Healthcare integration between critical and innovative software applications hurts healthcare experiences in the United States every day. Estimates are that over $750 billion is wasted in healthcare each year. Redox aims to become one of the most trusted brands in healthcare. With your help, we will surpass HIPAA industry regulation guidelines and cater to all patients supremely.
The Redox platform provides a highly scalable solution that eliminates technical barriers. From getting HL7 data over VPNs to a multitude of EHR (electronic health record) vendor APIs and even XML over SFTP, we need to do it all and do it securely.
We encourage researchers to review our Docs to learn more about how our APIs and platform work.
These resources in particular will help you get up to speed as quickly as possible:
- Accessing the Postman Files
- Quickstart Video Tutorial
- Get Up and Running with the Redox API in 15 minutes
- Please make sure you are testing only in-scope targets (DO NOT TEST https://dashboard.redoxengine.com). REFER CAREFULLY TO THE IN-SCOPE AND OUT-OF-SCOPE TARGETS BELOW.
Don't Utilize Automated Scanning:
Redox already runs automated scans from Acunetix, ZAP, Nessus, et al., against the in-scope targets, so using these tools is likely of minimal utility to researchers. As such, please avoid using them except for targeted, specific testing, and then only at fewer than six requests per second and fewer than 50 automated requests against a single endpoint. Custom scripts and fuzzing tools are still permitted, but if you use them, please keep your traffic to six requests per second or less.
Report Criteria Must Include
- Business Impact (how does this affect Redox?)
- Steps to reproduce
- Working proof-of-concept (PoC) videos are required for validating any findings, as they help expedite the triage process.
- Discoverability (how likely is this to be discovered)
- Exploitability (how likely is this to be exploited)
Submissions Eligible for Additional 10% Bonus are as follows:
- Any Stored XSS
- Any Remote Code Execution
- Any Local File Inclusion
- Any Privilege Escalation
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy (VRT). However, it is important to note that in some cases a vulnerability's priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher, along with the opportunity to appeal and make a case for a higher priority. Please see below for deviations from the standard VRT.
Rewards are paid within the ranges specified below. We will determine which payout in that range is suitable based on the complexity of the exploit, the quality of the submission, and the criticality of the system the bug was found in.
Our Maximum Reward
Redox is offering a maximum reward (shown above) which is higher than our standard P1 reward for any Extraordinary Submission. This means more than simply qualifying as a P1 under the VRT (which the bug should, in terms of impact). It means the researcher has spent the time and effort to understand our platform and has identified a flaw unique to our platform that most others would not find without such investment. Additionally, we expect the submission write-up to reflect an understanding of the platform and to describe the vulnerability, its impact, and how to resolve it clearly and concisely.
We will make an effort to respond as fast as possible to all submissions.
| Technical severity | Reward range |
|---|---|
| P1 Critical | $2,500 - $3,000 |
| P2 Severe | $1,250 - $2,000 |
| P3 Moderate | $500 - $1,000 |
| P4 Low | $125 - $400 |
Out of scope
Testing is only authorized on the targets listed as In-Scope. Any domain/property of Redox not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you believe you have identified a vulnerability on a system outside the scope, please reach out to firstname.lastname@example.org before submitting.
0-days in other vendors' software will be accepted 30 days after a patch has been released. If the originating company does not have a way for you to submit your finding, Redox can work to notify them on your behalf.
https://10x.redoxengine.com/* - This instance of our Dashboard offers the same functionality as our production instance. We encourage researchers to create multiple accounts (organisations) in this dashboard.
Marketing, Blog and Docs
We also encourage testing of our Marketing, Blog and Docs content available at www.redoxengine.com and developer.redoxengine.com.
Please note these are production services and the production Dashboard linked from these pages is out of scope.
There are several API endpoints in scope. No documentation has been provided for these endpoints, but researchers are encouraged to test these targets from a black-box perspective.
Researchers can self-provision credentials using their @bugcrowdninja.com email address. For more info regarding @bugcrowdninja email addresses, see here.
We encourage you to use multiple accounts in testing via the alias sub-addressing feature at signup, with an email address such as email@example.com.
Signing up will create an organization; once authenticated, researchers can assign four different roles to additional users in that organization:
- Full Owner w/ billing
- Full Owner w/out billing
- Partial Owner w/ billing
- Partial Owner w/out billing
Testers should focus on potential cross account access or escalation of privileges within the console, in addition to standard web application issues.
Guidance on Common Findings / Known Issues
The following are intended design or are in the process of being remediated. Please avoid spending time here, as you are more likely to earn a bounty when hunting on our Focus Areas (see Bonus above).
- Failure to Invalidate Session > On Password Reset and/or Change. Please note that other authorization and session-based vulnerabilities can be valuable.
- HTML Injection is of limited value to the team; please focus on other XSS-type findings.
- No Rate Limiting on 'Forgot Password' or 'Email-Triggering'. If you can find other ways to leverage the password reset, you are welcome to submit your finding.
- Lack of DMARC record
- Email HTML Injection
Out of Scope
Testing is only authorized on the targets listed as In-Scope. Any domain/property of Redox not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you happen to identify a security vulnerability on a target that is not in scope but that demonstrably belongs to Redox, it may be reported to this program and is appreciated, but it will ultimately be marked as 'not applicable' and will not be eligible for monetary or points-based compensation.
DDoS and DoS Vulnerabilities
DDoS vulnerabilities are out of scope for this program (i.e. any attack requiring more than a small number of resources). DoS vulnerabilities which cause application "slowdown" will be considered P5/Informational, unless the researcher can demonstrate that the bug is severe enough to disable OTHER sessions and site functionality without a large number of resources. Bugs which cannot clearly show the impact on OTHER users without significant resources will be considered DDoS.
Subdomain takeovers require proof of takeover. Please include a screenshot of the domain taken over temporarily. Subdomains explicitly listed in the target list below will be awarded as a P2, other domains will be awarded as a P3.
Customer and Third Party Applications
While customer and third-party applications built on Redox are technically out of scope, we will support the responsible disclosure of any issue and will forward these problems to the third party. For this reason we encourage you to submit these issues if you find them during your testing (such as a key to our API that a customer posts to GitHub), and we may offer discretionary rewards in these cases.
- AWS S3 buckets not clearly linked to Redox (this does not include buckets with "redox" in their name). Any submission must include how the bucket name is linked to Redox (from documentation, code or application links) or it will be rejected as out of scope.
- Example code or code in our documentation.
- Email HTML Injections
- DMARC record missing
Out of Scope Activities
- Once a vulnerability is found, it must be immediately reported. Bugs found as a result of "pivoting" within our infrastructure may be considered out of scope.
- DoS or related activities are not allowed. If you identify any slow requests, please report them as informational and we will investigate; however, rewards will only be offered as described above.
- Attempting to access production environments or customers is not allowed.
When conducting vulnerability research according to this policy, we consider this research to be:
- Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
- Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
- Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
- Lawful, helpful to the overall security of the Internet, and conducted in good faith.
- You are expected, as always, to comply with all applicable laws.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through this program, or inquire via firstname.lastname@example.org before going any further.