Vulnerability Disclosure Program

Introduction

Star Health and Allied Insurance Company Ltd (Star Health) is committed to safeguarding our customer information and ensuring the security of our systems. This policy is intended to give security researchers a clear guideline for conducting vulnerability discovery activity and to convey our preferences for how discovered vulnerabilities should be submitted.

If an External Security Researcher (Researcher) discloses, in good faith, a potential vulnerability in our systems, Star Health can work with them to prioritize remediation and secure our IT environment. Such Researchers may be rewarded with a Bug Bounty, solely at the discretion of Star Health, for corroborating the potential vulnerability and addressing the issue responsibly.

 

Definition 

“Research” means activities in which the Researcher notifies Star Health as soon as possible regarding a real or potential security issue.

“Researcher” is a person (“external security researcher”) who reports a vulnerability to Star Health in good faith.

 

Eligibility and Responsible Disclosure

Persons disqualified from the Program – a Researcher cannot be:

  • An employee of Star Health;
  • An employee of a contractor/vendor of Star Health or its subsidiaries or affiliates;
  • A contractor/vendor/intermediary of Star Health or its subsidiaries or affiliates;
  • A family member of an employee of Star Health or its subsidiaries, affiliates or group companies (defined for these purposes as including spouse, domestic partner, parent, legal guardian, legal ward, child, sibling, and individuals living in the same household).

 

Security researchers shall: 

  • Sign a non-disclosure agreement (NDA) with Star Health and be bound by its provisions.
  • Cease testing and notify Star Health immediately upon discovery of a vulnerability.
  • Cease testing and notify Star Health immediately upon discovery of an exposure of any data.
  • Purge all data pertaining to Star Health and its customers stored in their systems upon reporting a vulnerability and certify the same in writing to Star Health.
  • If the Researcher inadvertently accesses any Star Health customer data or any other Star Health data without consent while investigating an issue, the Researcher must promptly cease any activity that might result in further access to the customer data or Star Health data and immediately notify Star Health of the information that was accessed (including a full description of its contents). The Researcher shall in such cases acknowledge the inadvertent access in the Program report that the Researcher subsequently submits.
  • View or store Star Health’s data only to the extent necessary to document the presence of a potential vulnerability.

 

Security researchers shall not: 

  • Stress test any systems,
  • Disclose vulnerability information; it must be kept confidential,
  • Engage in physical testing of facilities or resources,
  • Engage in social engineering,
  • Send unsolicited electronic mail to Star Health users or customers, including “phishing” messages,
  • Execute or attempt to execute “Denial of Service” or “Resource Exhaustion” attacks,
  • Introduce malicious software,
  • Test in a manner which could degrade the operation of Star Health’s systems, or intentionally impair, disrupt, or disable Star Health’s systems,
  • Interfere with, access, modify or control the IT infrastructure, including servers, websites, applications, etc.,
  • Test third-party applications, websites, or services that integrate with or link to or from Star Health’s systems,
  • Delete, alter, share, retain, or destroy Star Health’s data, including but not limited to downloading sensitive and personal data of customers, or render Star Health’s data inaccessible,
  • Use an exploit to exfiltrate data, establish command line access, or establish a persistent presence on Star Health systems,
  • Interact with an individual account (including modifying or accessing data from the account) without the account owner's explicit consent in writing,
  • Violate any laws or regulations, including but not limited to the Digital Personal Data Protection Act, 2023 (DPDPA), the regulations of the Insurance Regulatory and Development Authority of India (IRDAI), the Information Technology Act, 2000 (IT Act) or any other prevailing or future laws,
  • Exploit any security issue, including any vulnerability that the Researcher discovers, for any purpose other than testing,
  • Publish, reproduce or replicate any findings in the public domain without the explicit written consent of Star Health.

 

Vulnerability Reward Program 

As part of Star Health’s Vulnerability Reward Program (VRP), Star Health may recognise the efforts of Researchers who have responsibly helped Star Health in ascertaining vulnerabilities in Star Health’s IT infrastructure. Recognition in the form of a Monetary Bounty (Bounty) will be at the discretion of Star Health, based on risk, impact, number of vulnerable users, and other factors, on a case-by-case basis.

To be considered for the VRP, the following requirements must be fulfilled by the Researcher:

  • Adhere to the Eligibility and Responsible Disclosure guidelines specified above.
  • Identify a vulnerability in Star Health’s IT environment which would pose a security or privacy risk and report such vulnerabilities to Star Health upon discovery or as soon as is feasible.
  • Report only security bugs involving the products or services listed under “In Scope Vulnerabilities” below; products or services listed under “Out of Scope Vulnerabilities” are excluded.
  • Do not use automated scanners to scan Star Health’s web applications, as this will result in IP blacklisting.
  • Submit all queries for clarification to Star Health before engaging in any action inconsistent with, or not addressed by, the above-mentioned guidelines.

