HotDoc

  • $50 – $8,000 per vulnerability
  • Partial safe harbor

HotDoc still has unclaimed bonuses!

Happy New Year all!

In December, we announced a bonus reward program for finding vulnerabilities in our new Authentication and Invitation features. This bonus is still unclaimed!

All the details are below, but, in short, if you can find a P1, P2 or P3 vulnerability in any of the Clinic User Authentication, User Inviting or User Switching features, there's more money to be made!

Good luck everyone!


Update Invitation Flow

What's this feature about?

Managers are now able to invite a user to multiple clinics with Dashboard Only access level.

How does it work on the Dashboard?

A manager can invite a user with Dashboard Only access to multiple clinics, either by selecting specific clinics or by choosing all the clinics the manager has access to. See "How to add a new user account for Dashboard Switching" in the dashboard user switching support article for the steps to invite a user to multiple clinics.

How does it work?

For a manager who has access to multiple clinics, the Dashboard allows them to invite other users to multiple clinics by making these requests:

Invite the user to every clinic the manager has access to:

curl 'https://bugcrowd.hotdoc.com.au/api/dashboard/clinic_user_accesses' \
  -H 'acting-for: 3770' \
  -H 'authorization: Token token=#{authentication_token}, email=#{email_of_manager}' \
  -H 'content-type: application/json' \
  -H 'accept: application/au.com.hotdoc.v3' \
  --data-raw '{"clinic_user_access":{"access_level":"dashboard_only","email":"#{email_of_new_user}","clinic_ids":[],"can_manage_clinic_user_accounts":#{boolean},"invite_to_all_clinics":true}}'

Invite the user to a specific set of clinics:

curl 'https://bugcrowd.hotdoc.com.au/api/dashboard/clinic_user_accesses' \
  -H 'acting-for: 3770' \
  -H 'authorization: Token token=#{authentication_token}, email=#{email_of_manager}' \
  -H 'content-type: application/json' \
  -H 'accept: application/au.com.hotdoc.v3' \
  --data-raw '{"clinic_user_access":{"access_level":"dashboard_only","email":"#{email_of_new_user}","clinic_ids":#{an_array_of_clinic_ids, for example: ["1","2"]},"can_manage_clinic_user_accounts":#{boolean},"invite_to_all_clinics":false}}'

Note that if a clinic user is invited to multiple clinics, their sidebar access is reduced. This means a user with the Dashboard and Sidebar access level is reduced to Dashboard Only when invited to a second clinic. By the same logic, a user with the Sidebar Only access level is reduced to No Access when invited to another clinic.
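The following is an added example and not HotDoc's code: a small model of what a clinic_user_accesses handler has to enforce for the two request shapes above, namely that the clinic list (explicit clinic_ids or the expansion of invite_to_all_clinics) never exceeds the acting manager's own clinics, and that the access-reduction rule from the note is applied once the user holds access to more than one clinic. The access level names, the in-memory stores, the sample emails and the function names are assumptions made for illustration.

```python
"""Added example (not HotDoc's code) modelling the server-side handling of a
multi-clinic invitation. Assumed level names, stores and function names."""
import json

# Assumed access level identifiers; the page names only the display labels.
DASHBOARD_AND_SIDEBAR = "dashboard_and_sidebar"
DASHBOARD_ONLY = "dashboard_only"
SIDEBAR_ONLY = "sidebar_only"
NO_ACCESS = "no_access"

# Constructed sample data: clinic ids each manager (keyed by the email sent in
# the authorization header) is allowed to act for.
MANAGER_CLINICS = {
    "manager@example.invalid": {"1", "2", "3"},
}


class AuthorizationError(Exception):
    """Raised when a request names a clinic the manager cannot access."""


def make_body(email, clinic_ids, invite_to_all, can_manage=False):
    """Build the JSON body the two curl requests above send."""
    return json.dumps({"clinic_user_access": {
        "access_level": DASHBOARD_ONLY,
        "email": email,
        "clinic_ids": list(clinic_ids),
        "can_manage_clinic_user_accounts": can_manage,
        "invite_to_all_clinics": invite_to_all,
    }})


def resolve_clinic_ids(manager_email, body):
    """Return the set of clinic ids the invite applies to.

    invite_to_all_clinics expands only to the manager's own clinics, and an
    explicit clinic_ids list is rejected outright if it names any clinic
    outside that set, so a manager can never grant access they do not hold.
    """
    allowed = MANAGER_CLINICS.get(manager_email, set())
    if body.get("invite_to_all_clinics"):
        return set(allowed)
    requested = {str(c) for c in body.get("clinic_ids", [])}
    if not requested:
        raise ValueError("clinic_ids must be non-empty when invite_to_all_clinics is false")
    if not requested <= allowed:
        raise AuthorizationError(
            "manager lacks access to clinics: %s" % sorted(requested - allowed))
    return requested


def reduced_level(level):
    """The note's rule for a user who now holds access at more than one clinic:
    Dashboard and Sidebar -> Dashboard Only, Sidebar Only -> No Access."""
    return {DASHBOARD_AND_SIDEBAR: DASHBOARD_ONLY, SIDEBAR_ONLY: NO_ACCESS}.get(level, level)


def invite_user(manager_email, raw_body, current_access):
    """Model of POST /api/dashboard/clinic_user_accesses.

    current_access is the invited user's existing {clinic_id: level} map.
    Returns the resulting map after granting dashboard_only at each newly
    authorised clinic and applying the access reduction where the user ends
    up with more than one clinic. Does not mutate its input.
    """
    body = json.loads(raw_body)["clinic_user_access"]
    if body.get("access_level") != DASHBOARD_ONLY:
        raise ValueError("multi-clinic invites are limited to dashboard_only")
    clinics = resolve_clinic_ids(manager_email, body)
    access = dict(current_access)
    for clinic_id in clinics:
        # An invite never upgrades access the user already holds at a clinic.
        access.setdefault(clinic_id, DASHBOARD_ONLY)
    if len(access) > 1:
        access = {cid: reduced_level(lvl) for cid, lvl in access.items()}
    return access


if __name__ == "__main__":
    body = make_body("existing@example.invalid", ["2"], invite_to_all=False)
    print(invite_user("manager@example.invalid", body, {"1": DASHBOARD_AND_SIDEBAR}))
```

Two outcomes worth checking by hand: an invite_to_all_clinics request from the sample manager yields dashboard_only at clinics 1, 2 and 3 and nothing else, and a request naming a clinic outside the manager's set is refused before any access is written.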

Important: we are aware of an issue with Clinic User Access escalation. Broken authorization that allows Clinic Users to interact directly via the API with products they cannot see in the UI is already listed as Out of Scope.


Bonus Opportunity - First to Find Authentication Vulnerabilities on Focus Areas:

Severity   Current Bounty   Bonus Bounty
P1         $4000            $500
P2         $1250            $500
P3         $500             $100

Have fun! As always, please see the program brief for the full details around testing. If you have any questions, please reach out to support@bugcrowd.com.

Get out there and lay claim to those bugs!