Vulnerability Disclosure Program

We take our patients' data security seriously, continuing to implement robust processes for patient safety. Eucalyptus encourages external security researchers to confidentially submit to us their research findings concerning potential security vulnerabilities within Eucalyptus’ systems referred to below. We appreciate the assistance of the security community and by submitting findings to us you agree with the terms and conditions on this page. We will take appropriate steps to review any vulnerability report. We do not provide compensation for reports of potential or verified vulnerabilities. If unsure on any details or whether an item is in scope, please contact security+vdp@eucalyptus.vc.

Scope


We allow you to conduct vulnerability research and testing only on our services and products to which you have authorised access.

This covers the following Eucalyptus domains:

  • eucalyptus.vc
  • eucalyptus.health
  • euc.health
  • euc.studio
  • compound.co
  • compound.health
  • compound.healthcare
  • dcoded.health
  • decodedhealth.co
  • jennycraig.com.au
  • jennycraig.nz
  • kinfertility.com
  • kinfertility.com.au
  • myjuniper.com
  • myjuniper.co.uk
  • myjuniper.jp
  • pilotclinic.jp
  • pilot.com.au
  • skin.software
  • software.skin

Out of scope

  • Clickjacking.
  • Self-exploitation issues (i.e. Self XSS, cookie reuse, self DoS).
  • Missing security headers.
  • Disclosure of known public files or directories.
  • Lack of Secure or HTTP Only flags on non-sensitive cookies.
  • Usage of a known vulnerable library or framework without a valid attack scenario.
  • Automated vulnerability scan reports.
  • Weak or insecure SSL ciphers or certificates.
  • Social engineering or phishing.
  • Denial of Service (DoS) or any availability attacks.
  • Physical attacks.
  • Application or websites controlled by a third party.
  • Accessing or attempting to access accounts or data that does not belong to you.
  • Attempts to modify or destroy data.
  • Exfiltrating any data under any circumstances.
  • Any activity that violates any law.

How to report a vulnerability


To report a vulnerability, email security+vdp@eucalyptus.vc.

Please include as much information as possible, such as:

  • Any Proof of Concept (PoC) or exploit code required to reproduce.
  • Steps to reproduce.
  • Explanation of the vulnerability.

Do not disclose to anyone else the vulnerability that you have reported to us until we have told you that we have investigated and/or mitigated the vulnerability. In particular, do not publish research concerning the vulnerability until we contact you. We will need time to validate your findings, investigate, and if necessary, mitigate the vulnerability.

More information about how Eucalyptus uses personal and other information collected is outlined in our privacy policy.


Next steps


We will:

  • Contact you within five business days of receiving a report if we determine that the report is accurate and in-scope.
  • Tell you when public disclosure can occur (if the reported vulnerability is verified).