Vulnerability Reporting Policy
UnitedHealth Group takes the protection of our customer and member data seriously. We are grateful for investigative work into security vulnerabilities that is carried out by well-intentioned, ethical security researchers. We are committed to collaborating with the information security community to investigate and resolve security issues within our web sites, online services, and mobile applications that are reported to us in accordance with this Vulnerability Reporting Policy. If you have information related to potential security vulnerabilities of UnitedHealth Group, UnitedHealthcare or Optum products or services, we want to hear from you.
This program is not intended for submitting complaints about UnitedHealth Group, UnitedHealthcare, Optum, or its subsidiaries’ (hereafter referred to as “UnitedHealth Group”) services or products, or for inquiries regarding the availability of company web sites or online services.
The following types of vulnerabilities are out of the scope for this program:
- Volumetric vulnerabilities (e.g., Denial of Service or Distributed DoS);
- Reports of non-exploitable vulnerabilities and violation of “best practices” (e.g. missing security headers);
- Transport Layer Security (TLS) configuration weaknesses (e.g., support for “weak” cipher suites);
- Fingerprinting/banner disclosure on common/public services;
- Self-cross-site scripting (XSS);
- Internal IP disclosure;
- Cross-site request forgery (CSRF);
- Un-exploitable HTTP Methods (e.g., OPTIONS or HEAD);
- Error-messages with non-sensitive data; and
- Lack of secure/HTTP-only flags on non-session cookies.
UnitedHealth Group may at any time update this policy, including the foregoing list of out-of-scope vulnerabilities.
Reporting a Vulnerability
If you have discovered an issue that you believe is an in-scope vulnerability, please email VulnerabilityReporting@optum.com. Please include the following, as applicable:
- A detailed description of the vulnerability
- The full URL
- A Proof of Concept (POC) or instructions (e.g. screen shots, video, etc.) to reproduce the vulnerability or steps taken
- Entry fields, filters, or other objects involved
- Risk or exploitability assessment
- Instructions for how to reach you with follow up questions
Offering a solution is encouraged but not required. Lack of detailed vulnerability explanation may result in delays in our response and subsequent potential actions on the finding.
UnitedHealth Group does not currently offer a bug bounty program. However, we appreciate the efforts of security researchers who take time to investigate and report security vulnerabilities to us in accordance with this policy.
What to Expect
Upon receipt of the vulnerability report, UnitedHealth Group may send an automated response as acknowledgement. UnitedHealth Group may contact reporter(s) if additional information is needed to assist with the investigation. For the security of our customers, UnitedHealth Group will not disclose, discuss, or confirm security issues.
In order to protect our customers, UnitedHealth Group requests security researchers not post or share any information about a potential vulnerability in any public setting until we have researched, responded to, and addressed the reported vulnerability and informed customers and stakeholders as needed. The time to address a valid, reported vulnerability will vary based on impact of the potential vulnerability and affected systems.
This policy prohibits the performance of the following activities:
- Hack, penetrate, or otherwise attempt to gain unauthorized access to UnitedHealth Group software or systems;
- Active vulnerability scanning or testing;
- Disclose or use any proprietary or confidential UnitedHealth Group information or data, including customer data; or
- Adversely affect the operation of UnitedHealth Group software or systems.
Security researchers must not violate any law, or access, use, alter or compromise in any manner any UnitedHealth Group data.
If you have any questions regarding this policy or the guidance above, please contact our security team for guidance: VulnerabilityReporting@optum.com.
Vulnerability: A weakness in the design, implementation, operation or internal control of a process that could expose the system to adverse threats from threat events.
Denial of Service (DoS): An attack on a service from a single source that floods it with so many requests that it becomes overwhelmed and is either stopped completely or operates at a significantly reduced rate.
Distributed Denial of Service (DDoS): An attack on a service from multiple compromised computer systems that floods it with so many requests that it becomes overwhelmed and is either stopped completely or operates at a significantly reduced rate, thereby denying service to legitimate users or systems.
Transport Layer Security (TLS): A protocol that provides communications privacy over the Internet. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery.
Self-Cross-Site Scripting (XSS): A social engineering attack to gain control of a victim's web accounts via the victim unknowingly running malicious code on their own web browser.
Cross-Site Request Forgery (CSRF): A type of malicious exploit of a web site where unauthorized commands are transmitted from a user that the web site trusts. This is also known as a one-click attack or session riding.
The effective date of this policy is April 1, 2019.