Vulnerability Disclosure Policy


Thyrocare is India's first fully automated diagnostic laboratory with a focus on providing quality at affordable costs to laboratories and hospitals in India and other countries. Thyrocare operates with a Central Processing Laboratory (CPL) in Mumbai - India for esoteric tests; and Regional Processing Laboratory in major metro cities of India. We have focused on strong technologies, strong brands and strong systems that enable us to give our clients the best of science and technology at an affordable cost.

Vulnerability Disclosure Policy


If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized. We will work with you to understand and resolve the issue quickly and Thyrocare will not initiate or recommend legal action related to your research.

Program Guidelines

  • Do not cause harm to Thyrocare, our customers, our business partners, our affiliates, or others;
  • Do not conduct social engineering, including the use of spear phishing tactics, of Thyrocare personnel, clients, customers, business partners or contractors.
  • Do not impact the integrity or availability of any systems or users or the operation of our applications, systems or services, including through any type of brute force attacks, any types of denial of service attacks, destruction of data, and interruption or degradation of our services;
  • Do not publicly disclose or share with a third party any potential vulnerabilities reported under this program without receiving our express written authorization in accordance with the confidentiality provision below.
  • Do not compromise the privacy or safety of our employees, customers, or users.
  • Do provide a clear fact-based description of the vulnerability, including the target, steps, tools, and artifacts used during discovery (the detailed summary will allow us to reproduce the vulnerability). Please include a description and explanation of the security issue identified and proof of concept (if applicable)
  • Do not alter, remove, or upload files in any situation and/or part of any remote code execution (RCE) exploit. Do not read sensitive system files or modify file permissions in any situation. Furthermore, you are not permitted to interact with the underlying OS or services or any other components such but not limited to databases, jump servers, application servers, etc.
  • Thyrocare does not participate in compensated bug bounty awards at this time;
  • Thyrocare may choose to disregard submissions by parties who submit a high volume of low quality, incomplete, and/or non- actionable reports;
  • Do comply with all applicable laws.


In Scope

Web properties owned by Thyrocare, specifically

If you encounter any of the below on our systems while testing within the scope of this policy, stop your test and notify us immediately

  • Personally identifiable information
  • Financial information (e.g., credit card or bank account numbers)
  • Proprietary information or trade secrets of companies, partners or vendors.
  • If the identified vulnerability can be used to potentially extract sensitive information related to customers or internal systems, or impact our ability to function normally, then stop your test and notify us immediately. This is absolutely essential for us to consider your disclosure a responsible one. We may take legal recourse if the identified vulnerabilities are exploited for unlawful gains or getting access to restricted customer or system information or impacting our systems.

Out of Scope

  • Clickjacking on pages with no sensitive actions.
  • Unauthenticated/logout/login CSRF.
  • Attacks requiring MITM or physical access to a user's device.
  • Previously known vulnerable libraries without a working Proof of Concept.
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.
  • Missing best practices in SSL/TLS configuration.
  • Any activity that could lead to the disruption of our service (DoS or DDoS).
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
  • Physical or social engineering attempts (this includes phishing attacks against EG employees).
  • Disclosure of known public files or directories.
  • Use of outdated software
  • Reports from automated tools or scans.
  • Mail configuration issues including SPF, DKIM, DMARC settings.
  • Any services not expressly listed In Scope, such as the ones listed below are excluded from scope.

  • Connected Services
  • Partner Endpoints
  • Vendor Endpoints
  • Delivery Endpoints
  • Warehouse Endpoints
  • 3rd Party Applications

Reporting an issue

Vulnerabilities discovered on our systems while testing within the scope of this policy can be reported by emailing it to [email protected] Please ensure that the following information is available when submitting a vulnerability report.

  • Description of the location and potential impact of the vulnerability. Please include any CVEs (Common Vulnerabilities and Exposures) when available.
  • A detailed description of the steps required to reproduce the vulnerability. Proof of concept (POC) scripts, screenshots, and screen captures are all helpful. Please use extreme care to properly label and protect any exploit code.
  • Any technical information and related materials we would need to reproduce the issue.
  • If possible please include the contact details (email, mobile number) to let our Security team reach out to you for any clarifications.

Note that reports that include only crash dumps or other automated tool output will not be accepted.

Please keep your vulnerability reports current by sending us any new information as it becomes available. We may share your vulnerability reports with any affected partners, vendors or open source projects.


Thyrocare does not have a bounty/cash reward program for vulnerability disclosures, but we express our gratitude for your contribution in different ways. For genuine ethical disclosures, we will gladly acknowledge your contribution publicly in this section of our website. Of course, this will only be done if you want a public acknowledgement.

Eligibility for Hall of Fame

  • Must be the first person to responsibly disclose the vulnerability
  • Vulnerability discovered must be found when testing within the scope of this policy
  • Reported vulnerability significantly impacts security and integrity of Thyrocare products or impacts the privacy of customer or partner data.
  • Vulnerabilities are rated Critical, High, Medium and low, Only vulnerabilities rated Critical and High are eligible for the Hall of Fame.