At WPS Health Solutions, we work hard to protect all data within our systems, applications, platforms, and services. We appreciate all well-intentioned persons who seek to help us in our mission to continually improve our security practices by conducting security research on our public-facing websites and applications and reporting all findings to WPS Information Security. All security research activities are subject to the WPS Vulnerability Disclosure Policy. This policy includes instructions for submitting vulnerabilities to WPS. You must abide by this policy at all times when conducting security research and reporting potential vulnerabilities in WPS public-facing websites and applications.
WPS is committed to ensuring the security of our customers and partners by protecting their information. This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities and reporting the same to WPS.
This policy describes what systems and types of research are covered under this policy, how to send us vulnerability reports, and restrictions on public disclosure of vulnerabilities.
We encourage security researchers to report vulnerabilities they’ve discovered as set out in this policy.
If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized, we will work with you to understand and resolve the issue quickly, and WPS will not recommend or pursue legal action related to your research. Should legal action be initiated by a third party against you for activities that were conducted in accordance with this policy, we will make this authorization known to such third party.
Under this policy, “research” means activities in which you:
Once you’ve established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify WPS immediately, and not disclose this data to anyone else.
All systems and services associated with WPS domains are in scope. Subdomains are considered within scope, if their parent domains are within scope. Additionally, any website published with a link to this policy shall be considered in scope. Vulnerabilities found in non-WPS systems from our vendors fall outside of this policy’s scope and should be reported directly to the vendor according to their disclosure policy (if any). If you aren’t sure whether a system or endpoint is in scope or not, contact email@example.com before starting your research.
Security researchers must not:
Security researchers may:
Security researchers must:
We accept vulnerability reports at firstname.lastname@example.org. Reports may be submitted anonymously and will hold your information confidence if requested. Please include any information obtained regarding the vulnerability including:
Information submitted under this policy will be used for defensive purposes only—to mitigate or remediate vulnerabilities. We will not share your name or contact information without express permission.
By conducting security research on WPS systems, you are indicating that you have read, understand, and agree to the guidelines described in this policy for the conduct of security research and disclosure of vulnerabilities or indicators of vulnerabilities related to WPS information systems. Further, by submitting a vulnerability disclosure to WPS, you consent to having the contents of the communication and follow-up communications stored on WPS systems.
In order to help us triage and prioritize submissions, we recommend that your reports:
WPS is committed to timely correction of vulnerabilities. However, we recognize that public disclosure of a vulnerability in absence of a readily available corrective action likely increases versus decreases risk. Accordingly, we require that you refrain from sharing information about discovered vulnerabilities for 90 calendar days after you have received our acknowledgement of receipt of your report. If you believe others should be informed of the vulnerability prior to our implementation of corrective actions, we require that you coordinate in advance with WPS via email at email@example.com.
We may share vulnerability reports with any affected vendors or third parties. We will not share names or contact data of security researchers unless given explicit permission.
Questions regarding this policy may be sent to firstname.lastname@example.org. We also invite you to contact us with suggestions for improving this policy.