Clarify Medical is now Zerigo Health.

Vulnerability Disclosure

Date of Last Revision: 7/20/2022

Purpose

This policy aims to ensure a consistent and secure manner for persons to communicate suspected vulnerabilities of Zerigo products or services. This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities and to convey our preferences in how to submit discovered vulnerabilities to Zerigo.

Scope

This Vulnerability Disclosure policy aims to ensure a consistent and secure manner in which individuals (e.g., security researchers) may communicate suspected vulnerabilities in Zerigo products or services. Zerigo is committed to continually improving our organization's security and, more specifically, the security of our information assets. The responsible disclosure of security vulnerabilities helps us ensure the security and privacy of our users.

Guidelines

This policy is designed to be compatible with common vulnerability disclosure good practice. It does not give permission to act in any manner that is inconsistent with the law, or which might cause Zerigo or partner organizations to be in breach of any legal obligations. Under this policy, “research” means activities in which you:

Once you’ve established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.

Test methods

Researchers acting in good faith to discover, test and submit vulnerabilities or indicators of vulnerabilities are authorized, provided testing activities are limited exclusively to:

The following test methods are not authorized:

Reporting a vulnerability

If you discover a vulnerability or suspected vulnerability, you must provide a report describing the vulnerability which includes:

Please send your report to security@zerigohealth.com

After you have submitted your report, Zerigo’s Cybersecurity team will respond to your report within five working days and aim to triage your report within 10 working days. We’ll also aim to keep you informed of our progress.

Priority for remediation is assessed by looking at the impact, severity and exploit complexity.
Vulnerability reports might take some time to triage or address. You are welcome to inquire about the status, but avoid doing so more than once every 14 days. This allows our teams to focus on the curative action.

We will notify you when the reported vulnerability is remediated, and you may be invited to confirm that the solution covers the vulnerability adequately.

Once your reported vulnerability has been resolved, we welcome requests to disclose your report.
Zerigo would like to unify guidance to affected users, and coordinate any public release.