Vivy welcomes the responsible disclosure of vulnerability reports from anyone who finds a security issue on our listed domains.
Vivy is a health assistant which aims to help our users live a healthier lifestyle. As health data is considered extremely sensitive data, Vivy looks forward to working with the security community to find security vulnerabilities in order to keep the health data of our users safe. Every report should be send to bugbounty [at] vivy.com
Program Rules • Please provide detailed reports with reproducible steps. • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact. • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. Vivy appreciates all support to keep the user data safe. However, Vivy asks the security community to please do not: • Violate any laws; • Socially engineer our employees, customer support team, insurance partners or doctors; • Access, modify, or reveal the account or data of Vivy customers; • Damage or compromise the integrity of our system; • Open disclosure without the consent of Vivy.
Out of scope vulnerabilities When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) the security impact of the bug. The following issues are considered out of scope: • Clickjacking on pages with no sensitive actions; • Unauthenticated/logout/login CSRF; • Attacks requiring MITM or physical access to a user's device; • Previously known vulnerable libraries without a working Proof of Concept; • Comma Separated Values (CSV) injection without demonstrating a vulnerability; • Missing best practices in SSL/TLS configuration; •Any activity that could lead to the disruption of our service (DoS); • Content spoofing and text injection issues without showing an attack; vector/without being able to modify HTML/CSS; • Best practice recommendations without a working Proof of Concept; • Missing http security headers without a working Proof of Concept of their absence; • Recently disclosed zero day vulnerabilities; • Headers which disclose server version information;Issues related to email spoofing; • Absence of CSRF attack without a working Proof of Concept; • Social engineering of our employee, customer support, insurance partner, or doctor.
Vivy backend is deployed almost every day, while the iOS and Android version is released bi-weekly.
Any activities conducted in a manner consistent with this policy will be considered as an authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep Vivy and our users safe!