Vulnerability Disclosure Policy

Maintaining the security, privacy, and integrity of our products is a high priority at Maven Clinic. Maven Clinic therefore appreciates the work researchers do to improve our security and/or privacy posture. We are committed to creating a safe, transparent environment to report vulnerabilities.

If you believe you have found a security or privacy vulnerability that could impact Maven Clinic or our users, we encourage you to report this right away. We will investigate all legitimate reports and fix the problem as soon as we can. This policy outlines considerations and commitments for the disclosure of potential security vulnerabilities to Maven Clinic in a responsible manner.

Purpose

The main goal of our vulnerability disclosure policy is to help ensure that vulnerabilities are patched or fixed in a timely manner with the ultimate objective of securing our customers’ and users’ information. This policy is intended to give clear guidelines for reporting potentially unknown or harmful security vulnerabilities.

Security Researchers

Maven Clinic recognizes the positive contributions of security researchers and encourages the responsible and direct disclosure of potential security vulnerabilities to us. We accept vulnerability reports from all sources.

Our Commitments to Researchers

  • We will maintain standard confidentiality in our communications with you.
  • We will work with you to validate and respond to your disclosure.
  • We will investigate and use all reasonable efforts to remediate validated issues in a manner consistent with protecting the safety and security of those potentially affected by a reported vulnerability.
  • Maven Clinic reserves all of its legal rights in the event of non-compliance with this Policy, but it does not intend to pursue legal action against any party that conducts security research and discloses information to us in good faith and as outlined in this Policy.

What We Ask of Researchers

  • We request that you communicate information about potential security vulnerabilities in a responsible manner. This means complying with all applicable laws and respecting the privacy of individuals. Your security research should also avoid degradation of our users’ experiences, disruption to systems, and destruction of data.
  • We request that researchers provide sufficient technical detail and background necessary for our team to identify and validate reported issues.
  • We request that researchers act for the common good, protecting user privacy and security by refraining from publicly disclosing vulnerabilities. 

Scope

This policy applies to the following systems and services:

  • mavenclinic.com, and the following hostnames:

    • www.mavenclinic.com
    • Any other subdomain of mavenclinic.com and all customer applications are excluded from this policy.
  • mavenpractitioners.com, and the following hostnames:

    • www.mavenpractitioners.com
    • Any other subdomain of mavenclinic.com and all customer applications are excluded from this policy.
  • Mobile applications for iOS and Android

Any services not expressly listed above, such as any connected services, are excluded from scope and are not authorized for testing. Additionally, vulnerabilities found in systems from our vendors fall outside of this policy’s scope and should be reported directly to the vendor according to their disclosure policy (if any). If you aren’t sure whether a system is in scope or not, please contact security@mavenclinic.com before starting your research.

The following activities are explicitly out of scope of this policy.

  • Compromising the integrity, availability, or confidentiality of non-public information in the possession of Maven Clinic.
  • Failing to immediately delete/destroy sensitive information or personal data you may inadvertently access. 
  • Publicly disclosing any potential vulnerability without the express written consent of Maven Clinic. 
  • Intentionally or negligently causing a denial-of-service condition for any user beyond the researcher.
  • Exploitation of any vulnerability which sends bulk unsolicited or unauthorized messages (spam).
  • Posting, transmitting, uploading, or linking malware, viruses, or similar harmful software that could impact our services, products or customers or any other third party.
  • Testing third-party websites, applications, or services that integrate with our services or products.
  • Conducting social engineering (including phishing) of Maven Clinic employees, contractors, customers, or any other party.

We require researchers to contact us before engaging in research that may be inconsistent with or not addressed by this policy.  If in doubt, ask us before engaging in any specific action you think may go outside the bounds of this policy.

Reporting Potential Security Vulnerabilities

If you believe you have discovered a potential security vulnerability in any digital asset owned, operated, or maintained by Maven Clinic or a circumstance that could reasonably impact the security of our Company or our users, we encourage you to disclose this to us.  You may report potential security vulnerabilities to us by sending an email to security@mavenclinic.com using our optional PGP key below. Please provide all known information related to the suspected security vulnerability you are reporting.

Upon submission, we will acknowledge receipt of each vulnerability report, conduct a thorough investigation, and then take appropriate action for resolution, if any.

While no type of vulnerability is explicitly out of the scope of this policy, researchers are asked to consider the attack scenario and exploitability associated with any potential security vulnerability submitted.

Public GPG Key

If you'd like to encrypt your communications with Maven Clinic, please use our PGP key below. All security-related emails from Maven Clinic will be signed with this key.

Key ID: F1F3AC55
Key Type: RSA
Key Size: 4096
Fingerprint: 56D3 807F 2E7F ADBD 1303 9EB1 5E27 4E75 F1F3 AC55
User ID: security@mavenclinic.com


Document Change History

Version | Date | Description
1.0 | December 01, 2021 | First Issuance