Vulnerability Disclosure Policy

Policy Owner: AgileMD Security Team
Effective Date: June 1, 2021

Introduction

AgileMD is committed to ensuring the security of our users and customers by protecting their information. This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities and to convey our preferences in how to submit discovered vulnerabilities to us.

It describes which systems and types of research are covered, how to send us vulnerability reports, and how long we ask security researchers to wait before publicly disclosing vulnerabilities.

We encourage you to contact us to report potential vulnerabilities in our systems.

Authorization

If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized, we will work with you to understand and resolve the issue quickly, and AgileMD will not recommend or pursue legal action related to your research. Should legal action be initiated by a third party against you for activities that were conducted in accordance with this policy, we will make this authorization known.

Guidelines

Under this policy, “research” means activities in which you:

  • Notify us as soon as possible after you discover a real or potential security issue.
  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
  • Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command-line access, or pivot to other systems.
  • Provide us a reasonable amount of time to resolve the issue before you disclose it publicly.
  • Do not submit a high volume of low-quality reports.

Once you’ve established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and must not disclose this data to anyone else.

Test methods

The following test methods are not authorized:

  • Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data
  • Physical testing (e.g. office access, open doors, tailgating), social engineering (e.g. phishing, vishing), or any other non-technical vulnerability testing

Scope

This policy applies to the following systems and services:

Any service not expressly listed above, including any connected services, is excluded from scope and is not authorized for testing. Additionally, vulnerabilities found in systems from our vendors fall outside of this policy’s scope and should be reported directly to the vendor according to their disclosure policy (if any). If you aren’t sure whether a system is in scope or not, contact us at security@agilemd.com before starting your research.

Though we develop and maintain other internet-accessible systems or services, we ask that active research and testing only be conducted on the systems and services covered by the scope of this document. If there is a particular system not in scope that you think merits testing, please contact us to discuss it first. We will increase the scope of this policy over time. While AgileMD does not yet have a formalized bug bounty program, we will financially reward high-quality reports, with the amount commensurate with the severity of the issue.

Reporting a vulnerability

Information submitted under this policy will be used for defensive purposes only – to mitigate or remediate vulnerabilities. If your findings include newly discovered vulnerabilities that affect all users of a product or service and not solely AgileMD, we may share your report with the Cybersecurity and Infrastructure Security Agency, where it will be handled under their coordinated vulnerability disclosure process. We will not share your name or contact information without express permission.

We accept vulnerability reports via security@agilemd.com. Reports may be submitted anonymously. If you share contact information, we will acknowledge receipt of your report within 3 business days. Please encrypt the contents of your report using our PGP public key listed below.

What we would like to see from you

In order to help us triage and prioritize submissions, we recommend that your reports:

  • Describe where the vulnerability was discovered and the potential impact of exploitation.
  • Offer a detailed description of the steps needed to reproduce the vulnerability (proof of concept scripts or screenshots are helpful).
  • Be in English, if possible.

What you can expect from us

When you choose to share your contact information with us, we commit to coordinating with you as openly and as quickly as possible.

  • Within 3 business days, we will acknowledge that your report has been received.
  • To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about what steps we are taking during the remediation process, including on issues or challenges that may delay resolution.
  • We will maintain an open dialogue to discuss issues.

Questions

Questions regarding this policy may be sent to security@agilemd.com. We also invite you to contact us with suggestions for improving this policy.

