Security policy

Reporting security concerns to HealthUnlocked

If you have found a vulnerability within the HealthUnlocked platform please contact us at security@healthunlocked.com.

When disclosing a vulnerability we ask that you:

Let us know as soon as possible.
Test against accounts you have created rather than those of real users.
Provide information that allows us to fix the vulnerability before disclosing it to others. HTTP request/response captures or packet captures are very helpful.
Work together with us to fix it where possible

HealthUnlocked do not operate a bug bounty scheme with cash rewards, but we are happy to recognise the time and efforts of security researchers in our Security Hall of Fame, below. Vulnerability reports will always be acknowledged, however, we are a small team so we would appreciate your patience following your report submission.

Please be aware that we are not looking for any of the following:

Cross-site scripting (XSS) vulnerabilities unless you can show it causing a pop-up alert in the browser, and that it is exploitable by someone other than the user. Ideally, show the user's authentication cookie.
Cross-site request forgery (CSRF) vulnerabilities that do not demonstrate the third party causing the logged in victim to perform an action.
Vulnerabilities in third-party services, e.g. wordpress.com
Generic vulnerability scanner reports.

Security researcher hall of fame

Individuals who have responsibly disclosed vulnerabilities and worked with us to resolve them will be listed below, including any professional websites.

Samir Gondaliya (@SamirGondaliya6)
Li Chaohan Bon (https://www.linkedin.com/in/lichaohan-bon/)
Sergius Low Jun Kai (https://www.linkedin.com/in/low-jun-kai-sergius/)
Wen Bin KONG (@kongwenbin, https://linkedin.com/in/kongwenbin)
Chacko K Abraham (https://www.linkedin.com/in/chacko-k-abraham-a1118b5a/)
Shiv Sahni (https://in.linkedin.com/in/shivsahni)
Mohammed Israil (@mdisrail2468)
Vismit Sudhir Rakhecha(Druk) (https://linkedin.com/in/vismit-sudhir-rakhecha-76209523)
Pethuraj M (https://www.pethuraj.in/)
Vanshit Malhotra - Hackdoor India (@vanshitmalhotra)
Husnain Iqbal (https://hackerone.com/husnain02)
Praveen Kumar R (https://www.facebook.com/pkravichandran)
Jayesh Patel: BreachLock (https://www.breachlock.com)
Ajay Subhash Sawant (https://www.linkedin.com/in/ajay-sawant-9a9a35147)
Mahendra Purbia (https://instagram.com/mayankpurbiamahi_official)
Mirza Muhammad Fauzan (https://www.facebook.com/profile.php?id=100004054759339)
Pratik Dabhi (https://www.linkedin.com/in/pratikmdabhi)
Raju Kumar (@Mrcyberwarrior) (https://www.linkedin.com/in/raju-kumar-738756130/)
Swapnil Vijay Maurya (https://www.linkedin.com/in/swapnil-m-545b2010a)
Udhaya Praveen S (https://www.linkedin.com/in/udhaya-praveen-s-5a3a03172)
Vijay Balaji M (https://www.linkedin.com/in/vijay-balaji-20307a113)
Rafid Hasan Khan (https://www.linkedin.com/in/rafid-hasan-khan-713946149)
Kitab Ahmed
Ismail Tasdelen (https://www.linkedin.com/in/ismailtasdelen/)
Anurag Muley (https://www.linkedin.com/in/ianuragmuley/)
Darshit Badani (https://www.linkedin.com/in/darshit-badani/)
Pratik Dabhi (@impratikdabhi)
Sohail Shaikh (ROOTxDEAD) (https://www.linkedin.com/in/rootxdead)
Aniruddh Mistry (https://www.linkedin.com/in/aniruddh-mistry-b8540069)
Mohd Asif Khan (https://www.linkedin.com/in/mohd-asif-khan-✪-5228a9179)
Maksym Bendeberia (https://www.linkedin.com/in/max-websafety-ninja/)
Pranit Krishna Mandhare (https://instagram.com/pranit___007?igshid=1nwsow1txcoaa)
Saranya N (https://www.linkedin.com/in/saranya-n-106217197/)
Lokesh Goyal (http://linkedin.com/in/lokesh-goyal-79a147157)
Arshad U (https://www.linkedin.com/in/arshad-u-7a7045207/)
Tushar Bhosale (https://www.linkedin.com/in/tushar-bhosale-1b834422b/)

Thank you for taking the time and effort to responsibly disclose this information to HealthUnlocked.