Last updated September 2023
THIS IS A LEGAL AGREEMENT. PLEASE READ THESE COORDINATED VULNERABILITY DISCLOSURE PROGRAM TERMS (“TERMS”) CAREFULLY. BY CHOOSING TO SUBMIT A POTENTIAL REPORT OF A SECURITY VULNERABILITY, YOU ARE INDICATING YOUR AGREEMENT TO BE BOUND BY THESE TERMS. IF YOU DO NOT AGREE TO THESE TERMS, YOU MAY NOT SUBMIT A REPORT. IF YOU ARE SUBMITTING A REPORT ON BEHALF OF YOUR EMPLOYER, YOU REPRESENT YOU HAVE AUTHORITY TO BIND YOUR EMPLOYER TO THESE TERMS. IN THAT CASE, ALL REFERENCES TO “YOU” WILL BE DEEMED TO INCLUDE YOUR EMPLOYER.
These Terms are subject to and governed by the Terms and Conditions of Use Policy and any additional or unique terms of use described for other Mayo Properties (as defined below). By submitting a report or by accessing or using any of the foregoing properties, you are indicating your agreement to be bound by those Policies and additional terms. Nothing in these Terms grants you the right to exceed the authorized uses or violate the restrictions permitted in those Policies and additional terms.
You may print a copy of these Terms using the print feature in your browser. You should be aware, however, that we may revise these Terms at any time, and by your submission of any later report, you are indicating your agreement to be bound by future revisions.
Introduction
Mayo Clinic (“Mayo Clinic” or “We”) takes information security issues seriously and welcomes feedback from researchers to improve the security of our products and services. We operate this coordinated disclosure program (the “Program”) to handle reports of security vulnerabilities and data disclosure issues.
We value those who take the time and effort to report security vulnerabilities according to these Terms. However, we do not operate a bug-bounty program, and we do not offer compensation (including monetary rewards), attribution, or recognition for vulnerability reports.
We may elect at any time, without notice and in our sole discretion, to modify or discontinue the Program.
Acceptable use
The Program is designed to be compatible with responsible disclosure practices for cybersecurity issues. However, it is essential that you follow all applicable laws, including anti-hacking and computer security laws, and engage in good faith while participating in the Program and conducting your security research.
If at any time you have concerns or are uncertain whether your security research is consistent with the Program, please submit a report through our official reporting email before going any further.
Conducting security research may cause harm, including downtime, to systems and networks under review. Unless specifically pre-approved in writing by an authorized representative of Mayo Clinic, you are responsible for all damages and harm resulting from your activities. Nothing in these Terms relieves you of liability for damage or harm caused to third-party systems and networks. Conduct all security research activities with all due care. Given the sensitivity of the information that may be gained by your security research of Mayo Properties (as defined below), any information obtained, including the content of any report you submit, must be held in strictest confidence by you unless and until Mayo Clinic makes the resolved vulnerability public, as described below. Any other disclosure of the information will be deemed a breach of these Terms.
You may never remove employee, patient, or other personal data from Mayo Properties. Doing so will be deemed a breach of these Terms.
Scope
These Terms and the Program apply to any application, website, subdomain, software, or device manufactured by, owned, operated, or maintained by Mayo Clinic or its agents (collectively, “Mayo Properties”). They also apply to potential vulnerabilities, exposed data, or other information security issues that may affect any of the Mayo Properties.
An acceptable report includes vulnerabilities which meet the following conditions:
- They are valid, clearly explained, have not been previously reported, have not already been discovered by our own internal procedures, and have not been mitigated by other controls.
- It can be demonstrated that there would be a real impact on Mayo Clinic, its patients, users, products or services and/or Mayo Properties, should the vulnerability reported be exploited by a malicious actor. The existence of a theoretical or unexploitable vulnerability does not necessarily demonstrate that a potential impact exists.
The following security issue reports are not in scope and will not be accepted:
- The results obtained from a scraper, crawler, spider, robot, or other automated scanner/tool.
- Reports indicating that our services may not align with industry “best practices.”
- Denial of Service (DoS) vulnerabilities exploitable by overwhelming a service with a high volume of requests.
- Social engineering.
- Self-XSS, CSRF, or CRLF attacks where the resulting impact is minimal.
Reporting
To report disclosures of Protected Health Information (PHI), review patients' privacy rights and Mayo Clinic's privacy practices outlined in the “Notice of Privacy Practices.”
If you have discovered a potential issue which you believe is an in-scope security vulnerability or non-PHI data disclosure, please email securitydisclosure@mayo.edu from a generally accepted email service and include the following information:
- The website, page, IP address, application, or device in which the vulnerability exists.
- A brief description, including the class (e.g., XSS vulnerability) and perceived impact of the vulnerability. Please avoid including details which would allow reproduction of the issue during this step.
We will review and may reply to credible submissions using a secure email encryption service requesting additional information such as:
- A detailed explanation of the vulnerability, including steps to reproduce the issue, browser/OS and/or application version used during testing. Also include non-destructive proof of concept code, payloads, and/or proof of exploitation where possible but do not include sensitive information in any submission (e.g., patient identifying information).
What to expect
When the report has been submitted, we will make every effort to respond promptly. After receiving any additional information, we intend to triage the valid submission to determine if the reported potential vulnerability has been previously identified, its potential impact, and if mitigations exist. From this point, necessary remediation work will be assigned to the appropriate Mayo Clinic teams and/or vendor/suppliers.
We will notify you when the reported vulnerability is remediated, and you may be invited to confirm that the solution covers the vulnerability adequately. Once the vulnerability has been resolved, and if you wish to disclose your report, you must coordinate with Mayo Clinic prior to releasing a public notification of any verified vulnerability, if applicable.
You must always comply with data protection laws and regulations and refrain from infringing on the privacy of Mayo Clinic users, staff, contractors, products, or services. For example, you must not share, redistribute, or fail to adequately secure data that you retrieved from our products or services. Additionally, you must securely delete all data obtained during your research as soon as it is no longer required or within one month of the resolution of the vulnerability, whichever occurs earlier, unless data protection laws require otherwise.