PGP Public Key

  • AgileMD Security <security@agilemd.com>

-----BEGIN PGP PUBLIC KEY BLOCK-----

xsFNBGBTgJcBEACqzzk0CKYDa4ksKYDORZCdaUJuQRycEiAYSqcu/TBGLJdcUo7N
wXugkdfWLHrrF5c8NAILs059+WIQH0d9Pf4kiNZGGqcCVQ52GCqIgFWi/PkPcQfG
Z63vo4ie2orkbubf+X84b70r/kX2uDYHjqV/CMOUv+y3p390YaeoRqJ6SZVtETCf
9YWcV9aEB5VSQt24NPq2peVXzxUqQafBbr0iyuhntiiTqOKXVG3b06iYtzLyXICU
oboH+KuwTVfsX+p86WuV4N0t4vCDI+6g0WEC1I+NEFDqRqd4tICgFsDpbt6cIJun
z0PwC5JV8RjAJ14D90GjA2UVXbEc6BwAluHSAWdBuTCKNvtwi4VgKlWqZPqhXien
19sHryEBP4x8JZXL6eQLDtwts++fOkHrdKZfx2LLnzaHMvHTl7Rbsji486L0BTG9
bCeNiOJptIgLo9wqHsRrN8mZ8mmG72nSmcLnugTf4W30xTRDYZ5iF5+aWgvgL14r
iBNm4VlUGTR9QzgRh/iynP1Ev7gcSCo56DwFjvNnc3GeKmC//8DRZfjBkvNKr+xw
p5TPMZv17ju3gW8rj4hD/EimupT+jkg/v3Va0ektruH61p7krD/rD4JmMpQUl+kQ
Cowz6GjaXLGG7AbGs8YOEBAUTVKDtsMKa9eI3aD1iQ7oYVH/c5YJ38ICvwARAQAB
zSdBZ2lsZU1EIFNlY3VyaXR5IDxzZWN1cml0eUBhZ2lsZW1kLmNvbT7CwXoEEwEK
ACQFAmBTgJcCGy8DCwkHAxUKCAIeAQIXgAMWAgECGQEFCQAAAAAACgkQ9VEGG+e/
CJGWMg/+KgQwRt1XEHoDAU2mzqwUSm4l1KTbegjxsmHfQU/K005j9PwnY6YeUGf6
RPA5fi3NPzZA/WcAP2M1+YxC8UWG0L+ZOcEGhqAI6MmomqF3uJIAfZoXrIy0K9uv
Wej5d+5niH12Dm1AIGpTK56pXNcXIiYR7JMWrCoj3Rcx1G5laprC57D8OXYQSUct
5mVNhmpaxsRIa4BAPkE2c5HWgge+ycQQBM3wYWMN8pZuXooOK/1L1rryzTtInMH9
L+RP53pLYhhmwrBCie8UeN3Q0Hrky7KTjvRbKK/cKtvGsLwtVqyNrN62CwXdLA38
doVSrtgn9gyar5DVToKC2i57/heQf4ErFU/9qCm6OdPdShbInEVffYF0+x6NxuL9
BxfCQbMxKLWGc52pFSfB4PUV2tb0xv3pBHwSrQ3w3NKddY/hsttTsiTfZPA/wZVB
6OXihBDXNd8+5kcIqugAs+CjJClTW3Eq96Z1OzzENR9GEl1xgAStt7ka3iUOftbc
JY1fNKVZT1Tok+reCQCEfV9BakwQlA4VwC+4NfTR1JaJ0K4Wk7f9lBXjmQgGaf3I
+oA3HZc5S6YgQqjbz/ThnUSN7AtNB1ftXwSUNqdGopq/Et4SgMM2AtivwYscsNUq
6ZwX+pn9zOhkk0HD9kJU51ZxBPoLaYUiMUqrEeoN+/IdcccpKB3OwU0EYFOAlwEQ
AMYE8eT5RAP6lnG+2OFMMMxAp4eoTQbWGj5CbH018UCj8jbsshAR0WHHftKQh6BD
2mZ4AhvL7HKf+A3IA5sB2FhDwH7NIlL4YHKGWIxiu9Y5lDbXfGmBXm2Rsxq7q8UJ
ASWQEo9FTmgvFk43k2x8W6wQNGqSf1FS5WYI2efjzwUCtZUyTt1jG0c/6k3jhJx0
/8NGcL9LAVWqAc+rDTyK+ji/6UqMw8GJtpGGymtWYdJUUJyeV77eWlc3S6iqwDII
uuzyvkEYfgzmV7lEbtXGgTbXGJVlefQIC08Ba//t1OV6K+AaGbpq7stCldiPeYry
DXD1LH88DT/KWQ74SohrDnrUaygWbe8VB/bQW7f7bhxuk8my1w3dcyyq5OxLNGXx
