Redox

  • $50 – $1,500 per vulnerability
  • Up to $5,000 maximum reward
  • Managed by Bugcrowd

Program stats

29 vulnerabilities rewarded

Validation within 1 day
75% of submissions are accepted or rejected within 1 day

$155 average payout (last 3 months)

Disclosure

Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

Redox accelerates the development and distribution of digital health solutions with a full-service healthcare integration platform to securely and efficiently exchange data. Healthcare organizations and technology vendors connect once and authorize the data they send and receive across the most extensive interoperable network in healthcare.

Keeping Healthcare data secure is our highest priority, so we welcome testing and responsible disclosure of potential security risks you identify.

IMPORTANT: Please make sure you are testing only in-scope targets (DO NOT TEST https://dashboard.redoxengine.com), REFER CAREFULLY TO IN SCOPE AND OUT OF SCOPE TARGETS BELOW.


For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority. Please see below for deviations from the standard VRT.

Rewards are paid within the ranges specified below. We will determine what payout in this range is suitable based on the complexity of the exploit, the quality of the submission, and the criticality of the system the bug was found in.

We will make an effort to respond as fast as possible to all submissions.

Reward Range

Technical severity   Reward range
P1 Critical          $1,000 - $1,500
P2 Severe            $500 - $800
P3 Moderate          $100 - $200
P4 Low               $50 - $100

P5 submissions do not receive any rewards for this program.

Targets

In scope

Target name                    Type
10x.redoxengine.com            Website
testapp.redoxengine.com        API
developer.redoxengine.com/     Website

Out of scope

Target name                                      Type
www.redoxengine.com/                             Website
dashboard.redoxengine.com                        Website
candi.redoxengine.com                            API
api.redoxengine.com                              API
www.redoxengine.com/support-request/             Website
https://jobs.lever.co/redoxengine/               Website
https://www.redoxengine.com/contact-us/          Website
https://www.redoxengine.com/support-request/     Website

Testing is only authorized on the targets listed as In-Scope. Any domain/property of Redox not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you believe you've identified a vulnerability on a system outside the scope, please reach out to support@bugcrowd.com before submitting.


Target Info:

  • https://10x.redoxengine.com/* - This instance of our Dashboard offers the same functionality as our production instance. We encourage researchers to create multiple accounts (organisations) in this dashboard.

Marketing, Blog and Docs

We also encourage testing of our Marketing, Blog and Docs content available at www.redoxengine.com and developer.redoxengine.com.

Please note these are production services and the production Dashboard linked from these pages is out of scope.

Credentials:

Researchers can self-provision credentials using their @bugcrowdninja.com email address. For more info regarding @bugcrowdninja email addresses, see here.

We encourage you to use multiple accounts in testing via the alias sub-addressing feature at signup with an email address such as researcher+randomstring@bugcrowdninja.com.

Signing up will create an organization. Once authenticated, researchers can create additional users in that organization with any of four different roles:

  • Full Owner w/ billing
  • Full Owner w/out billing
  • Partial Owner w/ billing
  • Partial Owner w/out billing

Testers should focus on potential cross account access or escalation of privileges within the console, in addition to standard web application issues.

Documentation:

We encourage researchers to review our Docs to learn about how our platform works.


Out of Scope

  • DDoS and DoS Vulnerabilities
    DDoS vulnerabilities are out of scope of this program (i.e. any attack requiring more than a small number of resources). DoS vulnerabilities which cause application "slowdown" will be considered P5/Informational, unless the researcher can demonstrate that the bug is severe enough to disable OTHER sessions and site functionality without a large number of resources. Bugs which cannot clearly show the impact on OTHER users without significant resources will be considered DDoS.

  • Subdomain Takeovers
    Subdomain takeovers require proof of takeover. Please include a screenshot of the domain taken over temporarily. Subdomains explicitly listed in the target list below will be awarded as a P2, other domains will be awarded as a P3.

  • Customer and Third Party Applications
    While customer and third-party applications built on Redox are technically out of scope, we will support the responsible disclosure of any issue and support forwarding these problems to the third party. For this reason we encourage you to submit these issues if you find them during your testing (such as a key to our API that a customer posts to GitHub), and we may offer discretionary rewards in these cases.

  • AWS S3 buckets not clearly linked to Redox (this does not include buckets with "redox" in their name). Any submission must include how the bucket name is linked to Redox (from documentation, code or application links) or it will be rejected as out of scope.

  • Example code or code in our documentation.

Out of Scope Activities

  • Once a vulnerability is found, it must be immediately reported. Bugs found as a result of "pivoting" within our infrastructure may be considered out of scope.
  • DoS or related activities are not allowed. If you identify any slow requests please report them as informational and we will investigate, however rewards will only be offered as described above.
  • Attempting to access production environments or customers is not allowed.

Safe Harbor:

When conducting vulnerability research according to this policy, we consider this research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through this program, or inquire via support@bugcrowd.com before going any further.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.