At TraceLink, we recognize the mission-critical nature of our software and our responsibility as custodians of our customers' information. We are fully committed to the security of our products and the protection of the data entrusted to us. By ensuring robust security measures, we help safeguard the integrity of the supply chain, ultimately supporting the delivery of the highest quality care to the patients our customers serve.
Authorization (Safe Harbor)
Good faith efforts to comply with this policy during research will be considered authorized research. Our commitment to the researcher is to understand the issues being reported and work to resolve the issue in a timely manner. Authorized research will not result in pursuing legal action, provided such authorized testing complies with the guidelines set forth herein.
Guidelines (Scope)
Research activities are required to:
- Notify TraceLink as soon as possible after discovering a real or potential security issue, or after discovering exposure of non-public data.
- Be actively seeking to avoid privacy violations, degradation of user experience, disruption of systems, and destruction or manipulation of non-test data.
- Be genuine security research and not findings directly originating from automated scanning tools.
- Be targeted against Validation or iTest environments where applicable. No Production environment should be used as the target for research activities (Please see scope below for associated URLs).
- Be obtainable through public means. No additional access will be provided to any individual for research activities beyond what such individual is able to access by self-enrolling.
Scope
| Application | URLs |
| OPUS Platform and Applications | (API) val-opus.tracelink.com |
| Track & Trace Services | (API) itestapi.tracelink.com (API) itestapi.eu1.tracelink.com |
| TraceLink Product SSO | sso.tracelink.com |
| Corporate Website | www.tracelink.com |
Out-of-Scope Vulnerabilities:
- Username / Email Enumeration
- Concurrent User Sessions
- Email Spoofing / SPF, DKIM or DMARC configuration
- Social Engineering
- Brute Force Attacks
- Denial of Service Attacks
- Missing cookie flags
- Missing security headers
- CORS misconfiguration against functionality without security impact
- Cross-site Request Forgery against non-sensitive functionality
- Presence of autocomplete attribute on web forms
- Reverse Tabnabbing
- Clickjacking without proven impact/unrealistic user interaction
- HTTP Request smuggling without security impact
- Banner grabbing/Version disclosure
- Verbose messages/files/directory listings without disclosing any sensitive information
- Third-party library vulnerabilities with no impact to TraceLink applications
- Automated Scanner Reports
- GrahpQL Introspection
- Weak Cipher without Exploitability
Reporting (Process)
Send an email to security-alerts [at] tracelink.com (security-alerts[at]tracelink[dot]com)
Reports containing sensitive information or non-public data exposure must be encrypted using the below GPG public key. Critical or high severity reports may also be encrypted using the following key.
https://www.tracelink.com/pgp-key.txt
Report Structure
Reports need to contain a detailed understanding of the vulnerability for TraceLink to properly validate. This should include the following information at a minimum:
- Description of Vulnerability
- Steps to Reproduce the Finding
- OWASP Risk Rating or CVSS (v3.1 or higher) Score and Metric Values
If steps to reproduce are not accurate or produce a different result than the description, additional details may be required. Arbitrary severity rating without one of the two mentioned risk rating methodologies will be treated as an Informational severity issue.
Disclosure
Disclosure of issues related to security research against TraceLink products must be in coordination with the TraceLink teams. This process will be handled in-line, with the reporting of the vulnerability, and following the confirmation of an issues remediation, a researcher may request the approval to publicly disclose the vulnerability, however the researcher must provide a copy to TraceLink for approval prior to any such release.
Acknowledgement
Acknowledgement may be provided to the security researcher in the form of a Letter of Gratitude for high and critical severity issues as determined by TraceLink. TraceLink Security will maintain internal tracking to provide validation in the event of seeking to utilize this letter for validation of security research expertise and experience.
TraceLink does not currently offer monetary awards or bounties for vulnerabilities.
Questions
Any questions or clarification needed with respect to this policy must be directed to security-alerts [at] tracelink.com (security-alerts[at]tracelink[dot]com). The lack of clarity around any directive mentioned in this policy must be addressed prior to any research activities.