Vulnerability Disclosure Policy
Effective Date: 03-11-2025
Introduction
At Devi Prime Care, security and privacy are among our highest priorities. We are committed to protecting our systems, services, and users’ information by maintaining robust cybersecurity practices. This Vulnerability Disclosure Policy (VDP) defines how security researchers, ethical hackers, and members of the public can responsibly report potential security vulnerabilities or weaknesses found on www.deviprimecare.com, its related subdomains, mobile applications, or connected systems. Our goal is to work together with the security community to identify and mitigate vulnerabilities in a responsible, coordinated, and lawful manner.
Purpose
The purpose of this policy is to:
- Encourage responsible reporting of potential security issues.
- Protect both users and researchers by defining safe, transparent communication channels.
- Allow Devi Prime Care to investigate, verify, and remediate reported vulnerabilities efficiently.
- Align with national and international standards for Coordinated Vulnerability Disclosure (CVD).
Scope
This policy applies to:
- The main website www.deviprimecare.com and all publicly accessible subdomains.
- APIs, endpoints, and web applications owned and operated by Devi Prime Care.
- Mobile applications or other digital platforms officially maintained by Devi Prime Care.
- Network or infrastructure components that directly support these services.
Out of Scope
The following are out of scope and should not be tested or reported under this policy:
- Third-party services or platforms not owned by Devi Prime Care (such as payment gateways, hosting providers, or embedded social media tools).
- Denial of Service (DoS/DDoS) attacks or stress testing.
- Physical security vulnerabilities.
- Spam or social engineering attempts.
- Automated scans or brute-force attacks that disrupt services.
- Non-security related bugs (e.g., typos, design suggestions).
If you’re uncertain whether something is in scope, please email our security team before starting any testing.
Responsible Disclosure Principles
We ask all researchers and users to follow these responsible disclosure principles:
- Act in Good Faith — Report vulnerabilities responsibly without exploiting them or causing harm.
- No Unauthorized Access — Do not access, modify, or delete data that isn’t your own.
- No Service Disruption — Avoid testing that may degrade or interrupt Devi Prime Care services.
- Report Promptly — Report the vulnerability as soon as you discover it, following our reporting process.
- Confidentiality — Do not publicly disclose details until the issue has been resolved and coordinated with us.
- Respect Privacy — Never attempt to view, download, or share personal, health, or confidential data.
We appreciate reports submitted in good faith and do not pursue legal action against individuals who comply with these guidelines.
Reporting a Vulnerability
If you believe you have discovered a potential vulnerability, please report it securely using the following channels:
📧 Email Submission
Send your report to: contact@deviprimecare.com
Subject Line: Vulnerability Report – [Brief Description]
What to Include in Your Report
To help us assess and reproduce the issue efficiently, please include:
- Summary of the vulnerability — a brief description of what you found.
- Affected URL, endpoint, or component — e.g., “https://deviprimecare.com/contact.php”.
- Steps to reproduce — detailed step-by-step explanation, including any sample payloads or proof-of-concept.
- Impact assessment — describe what an attacker could do if the vulnerability were exploited.
- Tools or methods used (for transparency).
- Your contact information (for coordination and acknowledgment).
We recommend encrypting sensitive details using our PGP public key if available.
Coordinated Vulnerability Disclosure Process
Here’s how the disclosure and resolution process works:
- Acknowledgement
  - You’ll receive an acknowledgment email within 72 hours of submitting your report.
  - We may request additional details if necessary.
- Assessment & Validation
  - Our security team will review and validate your submission.
  - If the issue is verified, it will be prioritized based on severity and potential impact.
- Remediation
  - We will work internally (and with vendors if needed) to fix the vulnerability.
  - Fix timelines vary depending on complexity and severity but will follow CERT-In/CVD best practices.
- Notification & Credit
  - Once the issue is resolved, we will notify you and, if you wish, acknowledge your contribution on our Security Hall of Fame page.
  - Public disclosure should only happen after mutual agreement.
- Continuous Monitoring
  - We document and track all reports for analysis and future improvement.
Recognition and Hall of Fame
We greatly appreciate the efforts of ethical security researchers who help us improve.
If you report a valid, previously unknown vulnerability, we may — at our discretion — acknowledge your contribution publicly on our Security Researchers Hall of Fame page, including:
- Your name or handle (if consented).
- Date of discovery and short description of the issue.
- Optional link to your professional page or profile.
