Vulnerability Disclosure Policy (VDP)

Introduction

The SWICA Health Organisation is one of the leading health and accident insurance companies in Switzerland.

This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities and to convey our preferences in how to submit discovered vulnerabilities to us.

If you start with any action or research related to disclosing vulnerabilities of our systems we will assume that you have read and accepted this policy in advance. We also provide you with the following link where you can find this policy and more information about vulnerability disclosure testing if you have found this document elsewhere: https://www.swica.ch/.well-known/security.txt.

This policy describes what systems and types of research are covered under this policy, how to send us vulnerability reports, and how long we ask security researchers to wait before publicly disclosing vulnerabilities.

We encourage you to contact us to report potential vulnerabilities in our systems.

Safe Harbor

Before participating, we advise you to check the legal situation in your country and ensure that it is permitted to participate in our VDP.

If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized and we will work with you to understand and resolve the issue quickly.
SWICA acknowledges that activities of participants who comply with this policy may still potentially conflict with certain provisions of the Swiss Criminal Law (StGB), including Articles 143, 143bis, and 144bis. However, we commit to interpreting such activities as authorized access within the scope of our organization's systems and data. We will not pursue legal action against security researchers who adhere to this policy and will advocate on their behalf should legal issues arise.
Should legal action be initiated by a third party against you for activities that were conducted in accordance with this policy, we will make this authorization known.

Note that the Safe Harbor applies only to legal claims under the control of the organization participating in this policy, and that the policy does not bind independent third parties.

Guidelines

Under this policy, “research“ means activities in which you:

• Notify us as soon as possible after you discover a real or potential security issue.
• Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
• Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.
• Provide us a reasonable amount of time to resolve the issue.
• Do not submit a high volume of low-quality reports.

Once you’ve established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.

Confidentiality obligations

You acknowledge that by participating in the SWICA VDP you are subject to contractual and legal confidentiality obligations. You are obliged to keep any sensitive data confidential that you may discover when participating in the SWICA VDP, in particular information about the vulnerability, the exploitation technique and critical data (e.g client identifying data, other personal data, business and trade secrets or any security related critical data). You are not allowed to publish, distribute, copy or disclose any information about the vulnerability and the exploitation technique or critical data to third parties. You are also not allowed to download critical data with that intent or to use critical data to your personal advantage. The obligation to maintain confidentiality continues to exist after your participation at the SWICA VDP.

If you access and store critical data during the discovery of the vulnerability on the infrastructure you use, you must permanently delete it, immediately after submitting your report. You must not include any critical data in your report.

Once SWICA communicated to you that the vulnerability has been fixed, you are allowed to publish high-level descriptions of the vulnerability. This does not include the disclosure of critical data.

Exemptions

SWICA doesn’t permit the following types of test methods:

• Destroying or corrupting, or attempting to destroy or corrupt, data or information that does not belong to you
• Social engineering our employees, customers or contractors
• Social engineering (e.g. phishing, vishing), or any other non-technical vulnerability testing
• Physical testing (e.g. office access, open doors, tailgating)
• Performing any kind of DoS/DDoS (Denial of Service) or resource-exhaustion attacks
• Automatic reports without further manual verification

Scope

• www.swica.ch
• www.sante24.ch

Any service not expressly listed above, such as any connected services, are excluded from scope and are not authorized for testing. Additionally, vulnerabilities found in systems from our vendors fall outside of this policy’s scope and should be reported directly to the vendor according to their disclosure policy (if any). If you aren’t sure whether a system is in scope or not, contact us at security-vdp@swica.ch before starting your research.

Out of Scope

Certain parts of our systems, infrastructure and/or services are provided by other companies. If you should find a vulnerability or security gap in these systems / areas or services. We kindly ask you to inform the relevant entity. However, the owner of the affected IT system remains responsible for the system and possible remedial measures.

Reporting a vulnerability

Information submitted under this policy will be used for defensive purposes only – to mitigate or remediate vulnerabilities. If your findings include newly discovered vulnerabilities that affect all users of a product or service and not solely SWICA, we may share your report with the Swiss National Cyber Security Center (NCSC), where it will be handled under their coordinated vulnerability disclosure process. We will not share your name or contact information without express permission.

We accept vulnerability reports via security-vdp@swica.ch. Reports may be submitted anonymously. If you share contact information, we will acknowledge receipt of your report.

Please use our PGP Key for your submissions whenever possible.

By submitting a report, you acknowledge that you submit your report without any expectation or request for any reward or financial benefit.

What we would like to see from you

To help us triage and prioritize the reports, we recommend that the submitted report includes the following points and follows the structure below:

• Affected system (URL, affected function)
• Type of vulnerability (e.g. SQL injection)
• Steps for reproduction (incl. proof of concept or screenshots, if possible)
• Risk assessment (potential impact, CVSS score if available)
• Date & time of discovery
• Environment details (browser, OS)
• Contact information (optional for follow-up questions)
• Written in the language German or English

What can you expect from us

When you choose to share your contact information with us, we commit to coordinating with you as openly and as quickly as possible.

• We will acknowledge as soon as possible, that your report has been received.
• To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about what steps we are taking during the remediation process, including on issues or challenges that may delay resolution.
• We will maintain an open dialogue to discuss issues.

 

V1.0