LifeOmic looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.

Everything you need to know to start hacking - IMPORTANT

We have built a hacker documentation site that outlines things like account creation, main points of entry, our tech stack, and fake test data. Let us know if you need anything added to make it easier to hack. Check it out here:


Please only use your @wearehackerone.com email addresses for new account creation. Multiple accounts can be self-created using [username]+[any_identifier]@wearehackerone.com


Please do not use any LifeOmic contact forms or LifeOmic email aliases in an attempt to contact us. We have set up a Slack workspace for you to use as a method of contact and to collaborate with us and other LifeOmic hackers. We will occasionally announce new features/products available for testing there. Unless the question is sensitive, please try to ask in an open channel so all hackers have visibility. Please be patient as our response times may vary.

Get access here: Slack Invite Link


This is really the most important part, right?

We have designed limited-edition hacker challenge coins for each severity level (Low-Critical) and will ship one of the coins out to you for your first valid finding of each severity level, plus award the corresponding bounty amount. To keep you coming back for more, every calendar year we will be rolling out new designs so you will be eligible to receive a new coin each year for the corresponding severity level.

Severity | Reward
Critical | Critical Coin + $1500
High     | High Coin + $750
Medium   | Medium Coin + $200
Low      | Low Coin

Our 2020 Coins:


Ratings: We decide the severity rating based on true impact. The more damage you could do or data you can access, the higher the reward will be. Unlike traditional programs, and because we are mostly serverless, an RCE may not actually be a critical (unless you can get to sensitive data, pivot, etc.); however, a serious IDOR or business logic flaw could be. Show us your best impact.

Found the same vulnerability in multiple areas? If our fix solves the issue across all occurrences of the bug, we will pay out for a single occurrence of the bug. Example: An outdated JavaScript library allows for an XSS. The library is used on both subdomain1.dev.lifeomic.com and subdomain2.dev.lifeomic.com. Our fix of patching the library would fix the issue across both subdomains, so we will pay the hacker for the first report and mark the second as a duplicate of the first. Have questions? Hit us up on our Slack instance.

Program Rules

  • Please provide detailed reports with reproducible steps.
  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
  • If you are able to obtain access to production data, including PHI, please do NOT pivot internally, and do NOT exfiltrate any sensitive data. If you find a bug of this nature, please report it first and wait for instructions on how to proceed.

Known or Accepted Issues

  • Forgot password user enumeration - we are working on a long-term fix.
  • Token expiration - Tokens (except refresh tokens) should only last 60 minutes. Our tokens currently do not expire if the user logs out or changes their password (we're working on a long-term fix for this). If you find something otherwise, please report it for review.
  • Travis keys - They should all be encrypted. If you find an unencrypted key, please report it.

Out of scope vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:

  • DO NOT hack against the lifeomic.com WordPress sites. This includes all contact forms.
  • xmlrpc.php reports
  • Internal IP exposure, unless you can do something impressive with it
  • Clickjacking on pages with no sensitive actions.
  • Unauthenticated/logout/login CSRF.
  • CORS Misconfiguration or Host Header Injection (unless a PoC is provided that shows impact without user interaction)
  • Attacks requiring MITM or physical access to a user's device.
  • Previously known vulnerable libraries without a working Proof of Concept.
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.
  • Missing best practices in SSL/TLS configuration.
  • Any activity that could lead to the disruption of our service (DoS, DDoS).
  • Brute-force / Rate-limiting
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
  • Self-XSS
  • SPF/TXT records
  • RCEs without access to sensitive data (namely RCEs in User-Defined Functions that do not provide access to PII or PHI; feel free to test AWS keys you may find here)

Response Targets

We understand no one likes to wait. LifeOmic will make a best effort to meet the following response targets for hackers participating in our program:

  • Time to first response (from report submit) - 5 business days
  • Time to triage (from report submit) - 10 business days

We’ll try to keep you informed about our progress throughout the process.

Disclosure Policy

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for your work in keeping LifeOmic safe for everyone. We’re excited to see what you have in store for us this year!

Happy Hacking!

This program was crawled on 2018-03-08 and is sorted as bounty.

FireBounty © 2015-2020
