the issue together with the steps needed to reproduce it (screenshots or screen recordings are appreciated). Send all reports to [email protected] and do not copy other email addresses. You may encrypt your report with our PGP key, which is referenced in our security.txt file: https://ada.com/.well-known/security.txt
  2. You will receive an acknowledgement email from us, usually within 2 business days of your report being sent. If you have not received an acknowledgement within 7 business days, please send a follow-up email.
  3. Vulnerability reports may take some time to triage and remediate. Please allow us a reasonable amount of time to resolve the issue before any public disclosure: at least 20 business days from the date you report the issue to us.
  4. We aim to inform you of progress milestones as soon as possible, and we may ask for your feedback or for confirmation that our fix covers the vulnerability you reported.

Rewards, Bug Bounty, or Compensation

Ada Health does not guarantee any compensation for reporting security vulnerabilities through its vulnerability disclosure program. Any request for a reward, whether implicit or explicit (including via vulnerability marketplaces), will be considered a violation of this policy. Ada may, however, at its sole discretion offer a gift or reward as thanks for your assistance in improving the security of Ada’s products and services.

Separately, Ada runs a paid bug bounty program for its application through the Intigriti platform, with rewards ranging from €50 to €5,000 depending on the scope and severity of the finding.

We always value the contribution of security researchers who actively participate in identifying and reporting potential weaknesses.

Legalities

This policy does not permit security researchers to act in any manner inconsistent with the legal or regulatory requirements of the countries in which Ada operates or of the country in which the researcher is located.