Keeping Teladoc Health’s solutions secure
Have you discovered a security vulnerability in a Teladoc Health solution? Our Responsible Disclosure Process encompasses all Teladoc Health solutions, which include the following Teladoc Health brands or domains: Teladoc Health; BetterHelp; BetterSleep; BestDoctors; myStrength; HealthiestYou; InTouch Health; Livongo; MédecinDirect; and VisitNow.
Teladoc Health’s cybersecurity team welcomes reports concerning vulnerabilities or security flaws in our services, such as the following:
- Weaknesses in mobile applications
- Insecure connections with Teladoc Health services
- Code injection attacks
How to report a security issue
Please share your findings directly with Teladoc Health by submitting them to [email protected].
When reporting, please only provide one finding per report and clearly outline how the security flaw could be exploited. Provide pertinent details, including screenshots and a step-by-step explanation of the potential flaw. Please remember to include the exact date, time, and context of the vulnerability.
Compensation
Teladoc Health does not provide compensation for finding security vulnerabilities in its solutions. However, we are open to making recommendations to acknowledge meaningful contributions to Teladoc Health’s security.
What to report
Please follow the guidance below when reporting:
- Once you've established that a vulnerability exists or encountered any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), cease testing, and do not disclose this data to anyone else.
- Notify us promptly after discovering a real or potential security issue.
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
- Only use exploits to the extent necessary to confirm the presence of a vulnerability. Avoid compromising or exfiltrating data, establishing persistent command line access, or using the exploit to pivot to other systems.
- Provide us with a reasonable amount of time to resolve the issue before disclosing it publicly.
- Avoid submitting an excessive volume of low-quality reports.
- The test methods below are not authorized, and evidence of such activities will be investigated and addressed in accordance with Teladoc Health policies and procedures:
  - Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data.
  - Physical testing (e.g. office access, open doors, tailgating), social engineering (e.g. phishing, vishing), or any other non-technical vulnerability testing.
If the Teladoc Health cybersecurity team has any questions, you will be contacted using the contact details you provide. Teladoc Health will work internally to address valid findings.
What to expect from us
- If you provide your contact information, we commit to coordinating with you as openly and as quickly as possible.
- Within 3 business days, we will acknowledge the receipt of your report.
- To the best of our ability, we will confirm the vulnerability’s existence and, when appropriate, share the remediation process.