• $50 – $8,000 per vulnerability
  • Partial safe harbor

Feature update: PDF generation has moved to AWS Lambda and a new endpoint for testing New Patient Forms PDF is available

We hope your testing is going well. Here is an update that should make things a bit more interesting!

PDF generation in both our Recalls and Forms product now uses an AWS Lambda function. We highly recommend you take a look at this additional attack surface – which hopefully means more vulnerabilities! Here is how to access the Recalls and Forms PDF :


On HotDoc Dashboard, visit Recalls -> Activity, click on a clinical reminder and then access the recalls PDF by visiting Remind by post -> Download letter

Forms (*new endpoint)

CURL as an authorised dashboard user.

curl '' \
  -H 'Accept: application/'\
  -H 'Connection: keep-alive' \
  -H "Content-Type: application/pdf"\
  -H 'Cache-Control: max-age=0' \
  -H 'Authorization: Token token=:token, email=:email, admin_token=:admin_token, admin_id=:admin_id'\
  -H 'Sec-Fetch-Site: same-origin' \
  -H 'Sec-Fetch-Mode: navigate' \
  -H 'Sec-Fetch-User: ?1' \
  -H 'Sec-Fetch-Dest: document' \
  -H 'Referer:' \
  -H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' \
  -H 'Cookie: :request_cookies \

How to create a form?

To create a new form, visit this endpoint as a HotDoc Dashboard user:
For more info, visit the Support article at

How to submit a form?

Click Preview button to access the created form on Dashboard Forms page and fill in the form. Hit Submit button at the button to complete a form submission.

How to access a valid form submission id?

  1. Submit a form then it can be found in the response payload of the form submission POST request.
  2. Navigate to Forms -> Submitted on HotDoc Dashboard, the response payload of the form submissions index endpoint contains the ids of those form submissions.

How to access the Authorization header and Request cookies?

Log in to the HotDoc Dashboard and choose any request to HotDoc server in the Network Tab. The Authorization header and request cookies can be reused to request PDF data.

Please be aware that DoS testing is out of scope for this functionality.

As always, please see the program brief for the full details around testing. If you have any questions, please reach out to

Get out there and lay claim to those bugs! Good luck!