LEZcRhJCQS22iMO/X/YqfGmFCmk20VebvqSi7Qp+tuODRrrN5ZhYi1hXRnEW9G42
gXQVZKAzB9s/VCU7eQ8RvIsU8NO/ddSTHEp1i3agkbNEo4MSC+ijqwzGNd+LQDyF
QXFvcoOroARv3lxbukFTIxmzGzmoKEWv1s90yS4q6OMo+BcnFCDF0SkD9NG5Spij
vFKh9QBxUsGCTKRanTRhTFKq9ZaNOAEpRhyhSs78hBqfRjrpAY2UJyriLwlm7yAR
/mrUMVyZ4giEVJnJKWg6QcunKg/4PP+IZQsnIiAOEUmDABEBAAHCw4QEGAEKAA8F
AmBTgJcFCQAAAAACGy4CKQkQ9VEGG+e/CJHBXSAEGQEKAAYFAmBTgJcACgkQTvf+
Bs1sqDLiTxAAlL3gHh3+n+qxvrl4kuazcqQGPAyc296q0EC2xQRjKFsgzBkrOjYS
xobXAuUkfLOQvdaK0A5cJ1SbOlnEKRXxHxRGZ/RuDk9MjtbMo+d70NUO2mkXe7b8
rbml4vEiutvAeFHDFJKOZmWRPw6PX9oUEHY0bdmiP71+eetsYX4/PkDK0m3rdzOi
yW+KmX25/nrubFbYmSP30a87pwP1/L5YPfIt9RAHqYrgIo46X2JUXz27YFDzaU+b
Nu7p3dYkUI/5Ftcc/MMfMbIWTB1sgxPOBup1IVZVhXEGiIzg7kj56Wv9j3suPMrl
09+i3xH8LZAVotPBbu8NYaWluL6dQVv3UthpzwxoQJTk45lYofI71zxdF2dxtuQe
SwQD6tlAI02kmeTozhfBhblzvd6LgKTkX2kDyuNGeAeHenAfIz6dYSlM46rqNWr6
+0RdHgP96IE9JprP2YHPK6rixsMU/NPho/yt4qDZ1wcBKKNVvDel3Me6Uy/5tZid
MimNyZBXBuDRBYm2Jk9O61QH4cgM2H04XFSn6CGhxvWwkx4X9tCi3KoIT+m4p5hV
/5H+mbXsgeAzDRVXHreZv9SJZo3SFvtqX1Jhr/wNCy1S1vYNYGXpOrn2DJ6mSLfi
AAvuJzJ3vYXqOso4t0e7j/vjBTBGWxoxPw+qnjbJ/Gt4Z9klJuPsa2TIKg/8DWzn
+cOmWMWPcXFA/pOf9M8a6HcHya5/YvEVEERTW9kSTx2XX/N278DV+Q4oCTN5CfR6
eUC+S56oiAfBFUBPw1yOJ6f9tKbKOgAip9W7YfcLw5rbjqj7ISj43sC7od3lIHpV
53soousDQpyRbm+GjjyHjMz97myPC0e9ADmFldvix/dbcIm6tIFwklR71ztHZB4p
M8gbimp04ZxE47DfZh2TyvuOH19/LjoPT7QpHme6t/tcPsRAXHcb/u+wQ1Th54YN
HfmR1jbRLX9+G9JCxY0VTY9iNFRYc3C18sRKSVMfQ2Zbh8re/dyBng/y8AaRlW5W
y+Cg2x4dCib8rYqizBGSIZNFF28ui//dgvlah9TDPCo9LMOgw1RIDTRt6ZA/tw8a
aIZp5+j5nm+UAJOgJSMjNMmV12uCzOxoZBiQP7wy8qEs1XkCqZZYNClZs5pLZnY6
lAOiwLUclffQ1K0HQeldBxADqWjPzKcnsJnZc9ZycLjQhJvVrzJt10vAl/5XsICj
Jn5qRKHyulE5p/mVWIvO0ktUEnxrkzCvvzEkOHZTjDP9PuRZD9uqXj55AJ5mQ5pS
fahAad0ujx96eM5lPUBEMpBpaeLSUpbffgLlVoYvBklsWQwhkEsRrrH3O0MSNBRD
v9DQcYGk2H1Pd0Hn8JH3dQokULwi1TET5ONu3HDOwU0EYFOAlwEQAM+s78yNfo6N
6BF34vromRkJ+eg5iLOB2JJQyMwzF36lFtBbaev/emF3x37vuOj8I+4OnQHGkt29
JgrXCm/U3jhIXoIPRHMYc4lIq9RcMFBfpDqUXnIzEw6GkN8otQB5EDtxOdF/kf2C
FKLgPJsVo/nwroVWEQWLYlZzzkIxLebxc2fjsNKz5d0zGLHi8O0tI68znemiVX4n
