INTRODUCTION

FlashAid respects the prospective Customer’s and Partner’s privacy along with understanding the gravity of the HealthCare Data and is therefore committed to maintain the security and integrity of the data as provide by the Customers.

Address: 13th Floor, B wing, Embassy 247, Lal Bahadur Shastri Marg, Gandhi Nagar, Vikhroli West, Mumbai, Maharashtra 400079

Phone number: 08045888838
E-mail: info@flashaid-in

We strive to protect our systems and data in accordance with advanced security practices and standards. While every effort is made to ensure that websites, mobile applications, and internal systems are protected, we welcome reports of vulnerability that could help improve the security, integrity, and privacy of our systems. We take the risk disclosure seriously and are committed to creating a safe and transparent risk reporting environment.

This policy describes what systems and types of research are covered under this policy, how to send us vulnerability reports, and how long we ask security researchers to wait before publicly disclosing vulnerabilities.

We encourage you to contact us to report potential vulnerabilities in our systems.

AUTHORIZATION

If you make a conscientious effort to comply with this policy during your security research, we will assume that your research is authorized, we will work with you to understand and resolve the issue immediately, and FlashAid will not recommend or follow legal action related to your research.

GUIDELINES

Inform the Vulnerability as soon as possible after discovering the real security problem.

Make every effort to avoid privacy violations, reduce user experience, disrupt production processes, and corrupt or manipulate data.

Use exploitation only where necessary to ensure the existence of a risk. Do not use exploitation to compromise or filter data, establish continuous command line access, or use exploit circulation of other systems.

Give the Company, ample time to resolve the issue before exposing it to the public.

Do not intentionally compromise the privacy or safety of any user personnel or any third parties.

Do not intentionally compromise the intellectual property or other commercial or financial interests of any personnel or entities, or any third parties.

SCOPE RULES OF ENGAGEMENT

Security researchers must not:

• Test any system other than the systems set forth in the ‘Scope’ section above,
• Disclose vulnerability information anywhere except as set forth in the ‘Reporting a Vulnerability’ and ‘Disclosure’ as mentioned hereinafter,
• Engage in physical testing of facilities or resources as mentioned under the Scope,
• Engage in social engineering,
• Send unsolicited electronic mail to HHS users, including “phishing” messages,
• Execute or attempt to execute “Denial of Service” or “Resource Exhaustion” attacks,
• Introduce malicious software,
• Test in a manner which could degrade the operation of HHS systems; or intentionally impair, disrupt, or disable HHS systems,
• Test third-party applications, websites, or services that integrate with or link to or from HHS systems,
• Delete, alter, share, retain, or destroy FlashAid data, or render FlashAid data inaccessible, or,
• Use an exploit to exfiltrate data, establish command line access, establish a persistent presence on Company systems, or “pivot” to other Company owned systems.

Security researchers may:

• View or store FlashAid non-public data only to the extent necessary to document the presence of a potential vulnerability.
• Security researchers must:
• Cease testing and notify us immediately upon discovery of a vulnerability,
• Cease testing and notify us immediately upon discovery of an exposure of non-public data, and,
• Purge any stored FlashAid non-public data upon reporting a vulnerability.

REPORTING A VULNERABILITY

We accept vulnerability reports at under the ambit of our Vulnerability Disclosure Policy. Reports may be submitted anonymously at [email protected]

The information provided under this policy will be used for security purposes only – to reduce or remedy the risk. If the findings include a new defect that affects all users of the product or service and not just FlashAid, we may share your report with Cybersecurity Cell, where it will be managed under their risk disclosure process. We will not share your name or contact information without our express consent.

By submitting the said report, the Reporter, indicates that one has read, understood, and agreed to the guidelines set out in this policy for conducting security surveys and exposing risks or indicators of risk associated with FlashAid information systems, and acknowledging that content and follow-up communications are stored as according to the Rules set under the Governing Laws.

In order to help us triage and prioritize submissions, we recommend that your reports:

Adhere to all legal terms and conditions outlined at https://www.flashaid-in/privacy-policy and the FlashAid Vulnerability Disclosure Policy.

Describe the vulnerability, where it was discovered, and the potential impact of exploitation.

Offer a detailed description of the steps needed to reproduce the vulnerability (proof of concept scripts or screenshots are helpful).

DISCLOSURE

FlashAid is committed to fixing vulnerabilities over time. However, we recognize that public disclosure of risk in the absence of a readily available corrective action may increase compared to a decrease in risk. Accordingly, we require you to discontinue sharing information about exposure within 90 calendar days after you receive our receipt of your report. If you believe that others should be notified of the risks prior to the commencement of remedial action, we require you to plan in advance with us.

We may share vulnerability reports with the Cybersecurity Cell as well as any affected vendors. We will not share names or contact data of security researchers unless given explicit permission.

ACKNOWLEDGMENTS

For FlashAid Vulnerability Disclosure Policy Program Acknowledgments please visit https://www.flashaid.in/privacy-policy

QUESTIONS

Questions regarding this policy may be sent to [email protected] We also invite you to contact us with suggestions for improving this policy.