LifeLabs Vulnerability Disclosure Program Policy
This policy is intended to give security researchers and other participants in the security community clear guidelines under the LifeLabs Vulnerability Disclosure Program for conducting vulnerability discovery activities directed at web properties owned or operated by LifeLabs Inc., its affiliates, or subsidiaries (“LifeLabs”), and submitting discovered vulnerabilities to LifeLabs. Your participation in the program is voluntary and subject to the terms and conditions set forth on this page. By submitting a report, you acknowledge and agree to the terms and conditions contained in this Policy. You also acknowledge that, to the extent they are not inconsistent with this Policy; you are subject to:
Keeping our client’s information safe and secure is a top priority and a core concept that we continue to improve and evolve. The security community regularly makes valuable contributions to the security of organizations and LifeLabs recognizes that fostering a close relationship with the community will help improve our own security. So if you have information about a vulnerability in an LifeLabs system or web application, we want to hear from you!
Adding this new program to our overall security repertoire will further strengthen our security posture, improve services and more importantly, to keep our client’s information safe when using our services.
We invite researchers to test the LifeLabs’ website and Web Applications in line with the principles set out in this brief.
As part of this program, you must review, understand, and agree to the following terms and conditions before conducting any testing of LifeLabs networks and before submitting a report.
Please note we will not be accepting feedback outside this form.
Any public-facing system owned, operated, or controlled by LifeLabs, including web applications hosted on those sites.
- Your activities are limited exclusively to:
- Testing to detect a vulnerability or identify an indicator related to a vulnerability; or
- Sharing with, or receiving from, LifeLabs information about a vulnerability or an indicator related to a vulnerability.
- You do no harm and do not exploit any vulnerability beyond the minimal amount of testing required to prove that a vulnerability exists or to identify an indicator related to a vulnerability.
- You avoid intentionally accessing the content of any communications, data, or information transiting or stored on LifeLabs information system(s) – except to the extent that the information is directly related to a vulnerability and the access is necessary to prove that the vulnerability exists.
- You do not exfiltrate, alter, or destroy any data under any circumstances.
- You do not compromise the privacy or safety of LifeLabs personnel or any third parties.
- You do not compromise the intellectual property or other commercial or financial interests of any LifeLabs personnel or entities, or any third parties.
- You do not publicly disclose or share with any third-party any details of the vulnerability, indicator of vulnerability, or the content of information rendered available by a vulnerability, except upon receiving explicit written authorization from LifeLabs.
- You do not conduct denial of service testing or other testing that impacts the availability of LifeLabs services.
- You do not conduct social engineering, including spear phishing, of LifeLabs personnel, contractors, customers.
- You do not attempt to gain physical access to any of our offices or data centers.
- You do not include any information that may identify an individual other than yourself (such as name, contact information, IP address, or other similar information) in your vulnerability report or any attachments thereto
- You do not submit a high-volume of low-quality reports.
- If at any point you are uncertain whether to continue testing, please engage with the Bugcrowd team at firstname.lastname@example.org
What You Can Expect From Us
LifeLabs remains committed to coordinating with you as openly and quickly as possible under the circumstances. We will investigate reports based on information available and may contact you for further information. Please note, reports marked as triaged are subject to change pending our team’s final analysis. We’ll try to keep you informed about our progress throughout the process.
You must comply with LifeLabs Terms of Service, security industry best practices, and all applicable Federal, Provincial, and local laws in connection with your security research activities or other participation in this vulnerability disclosure program. You agree that any and all information acquired or accessed as part of this exercise is confidential to LifeLabs and you shall hold all such information in strict confidence and shall not copy, reproduce, sell, assign, license, market, transfer or otherwise dispose of, give, or disclose such information to third parties or use such information for any purposes other than for the performance of your work or expressly authorized in writing by LifeLabs.
LifeLabs does not authorize, permit, or otherwise allow (expressly or impliedly) any person, including any individual, group of individuals, consortium, partnership, or any other business or legal entity to engage in any security research or vulnerability or threat disclosure activity that is inconsistent with this policy or the law. If you engage in any activities that are inconsistent with this policy or the law, you may be subject to criminal and/or civil liabilities.
To the extent that any security research or vulnerability disclosure activity involves the networks, systems, information, applications, products, or services of a non-LifeLabs entity (e.g., Federal departments or agencies; Provincial, local, or tribal governments; other private sector companies or persons; employees or personnel of any such entities; or any other such third party), that non-LifeLabs third party may independently determine whether to pursue legal action or remedies related to such activities.
By submitting a report to LifeLabs, you grant to LifeLabs Inc., its subsidiaries and its affiliates, a perpetual, irrevocable, no charge license to all intellectual property rights licensable by you in or related to the use of information or material submitted. You must notify us if any part of your report is not your own work or is the intellectual property of a third-party.
LifeLabs may modify the terms of this policy or terminate the policy at any time.