Redox accelerates the development and distribution of digital health solutions with a full-service healthcare integration platform to securely and efficiently exchange data. Healthcare organizations and technology vendors connect once and authorize the data they send and receive across the most extensive interoperable network in healthcare.
Keeping healthcare data secure is our highest priority, so we welcome testing and responsible disclosure of potential security risks you identify.
IMPORTANT: Please make sure you are testing only in-scope targets (DO NOT TEST https://dashboard.redoxengine.com), REFER CAREFULLY TO IN SCOPE AND OUT OF SCOPE TARGETS BELOW.
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority. Please see below for deviations from the standard VRT.
Rewards are paid within the ranges specified below. We will determine what payout in this range is suitable based on the complexity of the exploit, the quality of the submission, and the criticality of the system the bug was found in.
Our Maximum Reward
Redox is offering a maximum reward (shown above) which is higher than our standard P1 reward for any Extraordinary Submission. This means more than simply qualifying for a P1 under the VRT (which the bug should, in terms of impact). It means the researcher has spent the time and effort to understand our platform and identified a flaw unique to our platform that most others would not find without such investment. Additionally, we expect the submission write-up to reflect an understanding of the platform and to describe the vulnerability, its impact and how to resolve it clearly and concisely.
We will make an effort to respond as fast as possible to all submissions.
Reward Range

| Technical severity | Reward range |
|---|---|
| P1 Critical | $2,000 - $2,500 |
| P2 Severe | $1,000 - $1,500 |
| P3 Moderate | $300 - $750 |
| P4 Low | $100 - $200 |
Out of scope
Testing is only authorized on the targets listed as In-Scope. Any domain/property of Redox not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you believe you've identified a vulnerability on a system outside the scope, please reach out to firstname.lastname@example.org before submitting.
https://10x.redoxengine.com/* - This instance of our Dashboard offers the same functionality as our production instance. We encourage researchers to create multiple accounts (organisations) in this dashboard.
Marketing, Blog and Docs
We also encourage testing of our Marketing, Blog and Docs content available at www.redoxengine.com and developer.redoxengine.com.
Please note these are production services, and the production Dashboard linked from these pages is out of scope.
Researchers can self-provision credentials using their @bugcrowdninja.com email address. For more info regarding @bugcrowdninja email addresses, see here.
We encourage you to use multiple accounts in testing via the alias sub-addressing feature at signup, with an email address such as email@example.com.
Signing up will create an organization. Once authenticated, researchers can create four different roles for additional users in that organization:
- Full Owner w/ billing
- Full Owner w/out billing
- Partial Owner w/ billing
- Partial Owner w/out billing
Testers should focus on potential cross account access or escalation of privileges within the console, in addition to standard web application issues.
We encourage researchers to review our Docs to learn about how our platform works.
Out of Scope
DDoS and DoS Vulnerabilities
DDoS vulnerabilities are out of scope of this program (i.e. any attack requiring more than a small number of resources). DoS vulnerabilities which cause application "slowdown" will be considered P5/Informational, unless the researcher can demonstrate that the bug is severe enough to disable OTHER sessions and site functionality without a large number of resources. Bugs which cannot clearly show the impact on OTHER users without significant resources will be considered DDoS.
Subdomain takeovers require proof of takeover. Please include a screenshot of the domain taken over temporarily. Subdomains explicitly listed in the target list below will be awarded as a P2; other domains will be awarded as a P3.
Customer and Third Party Applications
While customer and third-party applications built on Redox are technically out of scope, we will support the responsible disclosure of any issue and support forwarding these problems to the third party. For this reason we encourage you to submit these issues if you find them during your testing (such as a key to our API that a customer posts to GitHub), and we may offer discretionary rewards in these cases.
AWS S3 buckets not clearly linked to Redox (this does not include buckets with "redox" in their name). Any submission must include how the bucket name is linked to Redox (from documentation, code or application links), or it will be rejected as out of scope.
Example code or code in our documentation.
Out of Scope Activities
- Once a vulnerability is found, it must be immediately reported. Bugs found as a result of "pivoting" within our infrastructure may be considered out of scope.
- DoS or related activities are not allowed. If you identify any slow requests, please report them as informational and we will investigate; however, rewards will only be offered as described above.
- Attempting to access production environments or customers is not allowed.
When conducting vulnerability research according to this policy, we consider this research to be:
- Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
- Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
- Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
- Lawful, helpful to the overall security of the Internet, and conducted in good faith.
- You are expected, as always, to comply with all applicable laws.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through this program, or inquire via firstname.lastname@example.org before going any further.