

Maintaining top-notch security is an ongoing priority at drchrono, and you can help us make drchrono more secure. If you believe you have found a security vulnerability, we encourage you to let us know as soon as possible so we can do our best to fix the problem immediately.

We strive to triage reports within 3-5 business days and to comment/resolve found issues within 30-45 business days.

The following sites and applications are in scope for this program:



Non-qualifying Reports

The following issues are outside the scope of our program:

  • The drchrono Android app (it's just a webview of our site and it's no longer supported)

  • Issues related to software not under drchrono control

  • Provisioning errors
  • Violation of licenses or other restrictions applicable to any vendor's product
  • Social engineering techniques on drchrono or medical practice staff
  • Spam
  • Phishing
  • Denial-of-service attacks, unless they are part of another attack (e.g. a deflation bomb which is used to disable a virus scanner, which then allows standard attacks)

Additionally, issues which we are unable to reproduce will be closed as not applicable.


Eligible reporters of qualifying security vulnerabilities may receive rewards. Our minimum reward for reports that demonstrate leaked or modified doctor or patient data is $50 USD. There is no maximum. drchrono will determine whether the minimum reward should be granted to reports that don't demonstrate a full exploit (e.g. XSS limited to within a practice group). This is not a competition and only one reward per security bug will be awarded.

For reports that demonstrate PHI exposure from outside of the owner's account (does not require malicious staff), we will award a minimum of $200. For large-scale PHI exposure from outside the account, we will award a minimum of $500.


To get access to the API, you must email api@drchrono.com with your drchrono and HackerOne username. You can then create an API application at https://drchrono.com/api-management. The minimum award for security bugs in the API is $100 instead of $50.

Thank you.

This program was found on HackerOne on 2016-05-25.