X4n8BxWVQOafWVY8yFXDO39OKkj8BgLWxs7S859R6ZBVNzeroJmDbntvR0dGnguw
SIkk5Q40vDeQuI0CKr9SkMqsWGkCFZWD0SKVCG+TAvlHgwyAIItv+hlDid9I8QSP
xsdZwn/R+IJyaydN9YIQKQYq9FvivfChLX43DWTgaGkdCDBh+MpXThiN1b/zLVfU
HiyXNtxlgSzD1Q/SPSEJ+DGaaHIOLjOQdGFiHaK1NgMHwYmKVje6nlEbVBkb9NqJ
w3KjygZnY3YIQFOGBI9IHbrmH3xtqa3LXT9HGAFHSY6WUURU+CgSK1C7VijsrXWq
zUeNVvEXjlABGLosBXu0KFFRd+sjoPq144xxt7kiIk2o7ZVBpXg3k8DTASuKHY0e
dxpGzoCyzdBOHtT1vRZNw4X0uFBUfCL5TWi8j8+QQFP8br8pvmpk0V3ReRVHrxz/
qmXwURTU+cqaTI0lz62BuPBnFLIZkvERABEBAAHCw4QEGAEKAA8FAmBTgJcFCQAA
AAACGy4CKQkQ9VEGG+e/CJHBXSAEGQEKAAYFAmBTgJcACgkQYs/RQEg3f9lHeA/+
LXH5TkeauZ1wkP7c6tvKdObo/JJjXF8fw2CQCH5wr2GKBK1Bp+tkUZhrJil1SyE7
iXyTrLHFd3eROUnBudnwc6boFO+oc7HLpQYxZH4hfd8YUlhMTGorxvAWSUzLyAwh
Qe1eGamkNYUcNyfQIvRoJzZoXYFpkV1dyAkE8AHhLjcPIlyr3Nk4g22txZf1sfIi
xv6LA3FZqPdcnQv++FNxrVJfAbWSq9hMquIdPZUvGn+Lnet+vFuNdTK0cotT6D/e
2NrZ5r4b8cCR+UeItv6k9aFdF59J0pZOONMnOlt/UhRMt1n+s8lgxo89yZ1stEye
uunxnb99Miw29ZR4kYSG3IxOEqcWGkqC3m280RcCSxFnpVq39kbaHnJ8NGGjvlmF
1SQ5cgfUgl5wEdcVLK2My7RRb0r2TCmV+x7pDbhiJxDi6ouVsQOl2hJyFUKRVFmU
Vv1ELdOeAyctPfTUeV5j8t0dehneiUbX2dd7M4ZRt5c+/34P3OB8ocp21K+7eXjT
Iu1DoU/cbWxc3picc4U1CxmIR/i/QTz0x40LpaQfvUOAmzNd+YxuQ6jjZM6R4g2/
oOmez0U6JWxaFqyEDiBBa6epVD4Q9vKTGSQQoWBbOVaO5u+5HNNqpTBNIA0W/L+j
LQb6tx7oIm0xfb3xtFj1tQ79bkT+UclRqLX2tlD+3oNXIBAAm/m13kjpmJJRWtG/
LA2edEvLOPYWDooNHyUQp1GLILPktrNtt+PbBrfZQjZFtHU7vUbQUiUBio0BjvZO
tNQqltVXU7vqJf5jAkctPL8TbElKVn6u2plaFS4u3qT09X/q3eEIBemXQxw/kX1S
DtYe03po79dqvZLqrhvvgl+bc22ZnlpMS542HO7W3P0t3ReP0pFB5IyEYt2mUzs9
foNY64mbjjFpZ3UaZ3q6JBd/4voNFl2FamAamPdgQ8cKb4zvEtVM/sMxNT1fPVdm
8ln6HU8afu0Hq0uNbw7E+YBBDtBZcVnq7/8l/KBHbB0rt3h4gwOelxboDVHmpbbW
VMaPxjWszQ7YP9LfD5tnxTS3LFTY6x5GhO7aLwPUkT344cYi/8uf4vQen2jsR/3y
jnf7jiDjiW/qSogZavYSPPlKbkKtULVq2Bl6q2IPxPf1iPfjHQyq+d2C6VWmSdQR
yPlmA500Oy0/EyBmiVn9WoBC74J2Fu5O+jbKQI68jfxZLZQwearyS8ah0g27z776
Qv/HmcYAX4u6b2nuX7jJ/v3h9QIoWfFsj803VNlNCGjMCocJUf5CGYyqwYfP0Y+T
v5l547M2Tob6YedjqmN+xK9zJ3a2GLWeVAK7vdQzVE1kv8FgFGVsEop0/sWFK5nZ
3G5MuoCZ2jZPfcpL3zNc/eKWid4=
=mqK7
-----END PGP PUBLIC KEY BLOCK-----