Security policy

Reporting security concerns to HealthUnlocked

If you have found a vulnerability within the HealthUnlocked platform please contact us at security@healthunlocked.com.
When disclosing a vulnerability we ask that you:
  • Let us know as soon as possible.
  • Test against accounts you have created rather than those of real users.
  • Provide information that allows us to fix the vulnerability before disclosing it to others. HTTP request/response captures or packet captures are very helpful.
  • Work together with us to fix it where possible.
HealthUnlocked do not operate a bug bounty scheme with cash rewards, but we are happy to recognise the time and efforts of security researchers in our Security Hall of Fame, below. Vulnerability reports will always be acknowledged; however, we are a small team, so we would appreciate your patience following your report submission.
Please be aware that we are not looking for any of the following:
  • Cross-site scripting (XSS) vulnerabilities unless you can show it causing a pop-up alert in the browser, and that it is exploitable by someone other than the user. Ideally, show the user's authentication cookie.
  • Reports on ineligible categories, such as DMARC/SPF/DKIM/MTA-STS, user/email enumeration, missing security headers (without a demonstrated attack path) and so on.
  • Cross-site request forgery (CSRF) vulnerabilities that do not demonstrate the third party causing the logged-in victim to perform an action.
  • Vulnerabilities in third-party services, e.g. wordpress.com
  • Generic vulnerability scanner reports.
  • Reports about long-lived huSessIDs, or cookies that persist for a long time, or appear to persist after logout (they do not; a new generic anonymous huSessID is immediately issued). This behaviour is intentional.

A working proof of concept with a demonstrated security impact is required. Don't just describe it, show us the impact. We require a working proof of concept that demonstrates a real exploit with a concrete security impact. If your report says something along the lines of "this could lead to...", but does not show what it does, then the submission is incomplete.

You also need to validate your submission. Manually reviewing a finding before you submit it catches false positives and avoids wasting everyone's time.

Security researcher hall of fame

Individuals who have responsibly disclosed vulnerabilities and worked with us to resolve them may be listed below, including any professional websites.

DISCLAIMER: HealthUnlocked is not responsible for the content of external sites.


  • Aditya Singh (https://www.linkedin.com/in/aditya-singh-b78111169/)
  • Ajay Subhash Sawant (https://www.linkedin.com/in/ajay-sawant-9a9a35147)
  • Aniruddh Mistry (https://www.linkedin.com/in/aniruddh-mistry-b8540069)
  • Anurag Muley (https://www.linkedin.com/in/ianuragmuley/)
  • Arshad U (https://www.linkedin.com/in/arshad-u-7a7045207/)
  • Chacko K Abraham (https://www.linkedin.com/in/chacko-k-abraham-a1118b5a/)
  • Darshit Badani (https://www.linkedin.com/in/darshit-badani/)
  • Husnain Iqbal (https://hackerone.com/husnain02)
  • Ismail Tasdelen (https://www.linkedin.com/in/ismailtasdelen/)
  • Jayesh Patel: BreachLock (https://www.breachlock.com)
  • Kitab Ahmed
  • Krish Gupta
  • Li Chaohan Bon (https://www.linkedin.com/in/lichaohan-bon/)
  • Lokesh Goyal (http://linkedin.com/in/lokesh-goyal-79a147157)
  • Mahendra Purbia (https://instagram.com/mayankpurbiamahi_official)
  • Maksym Bendeberia (https://www.linkedin.com/in/max-websafety-ninja/)
  • Mirza Muhammad Fauzan (https://www.facebook.com/profile.php?id=100004054759339)
  • Mohammed Israil (@mdisrail2468)
  • Mohd Asif Khan (https://www.linkedin.com/in/mohd-asif-khan-✪-5228a9179)
  • Pethuraj M (https://www.pethuraj.in/)
  • Pranit Krishna Mandhare (https://instagram.com/pranit___007?igshid=1nwsow1txcoaa)
  • Pratik Dabhi (@impratikdabhi)
  • Pratik Dabhi (https://www.linkedin.com/in/pratikmdabhi)
  • Praveen Kumar R (https://www.facebook.com/pkravichandran)
  • Rafid Hasan Khan (https://www.linkedin.com/in/rafid-hasan-khan-713946149)
  • Raju Kumar (@Mrcyberwarrior) (https://www.linkedin.com/in/raju-kumar-738756130/)
  • Samir Gondaliya (@SamirGondaliya6)
  • Saranya N (https://www.linkedin.com/in/saranya-n-106217197/)
  • Sergius Low Jun Kai (https://www.linkedin.com/in/low-jun-kai-sergius/)
  • Shiv Sahni (https://in.linkedin.com/in/shivsahni)
  • Sohail Shaikh (ROOTxDEAD) (https://www.linkedin.com/in/rootxdead)
  • Swapnil Vijay Maurya (https://www.linkedin.com/in/swapnil-m-545b2010a)
  • Tushar Bhosale (https://www.linkedin.com/in/tushar-bhosale-1b834422b/)
  • Udhaya Praveen S (https://www.linkedin.com/in/udhaya-praveen-s-5a3a03172)
  • Vanshit Malhotra - Hackdoor India (@vanshitmalhotra)
  • Vijay Balaji M (https://www.linkedin.com/in/vijay-balaji-20307a113)
  • Vismit Sudhir Rakhecha (Druk) (https://linkedin.com/in/vismit-sudhir-rakhecha-76209523)
  • Wen Bin KONG (@kongwenbin, https://linkedin.com/in/kongwenbin)

Thank you for taking the time and effort to responsibly disclose this information to HealthUnlocked.