Responsible Disclosure Policy

ekincare is an employee health benefits platform that provides health benefits to corporates. We are committed to ensuring the safety and security of the products and cloud services that we provide to customers.

If you have discovered a security issue that you believe we should know about, we'd welcome working with you.

Responsible disclosure policy guidelines:

If you believe that you have found a security vulnerability in the application, please email it to security@ekincare.com.

Please include the following information in your email submission:

  • Title: the type of vulnerability
  • Description: a description of the affected feature and the path where you found the vulnerability
  • POC: steps to reproduce the vulnerability (any scripts, screenshots, etc.)

We will usually respond within 2-4 working days. If you do not receive any response from us, the issue may already have been reported, or the information provided may not be sufficient to identify the vulnerability. We request that you adhere to the guidelines of responsible disclosure, some of which are as follows:

  • Strictly avoid privacy violations, destruction of data, degradation of user experience, and disruption to production servers
  • Always test with the accounts you own
  • Avoid using automated scanning techniques and brute-force attacks
  • Please keep your disclosure confidential between yourself and ekincare

Out of Scope Vulnerabilities:

  • Clickjacking on pages with no sensitive actions
  • Presence of autocomplete attribute on web forms
  • CSRF on unauthenticated forms or functionality
  • Rate limiting on unauthenticated endpoints
  • Missing best practices in SSL/TLS configuration
  • Missing best practices in security headers such as Content Security Policy, HSTS, or the HttpOnly and Secure flags on cookies
  • Missing email best practices such as missing SPF/DKIM/DMARC records, etc.
  • Issues that require user interaction
  • Open redirect without any impact on the application

Rewards & Recognition

To show our appreciation of responsible disclosure, ekincare will provide recognition and display your details on our "Hall of Fame" page and/or send some awesome swag your way! Here are some of the Hall of Fame standing types:

  1. Top Three of the Month
  2. First vulnerability type reported
  3. First P1 reported/more P1s reported in the month