Redox accelerates the development and distribution of digital health solutions with a full-service healthcare integration platform to securely and efficiently exchange data. Healthcare organizations and technology vendors connect once and authorize the data they send and receive across the most extensive interoperable network in healthcare.
Keeping healthcare data secure is our highest priority, so we welcome testing and responsible disclosure of potential security risks you identify.
IMPORTANT: Please make sure you are testing only in-scope targets (DO NOT TEST https://dashboard.redoxengine.com). REFER CAREFULLY TO IN SCOPE AND OUT OF SCOPE TARGETS BELOW.
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher, along with the opportunity to appeal and make a case for a higher priority. Please see below for deviations from the standard VRT.
Rewards are paid within the ranges specified below. We will determine what payout in this range is suitable based on the complexity of the exploit, the quality of the submission, and the criticality of the system the bug was found in.
We will make an effort to respond as fast as possible to all submissions.
Last updated 31 Jan 2019 00:50:28 UTC
Technical severity | Reward range
P1 Critical | $1,000 - $1,500
P2 Severe | $500 - $800
P3 Moderate | $100 - $200
P4 Low | $50 - $100
P5 submissions do not receive any rewards for this program.
In-scope targets
Target name | Type
10x.redoxengine.com | Website
testapp.redoxengine.com | API
developer.redoxengine.com/ | Website
www.redoxengine.com/ | Website
Out-of-scope targets
Target name | Type
dashboard.redoxengine.com | Website
candi.redoxengine.com | API
api.redoxengine.com | API
www.redoxengine.com/support-request/ | Website
<https://jobs.lever.co/redoxengine/> | Website
<https://www.redoxengine.com/contact-us/> | Website
<https://www.redoxengine.com/support-request/> | Website
Testing is only authorized on the targets listed as In-Scope. Any domain/property of Redox not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you believe you've identified a vulnerability on a system outside the scope, please reach out to firstname.lastname@example.org before submitting.
https://10x.redoxengine.com/* - This instance of our Dashboard offers the same functionality as our production instance. We encourage researchers to create multiple accounts (organisations) in this dashboard.
We also encourage testing of our Marketing, Blog and Docs content available at www.redoxengine.com and developer.redoxengine.com.
Please note these are production services and the production Dashboard linked from these pages is out of scope.
Researchers can self-provision credentials using their @bugcrowdninja.com email address. For more info regarding @bugcrowdninja email addresses, see here.
We encourage you to use multiple accounts in testing via the alias sub-addressing feature at signup with an email address such as email@example.com.
Signing up will create an organization. Once authenticated, researchers can create four different roles for additional users in that organization:
Testers should focus on potential cross account access or escalation of privileges within the console, in addition to standard web application issues.
We encourage researchers to review our Docs to learn about how our platform works.
DDoS and DoS Vulnerabilities
DDoS vulnerabilities are out of scope of this program (i.e. any attack requiring more than a small number of resources). DoS vulnerabilities which cause application "slowdown" will be considered P5/Informational, unless the researcher can demonstrate that the bug is severe enough to disable OTHER sessions and site functionality without a large number of resources. Bugs which cannot clearly show the impact on OTHER users without significant resources will be considered DDoS.
Subdomain takeovers require proof of takeover. Please include a screenshot of the domain taken over temporarily. Subdomains explicitly listed in the target list below will be awarded as a P2, other domains will be awarded as a P3.
Customer and Third Party Applications
While customer and third-party applications built on Redox are technically out of scope, we will support the responsible disclosure of any issue and support forwarding these problems to the third party. For this reason we encourage you to submit these issues if you find them during your testing (such as a key to our API that a customer posts to GitHub), and we may offer discretionary rewards in these cases.
AWS S3 buckets not clearly linked to Redox. (This does not include buckets with "redox" in their name.) Any submissions must include how the bucket name is linked to Redox (from documentation, code or application links) or they will be rejected as out of scope.
Example code or code in our documentation.
When conducting vulnerability research according to this policy, we consider this research to be:
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through this program, or inquire via firstname.lastname@example.org before going any further.
This program follows Bugcrowd’s standard disclosure terms.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.
Contact us if you want more information.