 

Star Health shall follow the following guidelines while evaluating reports:

  • Star Health shall investigate and respond to well-founded reports.
  • Star Health reserves the right to publish reports (and accompanying updates).
  • Star Health shall ensure that the Bounty is awarded as per applicable laws and is paid only in compliance with applicable sanctions laws.

 

In Scope Vulnerabilities  

Domain *.starhealth.in  

Android: Play Store Star Health owned android applications  

iOS: App Store Star Health owned iOS applications   

  • Cross-Site Scripting (XSS), including Stored XSS, where an attacker stores malicious script in the data sent through a website's search or contact form.
  • NoSQL/SQL Injection allows attackers to inject code into database queries or commands, including for databases that don't use SQL queries, such as MongoDB.
  • XML External Entity (XXE) injection abuses custom XML entities whose values are loaded from outside the DTD in which they are declared.
  • Insecure JSON Deserialization is passing manipulated serialized objects that the application interprets, leading to control of the application.
  • Remote Code Execution allows an attacker to remotely execute malicious code on a computer.
  • Server-Side Request Forgery involves an attacker abusing server functionality to access or modify resources.
  • Cross-Site Request Forgery allows an attacker to induce users to perform actions that they do not intend to perform.
  • Broken Authentication aims to take over one or more accounts, giving the attacker the same privileges as the attacked user.
  • Privilege Escalation is the act of exploiting a bug, a design flaw, or a configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user.
  • Business Logic Flaws are flaws in the design and implementation of an application that allow an attacker to elicit unintended behavior.
  • Misuse/Unauthorized use of our APIs refers to mishandling APIs, gaining unsanctioned access, or modifying key functions.
  • Leaking customers' sensitive data.

Out of Scope Vulnerabilities – Web Applications  

  • Issues related to software/applications not under Star Health’s control or owned by any third party
  • Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)  
  • Missing security headers which do not lead directly to a vulnerability  
  • Clickjacking without an impact  
  • Text Injection/HTML Injection  
  • Broken Session Flaws  
  • Known-vulnerable library (without evidence of exploitability)  
  • Spam & rate limiting  
  • SSL/TLS protocol vulnerabilities  
  • Best practice concerns will be reviewed, but in general, we require evidence of exploitability  
  • Vulnerabilities only affecting users of outdated or unpatched browsers and platforms   
  • Brute force that doesn’t lead to any bypass/disclosure
  • Social engineering attacks  
  • Username/Mobile Number enumeration  
  • Any activity that could lead to the disruption of our service (DoS/DDoS)  
  • Private IP/Non-customer email ID disclosure  
  • Any other non-exploitable vulnerabilities  

Out of Scope Vulnerabilities - Android Applications  

  • Absence of certificate pinning  
  • Sensitive data stored in app private directory (which cannot be accessed by any other application)  
  • User data stored unencrypted on external storage  
  • Lack of binary protection control in android app  
  • Shared links leaked through the system clipboard  
  • Any URIs leaked because a malicious app has permission to view URIs opened  
  • Sensitive data in URLs/request bodies when protected by TLS  
  • Crashes due to malformed Intents sent to an exported Activity/Service/Broadcast Receiver (exploiting these for sensitive data leakage is commonly in scope)

Out of Scope Vulnerabilities - iOS Applications  

  • Absence of certificate pinning  
  • Lack of exploit mitigations, i.e., PIE, ARC, or stack canaries
  • Path disclosure in the binary  
  • User data stored unencrypted on the file system  
  • Lack of binary protection (anti-debugging) controls  
  • Lack of jailbreak detection   

 

Submitting a security issue / vulnerability   

The Researcher, before submitting a vulnerability report to Star Health, must read these guidelines and send an email to csirt@starhealth.in, preferably with “Security Issue – External Security Researcher” in the subject line. Once Star Health receives the report, Star Health’s security team will investigate the issue(s) and will respond to the Researcher at the earliest with a triage of the issue and/or any additional requests for clarification. Due to the high volume of reports, Star Health may require some additional time to respond. The Researcher can expect a response within 24 to 48 hours.

Star Health shall try to keep the Researcher informed about the progress of the Researcher’s report throughout the process.

 

Summary   

  • The Researcher should responsibly disclose the vulnerabilities identified to Star Health. If in doubt, contact Star Health (csirt@starhealth.in) before engaging in any activity which, in the Researcher's view, may go outside the scope of this policy.
  • Both identifying and non-identifying information may put the Researcher at risk; therefore, Star Health may limit the sharing of such information with third parties. Star Health may provide non-identifying substantive information from the Researcher’s report to an affected third party only after informing the Researcher. Identifying information (name, email address, phone number, etc.) shall be shared with a third party only after obtaining written permission from the Researcher.
  • Star Health may share the Researcher’s report or personally identifiable information without obtaining prior consent:
    • if disclosure is requested or required by law or by any court, governmental agency or authority, or for the prevention, detection or investigation of offences (including cyber incidents), or for their prosecution and punishment;
    • to our statutory and other auditors, regulators, vendors engaged by Star Health for information technology and cyber security, and Star Health’s group companies, affiliates and subsidiaries.