  • $125 – $3,000 per vulnerability
  • Up to $3,500 maximum reward
  • Safe harbor
  • Managed by Bugcrowd

Program stats

54 vulnerabilities rewarded

Validation within about 9 hours
75% of submissions are accepted or rejected within about 9 hours

$200 average payout (last 3 months)



Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

Healthcare integration between critical and innovative software applications hurts healthcare experiences in the United States every day. Estimates are that over $750 billion is wasted in healthcare each year. Redox aims to become one of the most trusted brands in healthcare. With your help, we will surpass HIPAA industry regulation guidelines and serve all patients exceptionally well.

The Redox platform provides a highly scalable solution that eliminates technical barriers. From getting HL7 data over VPNs to a multitude of EHR (electronic health record) vendor APIs and even XML over SFTP, we need to do it all and do it securely.


We encourage researchers to review our Docs to learn more about how our APIs and platform work.

These resources in particular will help you get up to speed as quickly as possible:


  • Please make sure you are testing only in-scope targets (DO NOT TEST, REFER CAREFULLY TO IN SCOPE AND OUT OF SCOPE TARGETS BELOW).

Don't Utilize Automated Scanning:

Redox runs automated scans from Acunetix, Zap, Nessus, et al., against the in-scope targets – so using these tools is likely of minimal utility to researchers. As such, please avoid using them unless for targeted, specific testing, and then only at less than six requests per second / less than 50 automated requests on a single endpoint. Custom scripts and fuzzing tools are still permitted, but if using them, please keep your traffic to six requests per second or less.

Report Criteria Must Include

  • Business Impact (how does this affect Redox?)
  • Steps to reproduce
  • Working proof of concept: POC videos are required for validating any findings, as they help expedite the triage process.
  • Discoverability (how likely is this to be discovered)
  • Exploitability (how likely is this to be exploited)

Submissions eligible for an additional 10% bonus are as follows:

  • Any Stored XSS
  • Any Remote Code Execution
  • Any Local File Inclusion
  • Any Privilege Escalation

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority. Please see below for deviations from the standard VRT.

Rewards are paid within the ranges specified below. We will determine what payout in this range is suitable based on the complexity of the exploit, the quality of the submission, and the criticality of the system the bug was found in.

Our Maximum Reward

Redox is offering a maximum reward (shown above), higher than our standard P1 reward, for Extraordinary Submissions. This means more than simply qualifying for a P1 under the VRT (which such a bug should, in terms of impact). It means the researcher has spent the time and effort to understand our platform and identified a flaw unique to it that most others would not find without such investment. Additionally, we expect the submission write-up to reflect an understanding of the platform and to describe the vulnerability, its impact, and how to resolve it clearly and concisely.

We will make an effort to respond as fast as possible to all submissions.

Reward range

Technical severity   Reward range
P1 Critical          $2,500 - $3,000
P2 Severe            $1,250 - $2,000
P3 Moderate          $500 - $1,000
P4 Low               $125 - $400

P5 submissions do not receive any rewards for this program.


In scope

Target name   Type   Tags
(Target names are not preserved in this copy. Listed types: Website Testing and API Testing; listed tags: ReactJS, Bootstrap, jQuery, ExpressJS, NodeJS, HTTP, Wordpress.)

Out of scope

Target name   Type
(Target names are not preserved in this copy. Listed types: Website Testing, API Testing, and Other.)

Testing is only authorized on the targets listed as In-Scope. Any domain/property of Redox not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you believe you've identified a vulnerability on a system outside the scope, please reach out to before submitting.

0-days related to other vendor’s software will be accepted after 30 days of a patch being released. If the originating company does not have a way for you to submit your finding, Redox can work to notify them on your behalf.

Target Info:

  • * This instance of our Dashboard offers the same functionality as our production instance. We encourage researchers to create multiple accounts (organisations) in this dashboard.

Marketing, Blog and Docs

We also encourage testing of our Marketing, Blog and Docs content available at and

Please note these are production services and the production Dashboard linked from these pages is out of scope.

API Endpoints:

There are several API endpoints in scope. No documentation has been provided for these endpoints, but researchers are encouraged to test these targets from a blackbox perspective.


Researchers can self provision credentials using their email address. For more info regarding @bugcrowdninja email addresses, see here.

We encourage you to use multiple accounts in testing via the alias sub-addressing feature at signup with an email address such as

Signing up will create an organization. Once authenticated, researchers can create four different roles for additional users in that organization:

  • Full Owner w/ billing
  • Full Owner w/out billing
  • Partial Owner w/ billing
  • Partial Owner w/out billing

Testers should focus on potential cross account access or escalation of privileges within the console, in addition to standard web application issues.


Guidance on Common Findings / Known Issues

The following are intended design or are in the process of being remediated; please avoid spending time here, as you are more likely to earn a bounty when hunting in our Focus Areas (see Bonus above).

  • Failure to Invalidate Session on Password Reset and/or Change. Please note that other authorization and session-based vulnerabilities can be valuable.
  • HTML Injection is of limited value to the team; please focus on other XSS-type findings.
  • No Rate Limiting on 'Forgot Password' or 'Email-Triggering'. If you can find other ways to leverage the password reset, you are welcome to submit your finding.
  • Lack of DMARC record
  • Email HTML Injection

Out of Scope

  • Testing is only authorized on the targets listed as In-Scope. Any domain/property of Redox not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you happen to identify a security vulnerability on a target that is not in-scope, but that demonstrably belongs to Redox, it may be reported to this program, and is appreciated - but it will ultimately be marked as 'not applicable' and will not be eligible for monetary or points-based compensation.

  • DDoS and DoS Vulnerabilities
    DDoS vulnerabilities are out of scope of this program (i.e. any attack requiring more than a small number of resources). DoS vulnerabilities which cause application "slowdown" will be considered P5/Informational, unless the researcher can demonstrate that the bug is severe enough to disable OTHER sessions and site functionality without a large number of resources. Bugs which cannot clearly show the impact on OTHER users without significant resources will be considered DDoS.

  • Subdomain Takeovers
    Subdomain takeovers require proof of takeover. Please include a screenshot of the domain taken over temporarily. Subdomains explicitly listed in the target list below will be awarded as a P2, other domains will be awarded as a P3.

  • Customer and Third Party Applications
    While customer and third-party applications built on Redox are technically out of scope, we will support the responsible disclosure of any issue and support forwarding these problems to the third party. For this reason we encourage you to submit these issues if you find them during your testing (such as a key to our API that a customer posts to GitHub), and we may offer discretionary rewards in these cases.

  • AWS S3 buckets not clearly linked to Redox (this does not include buckets with "redox" in their name). Any submission must include how the bucket name is linked to Redox (from documentation, code or application links) or it will be rejected as out of scope.

  • Example code or code in our documentation.

  • Email HTML Injections

  • DMARC record missing

Out of Scope Activities

  • Once a vulnerability is found, it must be immediately reported. Bugs found as a result of "pivoting" within our infrastructure may be considered out of scope.
  • DoS or related activities are not allowed. If you identify any slow requests please report them as informational and we will investigate, however rewards will only be offered as described above.
  • Attempting to access production environments or customers is not allowed.

Safe Harbor:

When conducting vulnerability research according to this policy, we consider this research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.
  • You are expected, as always, to comply with all applicable laws.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through this program, or inquire via before going any further.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.