While we currently do not offer monetary bounties, we plan to consider bug bounty programs in the future.
Safe Harbor (Legal Protection for Researchers)
Devi Prime Care pledges not to initiate legal action against security researchers who:
- Follow this Vulnerability Disclosure Policy in good faith;
- Avoid accessing personal data or disrupting services; and
- Provide a detailed, confidential report to our security team.
This Safe Harbor clause means we will not pursue legal consequences under:
- Information Technology Act 2000 (India), including Sections 43 & 66 (cyber offenses),
- Computer Misuse laws, or
- Similar applicable cybersecurity legislation,
as long as actions are strictly for responsible testing and disclosure in line with this policy.
We may, however, take legal action against malicious or unethical actors who exploit or attempt to misuse vulnerabilities.
Severity Classification & Response Targets
Our triage process follows industry-standard CVSS (Common Vulnerability Scoring System) metrics.
| Severity | Typical Examples | Target Response Time | Target Fix Window |
|---|---|---|---|
| Critical | Remote code execution, privilege escalation, authentication bypass | 24 hrs | 7 days |
| High | SQL injection, data leakage, XSS on sensitive endpoints | 48 hrs | 15 days |
| Medium | Open redirects, minor misconfigurations, limited XSS | 72 hrs | 30 days |
| Low | Information disclosure, missing headers, weak password policy | 5 days | 45 days |
We may adjust timeframes depending on business and operational risk factors.
What Not to Do
Please do not:
- Access personal, confidential, or patient data.
- Execute attacks that could harm data integrity or availability.
- Conduct phishing or social engineering attacks on employees or partners.
- Use automated scanning tools excessively.
- Publicly share proof-of-concept exploits before patch confirmation.
Violating these conditions voids Safe Harbor protections.
Our Security Measures
Devi Prime Care employs multiple layers of protection to secure user data and systems, including:
- Regular security audits and vulnerability scans.
- Network firewalls, WAFs, and intrusion detection systems.
- Data encryption in transit (TLS 1.3) and at rest (AES-256).
- Strict access control and monitoring policies.
- Incident Response Plan aligned with CERT-In Guidelines (2024) and ISO 27001:2022 standards.
- Continuous monitoring of threat intelligence sources and emerging exploits.
Despite these measures, no system is fully immune to vulnerabilities. That’s why collaboration with the security community is essential.
Confidentiality and Privacy
All vulnerability reports will be handled confidentially.
We will not share identifying details of researchers without explicit consent.
We comply with our Privacy Statement in handling any personal data shared during the disclosure process.
Policy Updates
We review this Vulnerability Disclosure Policy annually or when significant changes occur in our infrastructure or legal framework.
Updated versions will be published on this page with a new “Last Updated” date.
Major updates will be communicated via our security channels or public announcement.
Contact Information
For all security-related inquiries, please reach out securely at:
Devi Prime Care – Security Team
📧 Email: security@deviprimecare.com
🌐 Website: https://www.deviprimecare.com
📬 Address: Residency Road, Chamkkada, Kollam, Kerala, India. PIN: 691001
For emergencies or active exploitation reports, please mark your subject line as: “URGENT – Security Vulnerability – [Brief Description]”
Acknowledgment
We thank the global security community for their contributions to creating a safer internet and healthcare ecosystem. Your efforts help protect patient privacy, digital trust, and the integrity of modern online care systems.
Devi Prime Care values collaboration, transparency, and ethical hacking as essential components of a secure digital future.
⚙️ Quick Summary Table
| Topic | Details |
|---|---|
| Purpose | Responsible disclosure of vulnerabilities on deviprimecare.com |
| Contact Email | security@deviprimecare.com |
| Response Acknowledgment | Within 72 hours |
| Scope | Website, APIs, subdomains, mobile apps |
| Safe Harbor | No legal action if researcher follows policy in good faith |
| Recognition | Optional acknowledgment in Hall of Fame |
| Severity Levels | Critical, High, Medium, Low (CVSS-based) |
| Out of Scope | Third-party systems, DoS, phishing, physical testing |
| Last Updated | [Insert Date] |
Closing Statement
Security is a shared responsibility. By reporting potential vulnerabilities responsibly, you play a vital role in keeping Devi Prime Care and its users safe. We deeply appreciate your cooperation, integrity, and professionalism in adhering to this Vulnerability Disclosure Policy.
End of Vulnerability Disclosure Policy