30/01/2020
GoodRx

Intro

GoodRx is America’s #1 prescription price transparency platform. More than 10 million people use GoodRx’s website and popular mobile apps each month. We help consumers save up to 80% on their medications by delivering prices and available discounts at nearly every pharmacy in the U.S. More than 280,000 healthcare professionals use GoodRx, and our services have been positively reviewed by Good Morning America, the American Heart Association, The New York Times, ABC News, NBC News, AARP, Forbes, Consumer Reports, and many others.

Our goal is to provide Americans with convenient and affordable prescription drugs. We offer solutions for consumers, employers, health plans and anyone else who shares our desire to provide affordable prescriptions to all Americans in a safe, compliant and private manner.

Program Rules

  • Please read our entire policy page before you begin! Honestly, read the entire policy. This will help save you time and reduce the chances of submitting a finding that's deemed Not Applicable.
  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
  • When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
  • We want you to search for bugs, not user data. If you encounter user information during your testing, stop immediately and notify us through HackerOne. Further guidance will be provided along with an appropriate bounty.
  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
  • Refrain from automated scanning against these URLs: https://www.goodrx.com/coupon/ , https://www.goodrx.com/professionals , https://www.goodrx.com/discount-card and https://www.goodrx.com/jobs
  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
  • Don’t leave any system in a more vulnerable state than you found it.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
  • Only interact with GoodRx accounts you own. (Ex: GoodRx Gold family accounts)
  • Be respectful when interacting with our team, and our team will do the same.
  • Social engineering attacks (e.g. spear phishing) are prohibited.
  • Do not engage in conversation with our support or doctor personnel.

Disclosure Policy

  • Don’t publicly disclose a vulnerability without our consent and review.
  • In addition, follow HackerOne's disclosure guidelines.

Out of scope vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope and will not be eligible for a bounty:

  • CSRF in unauthenticated or non-sensitive forms. (Ex: drug search and logout)
  • Attacks requiring MITM or physical access to a user's device.
  • Missing best practices in SSL/TLS configuration. (Lack of HSTS, additional security headers, etc.)
  • Any activity that could lead to the disruption of our service (DDoS).
  • Content spoofing and text injection issues without a demonstrated attack vector or the ability to modify HTML/CSS.
  • Username enumeration based on login or forgot password pages.
  • Rate-limiting issues.
  • Enforcement policies for brute force or account lockout.
  • Presence of autocomplete functionality in form fields.
  • Clickjacking due to a lack of X-Frame-Options use.
  • Lack of HttpOnly or Secure cookie flags on non-sensitive cookies.
  • Any vulnerabilities on subdomains or assets that are not explicitly listed in the scope.
  • Reports of vulnerabilities on third party software, such as Zendesk, Palo Alto Networks, etc.

GoodRx Coupons Overview

Be aware that drug prices displayed on GoodRx are coupon prices for a specific pharmacy and drug combination that we do not set. Remember, our site provides transparency for drug prices in the United States. Changing these values in the browser, app, or text message will not result in a different price at purchase, as the pharmacist at the physical pharmacy will verify the coupon on their end. That being said, if you find a way to modify the prices that are stored on our server and displayed to other users, we'd obviously consider that in scope for a bounty.

SLA

GoodRx will make a best effort to meet the following SLAs for hackers participating in our program:

  • Time to first response (from report submit) - 2 business days
  • Time to triage (from report submit) - 2 business days
  • Time to bounty (from triage) - 2 business days

We’ll try to keep you informed about our progress throughout the process as best as possible. We aim to be an industry leading program in terms of responsiveness and promptness of bounty payments.

Careers

If you enjoy participating in our bounty program, then you'd really enjoy working for us full time! We're always actively hiring security-minded individuals and encourage you to view our list of open positions. Make sure to list HackerOne as your reference!

https://www.goodrx.com/jobs

Questions

Any questions about our bounty program or site can be directed to: security@goodrx.com

In Scope

Scope Type           Scope Name
android_application  com.goodrx
android_application  https://play.google.com/store/apps/details?id=com.goodrx
ios_application      com.goodrx.iphone
ios_application      https://itunes.apple.com/app/id485357017
web_application      www.goodrx.com
web_application      gold.goodrx.com
web_application      heydoctor.goodrx.com
web_application      security@goodrx.com

Out of Scope

Scope Type           Scope Name
android_application  com.goodrx.doctors
android_application  https://play.google.com/store/apps/details?id=com.goodrx.doctors
android_application  com.goodrx.gold
android_application  https://play.google.com/store/apps/details?id=com.goodrx.gold
ios_application      com.goodrx.doctors
ios_application      https://itunes.apple.com/app/id1122105489
ios_application      com.goodrx.gold
ios_application      https://itunes.apple.com/app/id1249717355
web_application      support.goodrx.com
web_application      sso.identity.goodrx.com
web_application      remote2.goodrx.com
web_application      remote.goodrx.com


This program, crawled on 2020-01-30, is sorted as bounty.

FireBounty © 2015-2020