  • $125 – $4,500 per vulnerability
  • Up to $5,000 maximum reward
  • Safe harbor

Program stats

  • Vulnerabilities rewarded: 77
  • Validation within 3 days: 75% of submissions are accepted or rejected within 3 days
  • Average payout: $250 within the last 3 months


Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

Healthcare integration between critical and innovative software applications hurts healthcare experiences in the United States every day. Estimates are that over $750 billion is wasted in healthcare each year. Redox aims to become one of the most trusted brands in healthcare. With your help, we will surpass HIPAA industry regulation guidelines and cater to all patients supremely.

The Redox platform provides a highly scalable solution that eliminates technical barriers. From getting HL7 data over VPNs to a multitude of EHR (electronic health record) vendor APIs and even XML over SFTP, we need to do it all and do it securely.


New updates can be found here:


We encourage researchers to review our Docs to learn more about how our APIs and platform work.

These resources in particular will help you get up to speed as quickly as possible:


  • Please ensure you utilize your email domain when creating accounts. This helps us know that you are a researcher, not a malicious user.
    • Additional accounts can be created via creating email aliases, such as and
  • Please make sure you are being as detailed as possible on your reports.
  • Please make sure you are testing only in-scope targets (DO NOT TEST, REFER CAREFULLY TO IN SCOPE AND OUT OF SCOPE TARGETS BELOW).
  • Do not test contact forms on Findings here will be considered out of scope

Don't Utilize Automated Scanning:

Redox runs automated scans from Acunetix, Zap, Nessus, et al., against the in-scope targets – so using these tools is likely of minimal utility to researchers. As such, please avoid using them unless for targeted, specific testing, and then only at less than six requests per second / less than 50 automated requests on a single endpoint. Custom scripts and fuzzing tools are still permitted, but if using them, please keep your traffic to six requests per second or less.

Report Criteria Must Include

  • Business Impact (how does this affect Redox?)
  • Steps to reproduce
  • Working proof of concept: POC videos are required for validating any findings, as doing so will help expedite the triage process.
  • Discoverability (how likely is this to be discovered)
  • Exploitability (how likely is this to be exploited)

Our Maximum Reward

Redox is offering a maximum reward (shown above), which is higher than our standard P1 reward, for any Extraordinary Submissions. This means more than simply qualifying for a P1 under the VRT (which this bug should in terms of impact). It means the researcher has spent the time and effort to understand our platform and identified a flaw unique to our platform that most others would not find without such investment. Additionally, we'd expect the submission write-up to reflect an understanding of the platform and to describe the vulnerability, its impact, and how to resolve it clearly and concisely.

We will make an effort to respond as fast as possible to all submissions.

Scope and rewards

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email We will address your issue as soon as possible.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.