2020-01-30
2020-02-08
GoodRx

Intro

GoodRx is America’s healthcare marketplace. Each month, more than 17 million people use GoodRx’s website and popular mobile apps to find current prices and discounts for their healthcare, and we’ve helped people save more than $20 billion since 2011. We provide discounts available at 70,000 pharmacies in the U.S., as well as telehealth services including doctor visits and lab tests. Thousands of healthcare professionals use GoodRx to help their patients. Our services have been positively reviewed by Good Morning America, The New York Times, NBC News, AARP, and many others. Our goal is to help Americans find convenient and affordable healthcare in a safe, compliant and private manner.

Program Rules

  • Please read our entire policy page before you begin! Honestly, read the entire policy. This will help save you time and reduce the chances of submitting a finding that's deemed Not Applicable.

  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.

  • When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).

  • We want you to search for bugs, not user data. If you encounter user information during your testing stop immediately and notify us through HackerOne. Further guidance will be provided along with an appropriate bounty for your finding.

  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

  • Refrain from automated scanning against these URLs: https://www.goodrx.com/coupon/, https://www.goodrx.com/professionals, https://www.goodrx.com/discount-card, and https://www.goodrx.com/jobs.

  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

  • Don’t leave any system in a more vulnerable state than you found it.

  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.

  • Please use the wearehackerone.com email alias when creating accounts to test our site. More information about this alias can be found at: https://docs.hackerone.com/hackers/hacker-email-alias.html

  • Only interact with GoodRx accounts you own. (Ex: GoodRx Gold family accounts)

  • Be respectful when interacting with our team, and our team will do the same.

  • Social engineering attacks (e.g. spear phishing) are prohibited.

  • Do not engage in conversation with our support or doctor personnel.

  • You are prohibited from participating in the program if you are a resident of any U.S. embargoed jurisdiction, including but not limited to Iran, North Korea, Cuba, the Crimea region, and Syria; or if you are on the U.S. Treasury Department's list of Specially Designated Nationals or the U.S. Department of Commerce Denied Persons List or Entity List. By participating in the program, you represent and warrant that you are not located in any such country or on any such list.

Disclosure Policy

  • Don’t publicly disclose a vulnerability without our consent and review.

  • In addition, follow HackerOne's disclosure guidelines.

Out of scope vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope and will not be eligible for a bounty:

  • CSRF in unauthenticated or non-sensitive forms. (Ex: drug search and logout)

  • Attacks requiring MITM or physical access to a user's device.

  • Rate-limiting issues including on Password Reset URLs or Authentication Endpoints which are managed by Auth0 and not GoodRx.

  • Missing best practices in SSL/TLS configuration. (Lack of HSTS, additional security headers, etc.)

  • Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)

  • Any activity that could lead to the disruption of our service (DDoS).

  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.

  • Username enumeration based on login or forgot password pages.

  • Enforcement policies for brute force or account lockout.

  • Presence of autocomplete functionality in form fields.

  • Clickjacking due to a lack of X-Frame-Options use.

  • Lack of HttpOnly or Secure cookie flags on non-sensitive cookies.

  • Findings related to Google Maps API key storage or usage.

  • Any vulnerabilities on subdomains or assets that are not explicitly listed in the scope.

  • Reports of vulnerabilities in third-party software, such as Zendesk, Palo Alto Networks, reCAPTCHA, etc.

  • Social Media Account Takeovers.

GoodRx Login Pages

GoodRx offers two distinct login workflows for our services. One flow is designed for our traditional savings program experience and the other is for our telehealth service.

Those URLs are: https://www.goodrx.com/account/sign-in and https://www.goodrx.com/care/login

Please use the wearehackerone.com email alias when creating accounts to test our site. More information about this alias can be found at: https://docs.hackerone.com/hackers/hacker-email-alias.html

GoodRx Coupons Overview

Be aware that drug prices displayed on GoodRx are coupon prices for a specific pharmacy and drug combination that we do not set. Remember our site provides transparency for drug prices in the United States. Changing these values in the browser, app, or text message will not result in a different price at purchase as the pharmacist at the physical pharmacy will verify the coupon on their end. That being said, if you find a way to modify the prices that are stored on our server and displayed to other users, we'd obviously consider that in-scope for a bounty.

SLA

GoodRx will make a best effort to meet the following SLAs for hackers participating in our program:

  • Time to first response (from report submit) - 2 business days

  • Time to triage (from report submit) - 2 business days

  • Time to bounty (from triage) - 1 business day

We’ll try to keep you informed about our progress throughout the process as best we can. We aim to be an industry-leading program in terms of responsiveness and promptness of bounty payments.

Careers

If you enjoy participating in our bounty program, then you'd really enjoy working for us full time! We're always actively hiring security-minded individuals and encourage you to view our list of open positions. Make sure to list HackerOne as your reference!

https://www.goodrx.com/jobs

Questions

Any questions about our bounty program or site can be directed to: security@goodrx.com

In Scope

Scope Type            Scope Name
android_application   com.goodrx
ios_application       com.goodrx.iphone
web_application       www.goodrx.com
web_application       api.heydoctor.com

Out of Scope

Scope Type            Scope Name
android_application   com.goodrx.doctors
android_application   com.goodrx.gold
ios_application       com.goodrx.doctors
ios_application       com.goodrx.gold
web_application       support.goodrx.com
web_application       sso.identity.goodrx.com
web_application       investors.goodrx.com

This program, crawled on 2020-01-30, is sorted as bounty.
