Introduction

HealthEquity, Inc. considers information security to be a primary responsibility, one that requires our highest priority. We take the security of our systems seriously, employing secure design and testing practices to protect the confidentiality, integrity, and availability of our applications, data, and systems.

This page is for security researchers who are interested in reporting security vulnerabilities on HealthEquity’s platform. We value the assistance of the security research community and encourage researchers or others to report any potential vulnerabilities in accordance with the guidelines below.

Safe Harbor

We will not pursue legal action against researchers who comply with HealthEquity’s defined responsible disclosure process.

Reward/Compensation

HealthEquity does not operate a bug bounty program and makes no offer of reward or compensation. If you are the first to report a qualifying vulnerability and would like to be included in our Security Researcher Hall of Fame, please provide us with your name and a link for recognition.

Reporting Instructions

To report a potential vulnerability, please:

  • Email us at responsibledisclosure@healthequity.com.

  • Report issues promptly and do not attempt to further exploit the system or its data once you have confirmed and documented the issue.

  • Include a detailed description of the vulnerability: tools utilized, target, processes, and results.

  • Support your findings by attaching any pertinent artifacts used for discovery.

  • Do NOT include any sensitive/personal/non-public data samples; a description of such data is sufficient.

Acknowledgement and Response

When HealthEquity’s Information Security Team receives a report, we will send an acknowledgement within three business days. Request(s) for further information may be sent as needed. After validation/verification of a vulnerability, additional communications will be sent through to resolution.

Timeframe

HealthEquity will not negotiate in response to a threat (e.g., a threat of withholding, or a threat of releasing the vulnerability to the public). However, we will work with you and ask that you allow us a reasonable amount of time for both the validation/verification and the resolution of the vulnerability before taking action to make it public.

External Vulnerability Reporting

Reporting of vulnerability information to other third parties or vendors will be determined at the discretion of HealthEquity.

Responsible Disclosure Guidelines

DO:

  • Do report the vulnerability as quickly as is reasonably possible to responsibledisclosure@healthequity.com, to minimize the risk of hostile actors finding or taking advantage of it.

  • Do provide sufficient information to reproduce the problem, so we will be able to resolve it as quickly as possible. Usually, the IP (Internet Protocol) address or the URL (Uniform Resource Locator) of the affected system and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation.

  • Do limit testing to HealthEquity-owned applications as defined in the ‘In-Scope’ section of this policy.

  • Do remove any non-public or sensitive data from your system that might have been obtained during testing.

DO NOT:

  • Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability, making changes to the system, installing malicious software, or deleting or modifying other people’s data.

  • Do not build your own backdoor into a system, even if the intention is to demonstrate the vulnerability; doing so can cause additional damage and create unnecessary security risks.

  • Do not reveal the problem to others until it has been resolved.

  • Do not use attacks on physical security, social engineering, distributed denial of service, spam, phishing, or applications of third parties.

  • Do not include any sensitive/personal/non-public data samples in your report; a description of such data is sufficient.

In-Scope

All publicly accessible domains, applications, and systems owned by HealthEquity and its subsidiaries.

If you have any other information you would like to provide to our security team, please do so via the Reporting Instructions.

Out of Scope

When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

  • Vulnerabilities that require access to an already compromised user account (unless access to an account exposes other accounts).

  • Policies as opposed to implementations, such as email verification or password length or reuse.

  • Spam (unless a specific vulnerability leads to easily sending spam).

  • Missing security headers or ‘best practices’ (except if you are able to demonstrate a vulnerability that makes use of their absence).

  • Distributed Denial of Service attacks (DDoS).

  • Social engineering attacks.

  • Third-party applications we make use of but do not control (e.g., a media library or social media service).

Security Researcher Hall of Fame

HealthEquity would like to publicly express our gratitude to the following security researchers for responsibly disclosing vulnerabilities and working with us to remediate them. We truly appreciate your remarkable efforts!