Truemeds Vulnerability Disclosure Policy

  1. Our Commitment

    At Truemeds, the safety and security of our platform and our users' data is of utmost importance. We welcome the contributions of the security research community in helping us identify and remediate vulnerabilities. If you believe you have discovered a security issue in our systems, applications or infrastructure, we encourage you to report it in accordance with this policy.

  2. How to Report

    Email: security@truemeds.in

    Subject line: "Security Vulnerability Report" or "VDP Inquiry"

    IMPORTANT: When conducting security testing, include the request header x-security-truemeds: <mobile_number> in your testing traffic. This prevents our WAF from blocking your testing activity and confirms you're following the VDP.

    Required Information in Your Report

    • Reporter name (or pseudonym)
    • Contact email
    • Affected asset (URL, API endpoint, app version)
    • Vulnerability severity (use the severity matrix below)
    • Steps to reproduce / proof-of-concept
    • Impact summary (what could an attacker do? what data might be exposed?)
    • Supporting evidence (HTTP requests, screenshots, curl commands, etc.)

  3. Vulnerability Severity Classification

    Use this matrix to help classify your findings. This helps us triage faster.

    Critical (P1)
      Definition: Immediate risk to user data, system availability, or financial impact. Allows unauthorized access to patient/order data or system compromise.
      Examples: Remote code execution, SQL injection exposing patient data, authentication bypass, cryptographic failures

    High (P2)
      Definition: Significant security risk but requires additional steps or limited scope. Could lead to data exposure or system degradation.
      Examples: Broken access control affecting specific user roles, sensitive information disclosure, insecure deserialization

    Medium (P3)
      Definition: Moderate risk with limited impact or requiring specific conditions to exploit. May enable further attack chains.
      Examples: XSS vulnerabilities, CSRF on non-sensitive actions, information disclosure of internal details, weak password policies

    Low (P4)
      Definition: Minimal security impact. Typically informational or requires unlikely conditions to exploit.
      Examples: Missing security headers, SSL/TLS configuration issues, outdated libraries without active exploitation, typos in documentation

  4. Scope

    In-Scope

    • Public Truemeds domains and subdomains (e.g., *.truemeds.in and *.tmmumbai.in)
    • Public APIs used by our web or mobile applications
    • Production mobile applications (Android and iOS versions available on official app stores)
    • Customer-facing systems such as order management, prescription upload, and doctor portals

    Out of Scope

    • Internal systems (admin portals, internal tools) unless prior written permission is obtained
    • Third-party systems not owned or operated by Truemeds
    • Any type of Denial-of-Service (DoS) testing or performance testing
    • Social engineering, phishing, or physical security tests
    • Any testing that modifies, deletes, or exfiltrates real customer or patient data
    • Publicly disclosed vulnerabilities or vulnerabilities already reported by another researcher

    Uncertain about scope? Contact security@truemeds.in before testing. We'll clarify within 24 hours.

  5. Safe Harbor and Legal Assurance

    Truemeds is committed to protecting good-faith security researchers. If you follow this policy and act responsibly, Truemeds will not pursue civil, criminal, or regulatory action against you for security research conducted under the scope of this VDP.

    Your Responsibilities

    • Comply with all applicable laws and regulations
    • Avoid accessing, copying, modifying, or deleting customer, patient, or order data beyond what's necessary to demonstrate the vulnerability
    • Limit testing to what's strictly necessary to identify and validate the vulnerability
    • Not disrupt or degrade our services or users' access
    • Report the vulnerability responsibly through this VDP before any public disclosure
    • Not publicly disclose the vulnerability without our written consent and sufficient time to remediate

    Limitations

    This safe-harbor protection does not apply to activity conducted in bad faith, that violates applicable law, or that causes harm to Truemeds or our users. Truemeds reserves the right to pursue legal action if good faith is not demonstrated.

  6. Our Response Process and Timelines

    We are committed to acknowledging, triaging, and resolving vulnerabilities promptly.

    Response SLAs

    • Acknowledgement of report: within 24 hours
    • Initial triage decision:
      • Critical (P1): within 72 hours
      • High/Medium (P2-P3): within 5 business days
      • Low (P4): within 10 business days
    • Progress updates: At least one update every 2 weeks for active remediation

  7. Duplicate and Competing Reports

    The first reporter wins. If we receive multiple reports of the same vulnerability, credit and recognition will go to the first valid report received. Subsequent reports will be acknowledged but not separately credited.

    Before reporting, search common vulnerability databases (CVE, NVD) to check if the issue is already publicly known. If it is, it's out of scope.

  8. Disclosure and Recognition

    After we validate and fix the vulnerability, you may publish your findings after coordination with Truemeds. We request at least 90 days between initial notification and public disclosure to allow time for remediation and user updates.

    We will publicly thank you on our "Security Hall of Thanks" page (unless you prefer anonymity). We'll include your name/pseudonym, a brief description of the vulnerability class, and a link to your choice of website or social profile.
    Hall of Thanks: Coming soon at https://www.truemeds.in/security/hall-of-thanks

  9. Rewards and Incentives

    At this stage, Truemeds does not offer monetary rewards. However, valid and impactful reports may receive:

    • Public recognition on our Hall of Thanks page
    • Exclusive Truemeds security research swag
    • Digital vouchers or credits toward Truemeds services

    As our program matures and scales, we plan to introduce a structured bug-bounty program with monetary rewards. Researchers who have contributed high-impact findings will be notified first.

  10. Data Protection and Confidentiality

    • Truemeds may use information from your report to improve security, but will not publicly disclose your identity or details without consent
    • Truemeds will treat your report as confidential until remediation is complete
    • You will not share details of the vulnerability with third parties without our written consent

Acknowledgment

We deeply appreciate the efforts of the global security research community in helping us safeguard our customers' data and maintain trust in the Truemeds platform. Thank you for supporting responsible disclosure and working with us to make healthcare technology safer for everyone.
