Introduction
We would like to express our sincere thanks for the submission of a potential security vulnerability in our systems. Your efforts in contributing to a more secure digital environment are highly valued by the team here at Doctena.
At Doctena we take the security of our systems seriously, and we value the security community. The responsible disclosure of security vulnerabilities helps us ensure the security and privacy of our users.
Guidelines
We require that researchers:
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
- Only use exploits to the extent necessary to confirm a vulnerability's presence. Do not use an exploit to compromise or exfiltrate data, establish persistent access, or use the exploit for any other purpose.
- Provide us with a reasonable amount of time to fix the issue before publishing it elsewhere.
- Follow the laws applicable in your location and the location of Doctena.
Scope
This policy applies to the following types of security vulnerabilities on any Doctena production surface:
- Authentication bypass
- Authorisation bypass
- Insecure direct object references (IDOR)
- Business logic flaws and injections (SQLi)
- Remote code execution (RCE)
- Local file access and manipulation (LFI, RFI, XXE, SSRF, XSPA)
- CORS misconfigurations with real security impact
- Personal data leakage
- Secret or credential data leakage
Reporting a vulnerability
Submit vulnerabilities through our intake form. The form routes to the on-call security engineer and acknowledgement is logged automatically.
Reports should include:
- A detailed description of the issue and its potential impact.
- Steps to reproduce, ideally with a short video.
- A proof of concept.
- Your assessment of the vulnerability's severity, including a CVSS score where possible.
Researchers can also discover this policy through our /.well-known/security.txt (RFC 9116).
Rewards
Rewards for eligible vulnerabilities are based on severity, which we determine from the information you provide and our own assessment. The reward applies only to the first reporter of a vulnerability; duplicate reports will not be rewarded.
In the interim, we kindly request that you maintain the confidentiality of the details of the reported vulnerability. This precautionary measure is vital to prevent potential misuse and provides us with the time required to implement the necessary fixes.
Exclusions
While we encourage any submission that describes a security vulnerability in our services, the following types of submissions are excluded from eligibility:
- Anything that has already been reported or identified; we will provide proof of the earlier report if you submit a duplicate.
- Any hypothetical flaw or best-practice recommendation without an exploitable proof of concept or demonstrated exploitability.
- Reports of missing "best practices" or other guidelines that do not indicate a real security vulnerability or exploitation path.
- Security issues in third-party applications, services or dependencies that integrate with Doctena products or infrastructure and that do not have a demonstrable proof of concept for actual exploitation (libraries, SaaS services, etc.).
- Denial-of-service attacks.
- Clickjacking.
Legal
Acknowledgements
We recognise the importance of the security community and appreciate your interest in helping us keep Doctena safe for everyone. We want to express our gratitude for your contribution. Your diligence in discovering and reporting any potential vulnerability underscores a level of professionalism and commitment to the security community that we deeply respect.
Version 1.1 · Effective 1 January 2025 · Owner: Chief Information Security Officer · Aligned with the canonical policy maintained in Doctena's ISMS.