Welcome to the Doctolib Bug Bounty program! We're excited to offer a way for the security community to help us find and fix vulnerabilities on our platform.
Our mission, as a leading healthcare service provider in Europe, is to ensure the utmost confidentiality, integrity, and availability of our users' data. We are proud to invite skilled hunters to assist us in identifying vulnerabilities and strengthening the security of our platform.
We are dedicated to collaborating with the most brilliant minds in the industry to detect potential security gaps and to remain ahead of emerging threats. Our bug bounty program is a crucial element of our security strategy, and we are thrilled to make it available to the public.
Thank you for considering our program. If you have any questions, contact us at security@doctolib.com.
To ensure the safety and security of all parties involved, we have established the following cumulative eligibility rules for our bug bounty program:
Failure to comply with the preceding rules will result in the rejection of your report.
We consider that finding big bugs deserves big rewards. For this reason, we propose a specific and detailed reward structure so that there is no confusion or ambiguity in how rewards are allocated.
We have developed an in-house system for categorizing personal data based on its level of sensitivity and re-identification risk. This system enables us to precisely assess the severity of any vulnerability identified, and ensure that our bug bounty program rewards are tailored to the level of risk posed by the vulnerability.
GDPR classification | Bug Bounty typology | Description and example |
---|---|---|
Personal Information | Type 1 | Data with a low risk of re-identification: technical IDs, pseudonymized data |
Personal Information | Type 2 | Data with a medium risk of re-identification, where identification requires external data: IP address, phone number, personal address |
Personal Information | Type 3 | Data with an indisputable risk of re-identification: first name and last name, email address |
Personal Health Information | Type 4 | Data that can give insight into a person's health status (e.g. appointment data) |
Personal Health Information (and any other "special category of data" as defined in GDPR Article 9) | Type 5 | Any information collected about a person's health status, such as vital signs, test results, and medical diagnoses. This information is typically collected by healthcare providers and is used to diagnose and treat medical conditions, monitor treatment effectiveness, and track disease progression. |
This reward grid has been designed to provide clear guidelines on the types of vulnerabilities we are interested in, and the corresponding rewards for each. If you have any questions about our reward grid, we encourage you to ask for clarification by email.
Exploit (category) | Exploit (detail) | Impact on Doctolib's users (pro and patient): group of users (e.g. one HTTP request exposes several unrelated users) | Impact on Doctolib's users (pro and patient): any single randomly chosen user account (e.g. an IDOR that requires one HTTP request per user) |
---|---|---|---|
Access to PII | Access to "type 1" data | Medium | Low |
Access to PII | Access to "type 2" data | High | High |
Access to PII | Access to "type 3" data | High | High |
Access to PII | Access to "type 4" data | Critical | Critical |
Access to PII | Access to "type 5" data | Critical (see special scenarios) | Critical |
Manipulate our Patient app to send emails from Doctolib's server | Sophisticated (e.g. inserting images into Doctolib emails) | High | Medium (possibly High at our discretion) |
Manipulate our Patient app to send emails from Doctolib's server | Simple link | High | Medium |
Manipulate our Patient app to send SMS from "Doctolib" | Full control of the content | High | High |
Manipulate our Patient app to send emails from Doctolib's server | Link injection | High | High |
Cross-site scripting | Access to the DOM with user action required (e.g. reflected XSS) | High | Medium |
Note that the display of healthcare professional data (such as a professional phone number) is the normal functioning of our product. As mentioned in our Privacy Policy, Doctolib uses specialized service providers to feed its public directory (see our privacy policy on this matter: https://info.doctolib.fr/politique-de-protection-des-donnees-personnelles/).
Special bonuses are the most important reward, reserved for security vulnerabilities that pose a significant risk to our platform and cause us significant concern. If your critical vulnerability falls under any of the following scenarios, you will be rewarded with:
(instead of 20 000€)
Ability to gain privileges on any production instance of our Ruby on Rails monolith such that you can read or write the production environment variable "SECURITY_BUG_BOUNTY_DOCTOLIB_IS_PWN", which contains the URL of a webhook that triggers a security crisis. RCE in other infrastructure components does not qualify as a "game over" scenario.
Ability to use an application-level vulnerability to dump the entire patient base of any given doctor (e.g. export the patient base of a randomly chosen doctor) with a reasonably small number of requests. An IDOR that only allows extracting part of a patient base falls under the regular "critical" category.
Please note that our detection rules are not designed to filter out bug bounty user agents, as we believe that would be unfair. We encourage all participants to follow our testing precautions below and to act in an ethical and responsible manner.
We ask that you conduct your bug bounty activities in a way that does not impact the experience of our care teams or patients. If you are interested in testing something that may be considered dangerous, we encourage you to contact us by email, and we will work with you to provide the necessary testing conditions.
🧑‍⚕️ If you want to test appointment booking, do not use your real Doctolib account. Please
We strive to provide optimal testing conditions (e.g. no VPN required) but failure to adhere to the stated precautions and causing business issues will result in disqualification from the bug bounty program without reward.
TLDR;
Our applications are meant to be hardened, so you should be able to run scans against them. We only ask that you add the string "BugBounty/42 (YWH)" to the User-Agent header of your requests. This matters because, if your traffic affects the quality of our services, we will temporarily block bug bounty requests based on this user agent.
The specific user agent is required for heavy traffic. For lighter traffic while hunting for bugs, it is acceptable to temporarily use a regular user agent if you believe the marker affects your research. This must remain exceptional.
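As an added illustration of the user-agent rule above (example code, not Doctolib's or YesWeHack's own), the block below shows both sides of it: a client helper that appends the "BugBounty/42 (YWH)" marker to whatever User-Agent a scanner already sends, and a server-side filter that recognizes marked requests in access-log lines so they can be rate-limited or blocked without touching patient traffic. The log format, hostnames, paths and IP addresses are constructed for the demo; note that the match is case-sensitive, so a hunter who retypes the marker in lowercase would not be recognized and would lose the protection the rule is meant to give.

```python
"""Tag scanner traffic with the program marker, and detect it server-side.

Added example; not code from Doctolib or YesWeHack. Log lines are constructed.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Exact string the program asks hunters to add to their User-Agent header.
BOUNTY_MARKER = "BugBounty/42 (YWH)"

# re.escape is required: "/", "(" and ")" are regex metacharacters.
# Case-sensitive on purpose: the program asks for this exact string.
_MARKER_RE = re.compile(re.escape(BOUNTY_MARKER))


def tag_user_agent(user_agent: str) -> str:
    """Append the marker to an existing User-Agent; idempotent."""
    ua = user_agent.strip()
    if _MARKER_RE.search(ua):
        return ua
    return f"{ua} {BOUNTY_MARKER}" if ua else BOUNTY_MARKER


def bounty_headers(base_user_agent: str = "research-scanner/1.0") -> Dict[str, str]:
    """Headers to hand to an HTTP client or scanner so every request is marked.

    The base user agent is an assumed placeholder; use your tool's real one.
    """
    return {"User-Agent": tag_user_agent(base_user_agent)}


def is_bounty_request(user_agent: str) -> bool:
    """Server-side check: does this User-Agent carry the program marker?"""
    return bool(_MARKER_RE.search(user_agent or ""))


# Constructed combined-format access log lines (documentation IP ranges,
# made-up paths). Line 4 has the marker in the wrong case and is NOT matched.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2024:10:00:00 +0100] "GET /account HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) research-scanner/1.0 BugBounty/42 (YWH)"
203.0.113.10 - - [01/Jan/2024:10:00:01 +0100] "GET /api/v1/patients/1 HTTP/1.1" 403 42 "-" "BugBounty/42 (YWH)"
198.51.100.7 - - [01/Jan/2024:10:00:02 +0100] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
192.0.2.55 - - [01/Jan/2024:10:00:03 +0100] "GET /login HTTP/1.1" 200 800 "-" "python-requests/2.31 bugbounty/42 (ywh)"
"""

# Combined log format: ip ident user [time] "request" status bytes "referer" "ua"
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def classify_log(lines: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Split parsed requests into (bounty, other) by their User-Agent.

    Returns the request lines ("METHOD /path HTTP/x") of each group, which is
    what a temporary block or rate limit would be keyed on during an incident.
    """
    bounty: List[str] = []
    other: List[str] = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # unparseable line: leave it alone rather than guess
        target = bounty if is_bounty_request(m.group("ua")) else other
        target.append(m.group("req"))
    return bounty, other


if __name__ == "__main__":
    print("client header:", bounty_headers())
    tagged, untagged = classify_log(SAMPLE_LOG.splitlines())
    print("bounty requests:", tagged)
    print("other requests:", untagged)
```

Pass `bounty_headers()` to your HTTP client (for example as the `headers=` argument of a `requests.Session`) or configure the same tagged string as your scanner's User-Agent; the server-side `classify_log` is the kind of filter a provider can key a temporary block on, which only works if the marker is present and spelled exactly.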
We encourage all hunters to report any vulnerabilities they find in our system, and we provide clear channels for communication and feedback. If you believe you have discovered a vulnerability, we recommend that you report it through the YesWeHack platform, where we run our bug bounty program.
You can contact us by email at security@doctolib.com for any reason, such as requesting testing conditions or asking for clarification on our program rules.
Certain features of Doctolib Pro are free and require regular identity verification (for example, the Siilo app). These features are within the scope of this public bug bounty program.
Other free features require verification of the right to practice through a government-issued ID document (e.g., Carte Professionnelle de Santé). These features are outside the scope of this public bug bounty program.
Here, you'll find some explanations regarding the business logic behind certain features. These explanations are provided to help you save time during your research, giving you a clearer focus.
The medical data synchronization process updates appointment data or patient messaging data in order to link them to an account. Here is what you need to know:
The email address and/or phone number given at the time of the appointment booking or the patient messaging creation will receive a link. Clicking this link starts the synchronization process. Here are the requirements to successfully complete the synchronization process:
Scope Type | Scope Name |
---|---|
android_application | http://play.google.com/store/apps/details?id=fr.doctolib.www |
android_application | https://play.google.com/store/apps/details?id=com.siilo.android&hl=en |
application | *.siilo.com |
ios_application | https://apps.apple.com/fr/app/doctolib/id925339063 |
ios_application | Special scenarios (see description) |
ios_application | https://apps.apple.com/ie/app/doctolib-siilo/id1083002150 |
web_application | www.doctolib.(fr|de|it) |
web_application | *.doctolib.(fr|de|it|com|net) |
web_application | pro.doctolib.(fr|de|it) (see "Free features for healthcare professionals") |
Note: should you discover a critical issue within an asset that falls outside the program's scope, we would appreciate it and may choose to offer a reward at our discretion.
Scope Type | Scope Name |
---|---|
web_application | doctocommit.doctolib.fr |
web_application | doctolib.atlassian.net |
web_application | doctolib.zendesk.com |
web_application | store.doctolib.com |
web_application | share.doctolib.net |
web_application | community.doctolib.(com|fr|de|it) |
This program was found on YesWeHack on 2022-04-15.
FireBounty © 2015-2025