Maintaining the security, privacy, and integrity of our products is a high priority at Maven Clinic. Therefore, Maven Clinic appreciates the work of researchers in order to improve our security and/or privacy posture. We are committed to creating a safe, transparent environment to report vulnerabilities.
‍
If you believe you have found a security or privacy vulnerability that could impact Maven Clinic or our users, we encourage you to report this right away. We will investigate all legitimate reports and fix the problem as soon as we can. This policy outlines considerations and commitments for the disclosure of potential security vulnerabilities to Maven Clinic in a responsible manner.

Purpose

The main goal of our vulnerability disclosure policy is to help ensure that vulnerabilities are patched or fixed in a timely manner with the ultimate objective of securing our customers’ and users’ information. This policy is intended to give clear guidelines for reporting potentially unknown or harmful security vulnerabilities.

Security Researchers

Maven Clinic recognizes the positive contributions of security researchers and encourages the responsible and direct disclosure of potential security vulnerabilities to us. We accept vulnerability reports from all sources.

Our Commitments to Researchers

• We will maintain standard confidentiality in our communications with you.
• We will work with you to validate and respond to your disclosure.
• We will investigate and use all reasonable efforts to remediate validated issues in a manner consistent with protecting the safety and security of those potentially affected by a reported vulnerability.
• Maven Clinic reserves all of its legal rights in the event of non-compliance with this Policy, but it does not intend to pursue legal action against any party that conducts security research and discloses information to us in good faith and as outlined in this Policy.

What We Ask of Researchers

• We request that you communicate information about potential security vulnerabilities in a responsible manner.  This means complying with all applicable laws and respecting the privacy of individuals. Your security research should also avoid degradation of our user’s experiences, disruption to systems, and destruction of data.
• We request that researchers provide sufficient technical detail and background necessary for our team to identify and validate reported issues.
• We request that researchers act for the common good, protecting user privacy and security by refraining from publicly disclosing vulnerabilities. 

Scope

This policy applies to the following systems and services:

• mavenclinic.com, and the following hostnames:

  • www.mavenclinic.com
  • Any other subdomain of mavenclinic.com and all customer applications are excluded from this policy.

• mavenpractitioners.com, and the following hostnames:

  • www.mavenpractitioners.com
  • Any other subdomain of mavenclinic.com and all customer applications are excluded from this policy.
• Mobile applications for iOS and Android

Any services not expressly listed above, such as any connected services, are excluded from scope and are not authorized for testing. Additionally, vulnerabilities found in systems from our vendors fall outside of this policy’s scope and should be reported directly to the vendor according to their disclosure policy (if any). If you aren’t sure whether a system is in scope or not, please contact security@mavenclinic.com before starting your research.
‍
The following activities are explicitly out of scope of this policy.

• Compromising the integrity, availability, or confidentiality of non-public information in the possession of Maven Clinic.
• Failing to immediately delete/destroy sensitive information or personal data you may inadvertently access. 
• Publicly disclosing any potential vulnerability without the express written consent of Maven Clinic. 
• Intentionally or negligently causing a denial-of-service condition for any user beyond the researcher.
• Exploitation of any vulnerability which sends bulk unsolicited or unauthorized messages (spam).
• Posting, transmitting, uploading, or linking malware, viruses, or similar harmful software that could impact our services, products or customers or any other third party.
• Testing third-party websites, applications, or services that integrate with our services or products.
• Conducting social engineering (including phishing) of Maven Clinic employees, contractors, customers, or any other party.

We require researchers to contact us before engaging in research that may be inconsistent with or not addressed by this policy.  If in doubt, ask us before engaging in any specific action you think may go outside the bounds of this policy.

Reporting Potential Security Vulnerabilities

If you believe you have discovered a potential security vulnerability in any digital asset owned, operated, or maintained by Maven Clinic or a circumstance that could reasonably impact the security of our Company or our users, we encourage you to disclose this to us.  You may report potential security vulnerabilities to us by sending an email to security@mavenclinic.com using our optional PGP key below. Please provide all known information related to the suspected security vulnerability you are reporting.

Upon submission, we will acknowledge receipt of each vulnerability report, conduct a thorough investigation, and then take appropriate action for resolution, if any.
‍
While no type of vulnerability is explicitly out of the scope of this policy, researchers are asked to consider the attack scenario and exploitability associated with any potential security vulnerability submitted.

Public GPG Key

If you'd like to encrypt your communications with Maven Clinic, please use our PGP key below. All security-related emails from Maven Clinic will be signed with this key.

Document Change History