HotDoc

  • $50 – $8,000 per vulnerability
  • Partial safe harbor

Clinic User Privilege Escalation and XSS are now out of Scope

Effective immediately, the following are now out of scope:

  • Clinic User privilege escalation - we're aware of broken authorization which allows "Receptionist" Clinic Users to interact with products they cannot see in the UI via the API directly
  • Cross-Site Scripting - we're aware of a bug in our user-input validation logic which allows for some Cross-Site Scripting attacks, both from Clinic User to Clinic User and Clinic User to Patient User

Please re-review the bounty brief in detail and adjust your testing and all scanners accordingly, so that you are only testing and submitting in-scope bugs. Any pending submissions made before the out-of-scope changes will be reviewed and processed accordingly.

If you have any questions about the change in scope, please reach out to support@bugcrowd.com.