Security at Clarity
At Clarity, we prioritize the utmost safety and security of our customers' data. We highly appreciate contributions from our community to help identify vulnerabilities in our EHR, EMR, and Telemedicine solutions.
How to Report an Issue:
By accessing or using Clarity, you agree to be bound by these terms and conditions. If you do not agree with any part of these terms, you may not use Clarity.
If you come across an issue that falls outside our predefined scope, please reach out by emailing security@easecare.co.
Provide the following details:
- A summary of the issue and its potential impact.
- A breakdown of the steps to replicate the issue.
- Details about the environment you are using.
- Any available proof-of-concept code to exploit the vulnerability.
Upon receiving your email, our dedicated team will promptly investigate the reported issue. We'll keep you informed of the progress and may request additional details if necessary. Once resolved, we will update our valued customers.
We believe in recognizing your efforts; hence, for any valid vulnerabilities with a CVSS score of 4 or higher, we will reach out to express our gratitude with a financial reward.
Focus Areas:
- x Authentication bypass and privilege escalation.
- xExposure of personally identifiable information (PII).
- xAccess to data outside of the authenticated account.
- xSQL injection and remote command execution.
In Scope:
- https://easecare.co
- https://clarity.easecare.co
- https://clarity-api.easecare.co
- Clarity Zendesk, Intercom, Slack, GitHub, and Front apps.
- Clarity Desktop (macOS, Windows).
Out-of-Scope:
- Automated scanning of any kind.
- Social engineering, particularly involving Clarity employees.
- Denial of Service attacks.
- Attacks requiring physical access to the victim's computer.
- Theoretical attacks without proof of exploitability.
- Man-in-the-middle attacks.
- Clickjacking on pages with no sensitive actions.
- High-privilege users using a bug to sabotage/deface their own account.
- Logic bugs allowing an attacker to bypass limits on free accounts.
We Kindly Ask You:
- Only test vulnerabilities on your own account or with explicit permission.
- Make a good-faith effort to avoid privacy violations, data copying or destruction, and service interruption.
- If you gain remote access to our systems, refrain from expanding or elevating access to other servers.
- Do not make the vulnerability public before reporting it to us and provide adequate time for us to address the issue.
Safe Harbor:
Conducting activities in accordance with this policy is considered authorized. We will not initiate legal action against you. If third-party legal action arises, we will affirm that your actions align with this policy.