Banner object (1)

Hack and Take the Cash !

821 bounties in database
  Back Link to program      
HealthifyMe's Vulnerability Disclosure Program logo
Hall of Fame

HealthifyMe's Vulnerability Disclosure Program


HealthifyMe invites you to test and help secure our publicly accessible web presence - focusing on, but not limited to, our web and mobile applications. We appreciate your efforts and hard work in making the internet more secure, and look forward to working with the researcher community to create a meaningful and successful bug bounty program. Good luck and happy hunting!


For the initial prioritization/rating of findings, this program will use theBugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

Submission suggestion:

Providing a video POC is highly encouraged. Submissions with a clear video POC are generally processed faster than those without.

This program only awards points for VRT based submissions.


In scope

Target name | Type
* | Website
[]( | Android
< coach/id943712366?mt=8> | iOS
Any publicly facing asset owned by HealthifyMe (ip space, domains, etc) | Website

Out of scope

Target name | Type
---|--- | Website

Any domain/property of HealthifyMe not listed in the targets section is out of scope. This includes any/all subdomains not listed above.

Target Info:

  • Please feel free to report on vulnerabilities found on any of HealthifyMe's public assets.
  • * - our publicly facing web application.
    • NOTE: researchers are NOT able to sign up directly from the website. You must register using the mobile apps, and then can login and test the webapp as well.
  • HealthifyMe Android and iOS apps, available via their respective app stores.
    • Please note that these apps can be downloaded from the app stores across the world, except for in the EU - this is due to GDPR regulations. For those looking to test from EU you can download the direct .ipa or .apk files from here: APK: and IPA:


Researchers are encouraged to self-provision accounts for the in-scope targets as they're able to. However, it's worth noting that there is also a paid/trial option as well (at this time, paid accounts will not be provided for testing purposes). Please only test against/with accounts that you expressly own. Make sure to sign up using you email address.

UPDATE 2018 September 28:
To clarify, Researchers can sign up for a free account. HealthifyMe is not providing Paid/Premium accounts to researchers on this program.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

Learn more about Bugcrowd’s VRT.

In Scope

Scope Type Scope Name





Any publicly facing asset owned by HealthifyMe (ip space, domains, etc)

Out of Scope

Scope Type Scope Name

This program leverage 5 scopes, in 3 scopes categories.

FireBounty © 2015-2020

Legal notices