2018-03-08
2020-04-21
LifeOmic

LifeOmic understands the value in working with HackerOne researchers to keep the business and its customers safe, and is excited to do so.

IMPORTANT - TL;DR Before Hacking Against LifeOmic

If you're in a hurry to hack, please read and understand the following first:

  1. Only hack assets listed on our scope page.

  2. NEVER exfiltrate sensitive data or pivot internally in the case a PoC exploit is successful.

  3. All reports must include a valid, impactful PoC with reproducible steps to be considered for bounty. No exceptions.

  4. Be courteous. We do our best to be fair and objective in triage and resolution, and appreciate your respect.

About Our Platform / Hacker Setup

Products

LifeOmic has several products that can be used alone or in conjunction with each other as a platform for precision health and wellness. Our products are meant for everyone from end users wanting to improve their health all the way to large research organizations performing analysis of large data sets. Our individual products in scope are as follows:

  • Precision Health Cloud (PHC)

  • LIFE and LIFE Extend mobile apps

  • Precision Wellness

  • Precision OCR

  • Lifeology

  • Skillspring

  • Precision Outcomes

NOTE: all hacking must be done on the DEV instance of the product (*.dev.lifeomic.com). Any domain on us.lifeomic.com is OUT OF SCOPE.

For more info about each product, visit https://lifeomic.com/products/.

Please refer to our documentation for details about technical use of the products: https://docs.us.lifeomic.com/.

Our infrastructure is hosted on AWS and we use a serverless approach wherever possible. Our tech stack consists of NodeJS, Python, React, and React Native.

Account Setup

It is important to understand that LifeOmic products have the concept of a user account and an organizational account. Users have policies which give them various access levels to one or more organizational accounts. The relationship between users and organizations is many to many (organizations can have multiple users with access, and users can have access to multiple orgs).

First, create a user account at https://apps.dev.lifeomic.com/login. Please only use your @wearehackerone.com email addresses for new account creation. Multiple accounts can be self-created using [username]+[any_identifier]@wearehackerone.com.

This user can access any of LifeOmic's products given the correct access.

Next, create an organizational account at https://apps.dev.lifeomic.com/product-setup or https://apps.dev.lifeomic.com/phc/account/accounts/create/force. When specifying your org account name, prefix it with h1_ and then the name you'd like, such as h1_bob_org.

Communication

Please keep communication to within the HackerOne platform. If urgent communication is necessary (such as finding exposed PHI), contact security@lifeomic.com. Do not send reports, findings, complaints, or other information to this address.

Program Rules

  • Please provide detailed reports with reproducible steps. The report must provide a clear proof of concept specific to LifeOmic that demonstrates an impactful security issue.

  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.

  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.

  • If you are able to obtain access to production data, including PHI, please do NOT pivot internally, and do NOT exfiltrate any sensitive data. If you find a bug of this nature, please report it first and wait for instructions on how to proceed.

Severity Ratings

We decide the severity rating based on true impact to the business and end users. The more damage you could do or data you can access, the higher the reward will be. Unlike traditional programs, and because we are mostly serverless, an RCE may not actually be a critical issue (unless you can get to sensitive data, pivot, etc.); however, a serious IDOR or business logic flaw could be. Show us your best impact.

Found the same vulnerability in multiple areas? If our fix works to solve the issue across all occurrences of the bug, we will pay out for a single occurrence of the bug. Example: an outdated JavaScript library allows an XSS. The library is used on both subdomain1.dev.lifeomic.com and subdomain2.dev.lifeomic.com. Our fix of patching the library would fix the issue across both subdomains, so we will pay the hacker for the first report and mark the second as a duplicate of the first.

Known or Accepted Issues

We have several individual issues or issue classifications that will be marked as duplicates or N/A immediately upon submission. These include:

  • Forgot password (and other) user enumeration - we are working on a long-term fix

  • Session / token expiration: Tokens (except refresh tokens) should only last 60 minutes. Our tokens currently do not expire if the user logs out or changes their password. Tokens are not invalidated until they reach their minted expiration time. We are not accepting reports for these types of issues as we have identified and are applying a fix across our products.

  • Public API keys / tokens that have been “leaked”. If the API key is meant to be public according to vendor documentation, and/or the token cannot be used by an end user to perform unintended actions, the report will be marked N/A.

  • Purposefully public data in the mobile app as per privacy settings, including first and last name, profile picture, profile description, cumulative LIFE points and surrounding metrics.
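The token-lifetime item above describes a token that is only checked against its minted expiry, so it keeps working after logout or a password change until the 60 minutes run out. The following is an added illustration of that behaviour beside the usual fix, a per-user "not-before" timestamp recorded on logout or password change; it is constructed example code, not LifeOmic's implementation, and the token format, key and function names are assumptions.

```python
"""Token lifetime check (expiry only) versus the same check with per-user revocation.
Constructed example; not LifeOmic code. The simplified HMAC-signed token stands in for
whatever token format the real service uses."""
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional

TOKEN_LIFETIME_SECONDS = 60 * 60  # 60-minute access tokens, as the policy states
SECRET = b"constructed-demo-key-not-a-real-secret"  # constructed; a real service uses a managed key


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(user_id: str, now: int) -> str:
    """Mint a simplified HMAC-signed bearer token carrying issued-at and expiry claims."""
    claims = {"sub": user_id, "iat": now, "exp": now + TOKEN_LIFETIME_SECONDS}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def _verify_and_decode(token: str) -> Optional[dict]:
    """Return the claims if the signature verifies; any malformed or tampered input yields None."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        return json.loads(_unb64(body))
    except ValueError:  # wrong number of parts, bad base64 (binascii.Error is a ValueError), bad JSON
        return None


def validate_expiry_only(token: str, now: int) -> bool:
    """The behaviour the policy lists as a known issue: only the minted expiry is checked,
    so the token stays usable after logout or a password change until it expires."""
    claims = _verify_and_decode(token)
    return claims is not None and now < claims["exp"]


def revoke_user_tokens(state: Dict[str, int], user_id: str, now: int) -> None:
    """Record a per-user not-before time; call this on logout and on password change."""
    state[user_id] = now


def validate_with_revocation(token: str, now: int, state: Dict[str, int]) -> bool:
    """Hardened check: signature, minted expiry, and rejection of any token minted at or before
    the user's last logout / password change. Tokens minted in the same second as the
    revocation event are rejected too (conservative choice at second granularity)."""
    claims = _verify_and_decode(token)
    if claims is None or now >= claims["exp"]:
        return False
    return claims["iat"] > state.get(claims["sub"], -1)
```

The revocation state only needs one integer per user and is consulted on every request, which is the usual trade-off for short-lived bearer tokens that cannot be recalled once issued: the expiry bounds how long the entry must be kept, and refresh tokens are handled separately, as the policy notes.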

Out of Scope Vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:

  • Any vulnerability report without an impactful PoC, including but not limited to CSRF without an impactful action (especially when unauthenticated), clickjacking on pages without sensitive actions, CORS misconfigurations, use of libraries with CVEs without an exploit, self-XSS, injection without exploitation, etc.

  • Attacks requiring MITM or physical access to a user's device.

  • DoS or DDoS vulnerabilities (such as brute force or rate-limiting based issues)

  • Issues related to WordPress sites, such as issues with XMLRPC.php

Response Targets

We understand that no one likes to wait. LifeOmic will make a best effort to meet the following response targets for hackers participating in our program:

  • Time to first response (from report submit) - 5 U.S. business days

  • Time to triage (from report submit) - 10 U.S. business days

We’ll try to keep you informed about our progress throughout the process.

Disclosure Policy

In order to simplify the process and decrease our overall time to resolution on reports, we do not offer report disclosure.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for your work in keeping LifeOmic safe for everyone. We’re excited to see what you have in store for us this year!

Happy Hacking!

In Scope

Scope Type            Scope Name
android_application   com.lifeomic.lifefasting
android_application   com.lifeomic.lifeextend
ios_application       com.lifeomic.life
ios_application       com.lifeomic.LIFEExtend
other                 Scope Not Listed (See Instruction)
web_application       *.infra.lifeomic.com
web_application       *.dev.lifeomic.com
web_application       https://github.com/lifeomic/cli
web_application       https://apps.wellness.dev.lifeomic.com
web_application       https://lifeology.dev.lifeomic.com
web_application       apps.dev.lifeomic.com/phc
web_application       apps.dev.lifeomic.com/precision-ocr
web_application       connect-console.dev.lifeomic.com
web_application       apps.dev.skillspring.com
web_application       marketplace.dev.lifeomic.com
web_application       ga4gh.dev.lifeomic.com
web_application       api.dev.lifeomic.com
web_application       api.dev.lifeomic.com/graphql
web_application       fhir.dev.lifeomic.com

Out of Scope

Scope Type            Scope Name
other                 DMARC, SPF, DKIM
web_application       *.us.lifeomic.com
web_application       https://lifeapps.io
web_application       info.lifeomic.com
web_application       lifeomic.com
web_application       fed.*.lifeomic.com
web_application       fed.*.skillspring.com


This program, crawled on 2018-03-08, is sorted as bounty.

FireBounty © 2015-2024
