Tasso, Inc. Vulnerability Disclosure Policy

Introduction

Tasso, Inc. is committed to protecting the security of customer, patient, and internal business data. As part of this commitment, we encourage security researchers and others acting in good faith to report to us security vulnerabilities they have identified. Tasso maintains this Vulnerability Disclosure Policy to establish the types of vulnerability discovery activities we permit and prohibit, and how individuals should report vulnerabilities to us.

This policy describes what systems and types of research are covered under this policy, how to send us vulnerability reports, and how long we ask security researchers and others to wait before publicly disclosing vulnerabilities.

We encourage you to contact us to report potential vulnerabilities in our systems. We can be reached via security@tassoinc.com for vulnerability reports, questions, or concerns. Please review the details of this policy prior to contacting us.

Authorization

If you make a good faith effort to comply with this policy when identifying and reporting a security vulnerability, then we will consider your activities to be authorized by Tasso and we will not recommend or pursue legal action related to those activities. Should legal action be initiated by a third party against you for activities that were conducted in accordance with this policy, we will make this authorization known.

Requirements

When identifying and reporting a vulnerability to us, you agree to:

  • Notify us as soon as possible after you discover a real or potential security vulnerability.

  • Make every effort to avoid access to personal information (including personally identifiable information and protected health information), degradation of user experience, disruption to production systems, and destruction or manipulation of data.

  • Use exploits only to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.

  • Provide us a reasonable amount of time to resolve the issue before you disclose it publicly. Note that the amount of time that is reasonable may depend on factors such as the nature and complexity of the vulnerability or relevant systems or the difficulty of reproducing the vulnerability.

  • Refrain from submitting a high volume of low-quality reports. Low-quality reports include (but are not limited to) those that provide only vague or generic information about a vulnerability.

  • Act in good faith in identifying and reporting the vulnerability. You agree not to intentionally harm Tasso, its employees, patients, or others. You agree not to attempt to ransom or extort us.

Once you’ve established that a vulnerability exists or encounter any sensitive data (including but not limited to personal information, protected health information, financial information, or proprietary information or trade secrets of any party), you must stop your activities and notify us as soon as possible. Do not use an identified vulnerability to compromise or exfiltrate data, to establish command line access and/or persistence to any system, or to “pivot” to other systems.

If you encounter any sensitive information, including any personal information, then you agree to keep this sensitive information in strict confidence, to not use this information for any purpose other than to demonstrate the presence of a vulnerability, and to comply with Tasso’s requests to provide copies of and to permanently delete any and all sensitive information.

Test methods

The following test methods are not authorized:

  • Network denial-of-service (DoS or DDoS) tests or other tests that are reasonably likely to impair access to or damage a system or data;

  • Brute-force testing;

  • Physical testing (e.g., office access, open doors, tailgating), social engineering (e.g., phishing, vishing), or any other non-technical vulnerability testing;

  • Introducing malware to any Tasso systems.

Scope

This policy applies to the following systems and services:

  • *.tassoinc.com

  • *.tassocare.com

Any service or system not expressly listed above, such as any connected or third-party services, is excluded from scope and is not authorized for testing. Additionally, vulnerabilities found in systems from our vendors or other third parties fall outside of this policy’s scope and should be reported directly to the vendor according to their vulnerability disclosure or similar policy (if any). If you aren’t sure whether a system is in scope or not, then contact us at security@tassoinc.com before taking any actions to identify a vulnerability.

Reporting a vulnerability

Information submitted under this policy will be used for defensive purposes only – to mitigate or remediate vulnerabilities. If your findings include newly discovered vulnerabilities that affect all users of a product or service and not solely Tasso Inc., then we may share your report with the owner of the product or service. We will not share your name or contact information without express permission.

We accept vulnerability reports at security@tassoinc.com. Reports may be submitted anonymously. If you share contact information, then we will acknowledge receipt of your report in a timely fashion. We encourage you to provide contact information so that we may work with you as needed to reproduce your activities and resolve the vulnerability.

At this time, we do not support PGP-encrypted emails. If you would like to communicate with us through a secure method, then please send us an initial email at security@tassoinc.com, and we will work with you to establish a secure communications channel. Please do not send us sensitive information, including personal information, identified during your activities unless we have asked you to do so.

What we would like to see from you

To help us triage and prioritize submissions, we recommend that your reports:

  • Describe the location where the vulnerability was discovered and the potential impact of exploitation.

  • Offer a detailed description of the steps needed to reproduce the vulnerability (proof of concept scripts or screenshots are helpful).

  • Be in English, if possible.

What you can expect from us

When you choose to share your contact information with us, we commit to coordinating with you as openly and as promptly as we can:

  • We will acknowledge receipt of your report in a timely fashion.

  • We will do our best to confirm the existence of the vulnerability with you and will be as transparent as we can about what steps we are taking during the remediation process, including on issues or challenges that may delay resolution. Please note that there may be limitations to the information we can provide you due to legal requirements, contractual obligations, or other considerations.

  • We will maintain an open dialogue to discuss issues as best we can.

Questions

Questions regarding this policy may be sent to security@tassoinc.com. We also invite you to contact us with suggestions for improving this policy.

Last Updated: This Security Vulnerability Policy was last updated on September 22, 2022.