Effective Date: 23/05/2025

At CliniciansCheck, we take the security of our systems and data seriously. We are committed to protecting the privacy and safety of our users, partners, clinicians, and patients.

This Vulnerability Disclosure Policy (VDP) provides a legal, structured way for independent researchers and the security community to report potential vulnerabilities responsibly.

1. Scope

This policy applies to:

  • All public-facing systems owned or operated by CliniciansCheck

  • The main website, platform interfaces, APIs, and authentication processes

  • Any digital properties under the Clinicians Check Limited domain

2. Our Commitment

If you report a valid security vulnerability in good faith, we will:

  • Acknowledge your report within 5 working days

  • Investigate the issue promptly

  • Take reasonable steps to resolve it

  • Credit you (with permission) if the issue leads to a fix

We will not pursue legal action against individuals who discover vulnerabilities in accordance with this policy and act responsibly.

3. How to Report a Vulnerability

Please send an email to:

operationsteam@clinicianscheck.com

Include:

  • A detailed description of the vulnerability

  • The URL(s), affected systems, or components

  • Steps to reproduce (e.g., screenshots, code, commands)

  • Your contact details (name, email, optional Twitter or GitHub)

  • Whether you would like public credit for discovery

Please use non-destructive methods and avoid accessing, modifying, or deleting any data that does not belong to you.

4. Responsible Disclosure Guidelines

To ensure responsible coordination:

Do:

  • Report the issue privately before disclosing publicly

  • Allow us reasonable time (typically 90 days) to fix the issue

  • Comply with applicable laws and avoid harming user data

Do not:

  • Exploit the vulnerability

  • Access user data or PII

  • Use automated scanning tools or denial-of-service testing

  • Disclose without consent if the issue hasn't been resolved

5. Out of Scope Vulnerabilities

While all reports are welcome, the following are generally considered out of scope:

  • Clickjacking on static pages

  • Rate-limiting issues without demonstrated impact

  • Missing best practices (e.g., SPF, DMARC) without direct risk

  • Social engineering or phishing against staff or users

6. Legal Safe Harbour

As long as your security research:

  • Is conducted in good faith

  • Avoids data exfiltration or damage

  • Complies with this policy

...then CliniciansCheck will not initiate legal action or involve law enforcement.

7. Policy Updates

This policy may be updated at any time. The current version will always be available on our website. We encourage researchers to check this page regularly for updates.