Maintaining top-notch security is an ongoing priority at drchrono, and you can help us make drchrono more secure. If you believe you have found a security vulnerability, we encourage you to let us know as soon as possible so we can do our best to fix the problem immediately.
We strive to triage reports within 3-5 business days and to comment/resolve found issues within 30-45 business days.
The following sites and applications are in scope for this program:
The following issues are outside the scope of our program:
The drchrono Android app (it's just a webview of our site and it's no longer supported)
Issues related to software not under drchrono control
Additionally, issues which we are unable to reproduce will be closed as not applicable.
Eligible reporters of qualifying security vulnerabilities may receive rewards. Our minimum reward for reports that demonstrate leaked or modified doctor or patient data is $50 USD. There is no maximum. drchrono will determine whether the minimum reward should be granted to reports that don't demonstrate a full exploit (e.g. XSS limited to within a practice group). This is not a competition and only one reward per security bug will be awarded.
For reports that demonstrate PHI exposure from outside of the owner's account (does not require malicious staff), we will award a minimum of $200. For large-scale PHI exposure from outside the account, we will award a minimum of $500.
To get access to the API, you must email firstname.lastname@example.org with your drchrono and HackerOne username. You can then create an API application at https://drchrono.com/api-management. The minimum award for security bugs in the API is $100 instead of $50.