Details

HealthEquity Security Vulnerability Reporting

This section is for security researchers who are interested in reporting security vulnerabilities on the HealthEquity platform. We value the assistance of the security research community and encourage researchers or others to report any potential vulnerabilities in accordance with the guidelines below.

Safe Harbor

We will not pursue legal action against researchers who comply with the HealthEquity defined responsible disclosure process.

Reward / Compensation

HealthEquity does not operate a bug bounty program and makes no offer of reward or compensation. If you are the first to report a qualifying vulnerability and would like to be included in our Security Researcher Hall of Fame, please provide us with your name and a link for recognition.

Reporting Instructions

We will not pursue legal action against researchers who comply with the HealthEquity defined responsible disclosure process.

Email us at [email protected].

Report issues promptly and do not attempt to further exploit the system or its data once you have confirmed and documented the issue.
Include a detailed description of the vulnerability: tools utilized, target, processes, and results.
Do NOT include any sensitive/personal/non-public data samples; a description of such data is sufficient.

Acknowledgement and Response

When the HealthEquity Information Security Team receives a report, we will send an acknowledgement within three business days. Request(s) for further information may be sent as needed. After validation/verification of a vulnerability, additional communications will be sent through resolution.

Timeframe

HealthEquity will not negotiate in response to a threat (e.g., a threat of withholding, or threat of releasing the vulnerability to the public). However, we will work with you, and ask that you allow us a reasonable amount of time for both the validation/verification and the resolution of the vulnerability before taking action to make it public. We will not share names or contact data of security researchers unless given explicit consent.

External Vulnerability Reporting

Reporting of vulnerability information to other third parties or vendors will be determined at the discretion of HealthEquity.

Responsible Disclosure Guidelines

DO:

Do cease testing and report the vulnerability or exposure of non-public or sensitive data as quickly as is reasonably possible to [email protected], to minimize the risk of hostile actors finding or taking advantage of it.
Do provide sufficient information to reproduce the problem so we will be able to resolve it as quickly as possible. Usually, the IP (Internet Protocol) address or the URL (Universal Resource Locators) and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation.
Do limit testing to HealthEquity owned applications as defined in the 'In-Scope' section of this policy.
Do remove any non-public or sensitive data from your system that might have been obtained during testing.

DO NOT:

Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability, making changes to the system, installing malicious software, or deleting or modifying other people's data.
Do not test third-party applications, websites, or services that integrate with, or link to or from HealthEquity systems.
Do not test in a manner which could degrade the operation of HealthEquity systems or intentionally impair, disrupt, or disable HealthEquity systems.
Do not build your own backdoor into a system, even if the intention is to demonstrate the vulnerability; doing so can cause additional damage and create unnecessary security risks.
Do not reveal the problem to others until it has been resolved.
Do not use attacks on physical security, social engineering, distributed denial of service, spam, phishing, or applications of third parties.
Do not include any sensitive/personal/non-public data samples in your report; a description of such data is sufficient.

In Scope

All publicly accessible domains, applications, and systems owned by HealthEquity and its subsidiaries. If you have any other information you would like to provide to our security team, please do so via the Reporting Instructions.

Out of Scope

When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

Vulnerabilities that require access to an already compromised user account (unless access to an account exposes other accounts).
Policies as opposed to implementations, such as email verification or password length or reuse.
Spam (unless a specific vulnerability leads to easily sending spam).
Missing security headers or 'best practices' (except if you are able to demonstrate a vulnerability that makes use of their absence).
Distributed Denial of Service attacks (DDoS).
Social engineering attacks.
Third party applications we make use of but do not control (e.g., a media library or social media service).

Security Researcher Hall of Fame

HealthEquity would like to publicly express our gratitude to the following security researchers for responsibly disclosing vulnerabilities and working with us to remediate them. We truly appreciate your remarkable efforts!

HealthEquity Security Vulnerability Reporting

Reporting Instructions

We will not pursue legal action against researchers who comply with the HealthEquity defined responsible disclosure process.

Report issues promptly and do not attempt to further exploit the system or its data once you have confirmed and documented the issue.

Include a detailed description of the vulnerability: tools utilized, target, processes, and results.

Do NOT include any sensitive/personal/non-public data samples; a description of such data is sufficient.

Acknowledgement and Response

Timeframe

Responsible Disclosure Guidelines

DO:

Do cease testing and report the vulnerability or exposure of non-public or sensitive data as quickly as is reasonably possible to [email protected], to minimize the risk of hostile actors finding or taking advantage of it.

Do provide sufficient information to reproduce the problem so we will be able to resolve it as quickly as possible. Usually, the IP (Internet Protocol) address or the URL (Universal Resource Locators) and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation.

Do limit testing to HealthEquity owned applications as defined in the 'In-Scope' section of this policy.

Do remove any non-public or sensitive data from your system that might have been obtained during testing.

DO NOT:

Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability, making changes to the system, installing malicious software, or deleting or modifying other people's data.

Do not test third-party applications, websites, or services that integrate with, or link to or from HealthEquity systems.

Do not test in a manner which could degrade the operation of HealthEquity systems or intentionally impair, disrupt, or disable HealthEquity systems.

Do not build your own backdoor into a system, even if the intention is to demonstrate the vulnerability; doing so can cause additional damage and create unnecessary security risks.

Do not reveal the problem to others until it has been resolved.

Do not use attacks on physical security, social engineering, distributed denial of service, spam, phishing, or applications of third parties.

Do not include any sensitive/personal/non-public data samples in your report; a description of such data is sufficient.

Out of Scope

When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

Vulnerabilities that require access to an already compromised user account (unless access to an account exposes other accounts).

Policies as opposed to implementations, such as email verification or password length or reuse.

Spam (unless a specific vulnerability leads to easily sending spam).

Missing security headers or 'best practices' (except if you are able to demonstrate a vulnerability that makes use of their absence).

Distributed Denial of Service attacks (DDoS).

Social engineering attacks.

Third party applications we make use of but do not control (e.g., a media library or social media service).