Redox

  • $125 – $4,000 per vulnerability
  • Up to $4,500 maximum reward
  • Safe harbor
  • Managed by Bugcrowd

Program stats

59 vulnerabilities rewarded

Validation within 1 day
75% of submissions are accepted or rejected within 1 day

$333.33 average payout (last 3 months)

Latest hall of famers

Recently joined this program

Disclosure

Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

Healthcare integration between critical and innovative software applications hurt healthcare experiences in the United States every day. Estimates are that there is over $750 billion wasted in healthcare each year. Redox aims to become one of the most trusted brands in healthcare. With your help, we will surpass HIPAA industry regulation guidelines and cater to all patients supremely.

The Redox platform provides a highly-scalable solution that eliminates technical barriers. From getting HL7 data over VPNs to a multitude of EHR(electronic health record) vendor APIs and even XML over SFTP, we need to do it all and do it securely.

Documentation:

We encourage researchers to review our Docs to learn about how more of our apis and platform work.

These resources in particular will help you get up to speed as quickly as possible:

IMPORTANT:

  • Please make sure you are testing only in-scope targets (DO NOT TEST https://dashboard.redoxengine.com), REFER CAREFULLY TO IN SCOPE AND OUT OF SCOPE TARGETS BELOW.

Don't Utilize Automated Scanning:

Redox runs automated scans from Acunetix, Zap, Nessus, et al., against the in-scope targets – so using these tools is likely of minimal utility to researchers. As such, please avoid using them unless for targeted, specific testing, and then only at less than six requests per second / less than 50 automated requests on a single endpoint. Custom scripts and fuzzing tools are still permitted, but if using them, please keep your traffic to six requests per second or less.

Report Criteria Must Include

  • Business Impact (how does this affect Redox?)
  • Steps to reproduce
  • Working proof of concept POC videos are required for validating any findings, as doing so will help expedite the triage process.
  • Discoverability (how likely is this to be discovered)
  • Exploitability (how likely is this to be exploited)

Submissions Eligible for Additional 10% Bonus are as follows:

-SSRF
-Any Stored XXS
-Any Remote Code Execution
-Any Local File Inclusion
-Any Privilege Escalation

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority. Please see below for deviations from the standard VRT.

Rewards are paid within the ranges specified below. We will determine what payout in this range is suitable based on the complexity or the exploit, the quality of the submission, and the criticality of the system the bug was found in.

Our Maximum Reward

Redox is offering a maximum reward (shown above) which is higher than our standard P1 reward for any Extraordinary Submissions. This means more than simply qualifying for a P1 under the VRT (which this bug should in terms of impact). It means the researcher has spent the time and effort to understand our platform and identified a flaw unique to our platform that most others would not find without such investment. Additionally, we'd expect the submission write up to reflect an understanding of the platform and can describe the vulnerability and its impact and how to resolve it clearly and concisely.

We will make an effort to respond as fast as possible to all submissions.

Scope and rewards

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email support@bugcrowd.com. We will address your issue as soon as possible.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.