Security & Vulnerability Disclosure
Coordinated vulnerability disclosure policy and security reporting
Owner & Contact
Owner / Operator
Spyface Tech Company, LLC (d/b/a "ClinicBooking")
30 N Gould St Ste N, Sheridan, WY 82801, USA
Contacts
Security: security@clinicbooking.com
Support: care@clinicbooking.com
Corporate: hello@spyface.com
On This Page
Overview & Scope
ClinicBooking is a global marketplace that helps patients discover and connect with independent clinics and clinicians. We are not a health care provider. This page explains our high-level security posture and our Coordinated Vulnerability Disclosure Policy (CVDP). It applies to ClinicBooking-controlled web properties and applications, unless a product-specific notice states otherwise.
HIPAA note: ClinicBooking is not a HIPAA "covered entity." Where we sign a Business Associate Agreement (BAA) with an enterprise customer or partner, additional security/notification obligations in that BAA will apply to that relationship.
Our Security Commitments
- We apply industry-standard safeguards designed to protect user data, and we continuously improve controls based on risk, threat modeling, and best practices.
- We operate a coordinated vulnerability disclosure program and welcome good-faith research reports.
- We investigate credible reports and remediate verified vulnerabilities consistent with severity and risk.
- We provide breach/incident notifications as required by applicable law and contracts.
Your Responsibilities
- Use strong, unique passwords and enable multi-factor authentication where offered.
- Keep your devices and browsers updated; log out on shared devices.
- Never share your account; report suspected account compromise immediately to security@clinicbooking.com.
Coordinated Vulnerability Disclosure (CVDP)
We encourage responsible, good-faith security research. If you believe you've found a vulnerability, please report it to us privately and give us reasonable time to remediate before public disclosure.
How to Report
- Email: security@clinicbooking.com (preferred)
- Subject:
[VULN REPORT] <brief title> - Include: affected URL/asset, detailed steps to reproduce, impact, proof-of-concept, your testing account/email, and any logs/screenshots. Do not include sensitive data (e.g., PHI/PII); redact where possible.
- Need encryption? Email us to request our PGP key.
In Scope (illustrative)
clinicbooking.com and subdomains controlled by ClinicBooking| Asset | Examples |
|---|---|
| Primary domains | clinicbooking.com and subdomains controlled by ClinicBooking |
| First-party web apps | Public site, logged-in dashboards, provider tools |
| Mobile applications | Official ClinicBooking iOS/Android apps (if published) |
Out of Scope (non-exhaustive)
| Category | Notes |
|---|---|
| Third-party services | Vendors, CDNs, processors not owned/controlled by ClinicBooking |
| Social media pages | Profiles on platforms we do not control |
| Denial of Service | Traffic floods, resource exhaustion, spam campaigns |
| Low-risk findings | Clickjacking on non-sensitive pages, missing SPF/DMARC alignment variants, disclosure of non-sensitive server headers |
Response Targets & SLAs
| Stage | Target | Details |
|---|---|---|
| Acknowledgement | Within 3 business days | We confirm receipt and start triage |
| Triage & Assessment | Within 10 business days | We assign severity (e.g., CVSS), validate scope, and advise next steps |
| Remediation | Depends on severity | Critical: aim ≤7 days; High: ≤30 days; Medium: ≤90 days; Low: best effort |
| Disclosure Coordination | By mutual agreement | We request reasonable time to patch before any public disclosure |
Bug bounties: We do not currently offer monetary rewards. At our discretion we may provide written thanks or researcher credit after remediation.
Incident Response & Breach Notification
We maintain internal incident response procedures including detection, containment, eradication, and recovery activities, followed by post-incident review. If a data breach occurs, we will notify affected parties and/or regulators as required by applicable law and any governing contracts (e.g., BAA, DPA). Timeframes and content of notices will follow legal requirements.
Technical Baselines (High Level)
- Encryption in transit: TLS 1.2+ for client and service communications, HSTS on primary domains.
- Encryption at rest: Industry-standard encryption for primary datastores and secrets management.
- Access controls: Least privilege, role-based access, MFA for privileged access where supported.
- Logging & monitoring: Centralized logging with alerting for key events; retention consistent with legal and operational needs.
- Vulnerability management: Routine scanning and patching cycle; risk-based prioritization.
- Backups & continuity: Backups for critical systems; periodic restore testing.
- Third-party risk: Vendor due diligence and contractual security/privacy commitments.
Note: We provide this high-level overview for transparency; it is not an exhaustive list of controls and may change without notice.
Testing Rules (Allowed & Prohibited)
- • Testing only on your own accounts or explicit test data
- • Non-destructive checks (e.g., reflected/stored XSS with harmless payloads, IDOR without data exfiltration)
- • Rate-limited, low-impact automated scanning
- • Accessing, modifying, or exfiltrating PHI/PII or production data
- • Privilege escalation via social engineering or phishing
- • DoS, DDoS, spam, brute force, resource exhaustion
- • Ransomware, backdoors, persistence, lateral movement
- • Physical intrusion, CCTV, tailgating, or eavesdropping
Allowed (Good-faith) | Prohibited |
|---|---|
|
|
Testing Rules (Quick Matrix)
| Rule | Summary |
|---|---|
| Use test data | Never access real user/medical records; redact any accidental exposure immediately |
| Be non-destructive | Do not disrupt services, degrade performance, or alter data |
| No social engineering | No phishing, vishing, SMiShing, or physical intrusion |
| Limit automation | Respect rate limits; avoid heavy scanning or credential-stuffing |
| Stay in scope | Only ClinicBooking-owned assets listed as in-scope |
Dependencies, SBOM & Third Parties
- We rely on reputable cloud/service providers and track material vulnerabilities affecting core dependencies.
- For enterprise customers, we may share security documentation or a component list/SBOM under NDA where appropriate.
- See our Data Processing Addendum for subprocessors and transfer terms.
Legal Safe Harbor & Disclaimers
Good-Faith Research Safe Harbor. If you comply with this policy, test within scope, avoid accessing/exfiltrating data, and promptly report findings to us, we will not pursue legal action under laws such as the Computer Fraud and Abuse Act (CFAA) or DMCA §1201. We reserve all rights if testing violates this policy or applicable law, or risks harm to users, systems, or data.
- No warranty: We provide this page "as is." Security is never absolute; residual risk remains.
- No bounty promise: Participation does not create an entitlement to payment, employment, or partnership.
- Privacy boundaries: Do not attempt to access PHI/PII; if encountered inadvertently, stop, redact, and notify us.
- Updates: We may update this policy at any time. Continued testing/reporting indicates acceptance of changes.
Security Contact
For vulnerability reports and urgent security matters, email security@clinicbooking.com.
For general support, email care@clinicbooking.com. Corporate inquiries: hello@spyface.com.