Security Policy

The Student Doctor Network (SDN) is operated by the Health Professional Student Association (HPSA), https://www.hpsa.org. We take the security and privacy of our users very seriously. As such, we are always looking to enhance and improve the security of our websites. We thank you in advance for your contributions to our vulnerability disclosure program.

General Requirements

  • This Program is limited to exploitable security vulnerabilities and common vulnerabilities and exposures (CVE) found in our products, services, and websites.
  • CVE issues with browsers, WordPress, XenForo, or other common software packages are not eligible. Those errors should be reported to their respective programmers or copyright holders.
  • Please do not test XenForo (forums) or WordPress (content management system) on our site. We license these commercial products. Instead, please contact WordPress or XenForo if you would like to provide CVE reports for their software.
  • We ask that users contact us to report any potential issues that they may discover in their use of those products.
  • Please do not cause slowdowns on our site! No heavy load or DDoS testing.
  • Absolutely no data loss or damage.
  • Errors should be reported through Open Bug Bounty (OpenBugBounty.org).
  • We are a small not-for-profit organization and can only afford to pay up to US$10 per major CVE.

Testing Requirements

  • When submitting reports to us, we ask that you combine reports if the same or similar root cause affects multiple endpoints, subdomains, or assets.
  • In researching a vulnerability, please do not cause harm to us (HPSA and/or SDN) or our users, attempt to access our offices, data centers, user accounts other than your own, test for spam, phishing, social engineering, or denial of service issues, violate any applicable law, disrupt or compromise any data that is not your own, or further exploit a confirmed vulnerability.
  • For the quickest handling of any vulnerability submissions, please ensure that you demonstrate the steps taken to identify or recreate the vulnerability.
  • This program will not accept findings that do not demonstrate any actionable vulnerability. Examples of such non-vulnerabilities include content spoofing or text injection situations with no clear attack vector, and disclosure of information that is intended to be publicly accessed or that otherwise does not present a real risk to our users or us.

Possible Awards

  • We offer a small bounty (US$10 or less depending on severity) for newly discovered vulnerabilities and exposures.
  • CVEs that we have previously identified are not eligible for this bounty. Please use OpenBugBounty.org to track existing and known vulnerabilities.
  • CVE issues with browsers, WordPress, XenForo, or other common software packages are not eligible. Those errors should be reported to their respective programmers or copyright holders.

Special Notes

  • We aim to respond to all new vulnerability reports within 5 business days.
  • To protect our users, we do not publicly disclose or confirm security vulnerabilities until we have conducted a full analysis of the reported vulnerability and issued any necessary fixes or mitigations.
  • We follow common industry practices for coordinated and responsible vulnerability disclosure processes during such investigations, and we ask all vulnerability reporters to do the same. This means allowing us the opportunity to follow this process and remediate any reported vulnerabilities before you publicly disclose or share the vulnerability or methods to exploit with any third party.

Legal Notice

  • So that we may utilize your vulnerability report to determine and develop appropriate remediation procedures, by submitting a vulnerability report to us you grant to HPSA, its subsidiaries, and its affiliates a perpetual, irrevocable, no-charge license to all intellectual property rights licensable by you in or related to the use of this material.
  • For similar reasons, you must notify us if any of this material is not your own work or is covered by others’ intellectual property rights. Not notifying us means that you’ve represented that no third-party intellectual property rights are involved.

Point of Contact