[{"id":3768793,"new_policy":"Our Security team identifies, evaluates, and manages vulnerabilities across Redox, including corporate assets, applications, and cloud infrastructure. Our purpose is to reduce risk exposure and support our goal to become the most trusted brand in healthcare technology.\n\nWith you as an extension to our team, we can achieve that goal and ultimately protect patient data.\n\n# Response Targets\nRedox will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\n**Important:** Even after HackerOne triage, the Redox team may close a ticket at any time with no payout (e.g., if it's a duplicate or we decide not to fix the issue). For duplicates, we may not provide links to the original ticket, especially if the original reporter prefers privacy or the ticket is in our internal system.\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Program Rules\n\n**Report Requirements:**\n* Provide detailed reports with reproducible steps. Reports lacking sufficient detail for reproduction are not eligible for rewards.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to demonstrate impact.\n* When duplicates occur, we only award the first report received (provided it can be fully reproduced). 
Evidence will be provided via the original ticket number and/or title.\n* Multiple vulnerabilities caused by one underlying issue will receive one bounty.\n\n**Testing Guidelines:**\n* Social engineering (e.g., phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, data destruction, and service interruption or degradation.\n* Only interact with accounts you own or with explicit permission from the account holder.\n\n**Eligibility:**\n* Current Redox employees and contractors are not eligible. Former employees and contractors become eligible 6 months after termination.\n\n# Getting Started\n\n## Account Setup and Permissions\n\nTo begin testing, request elevated permissions through our Service Portal: - [Google Form - Request for Elevated Permissions / Account Provisioning](https://forms.gle/BmwJaEqCa8ofwdJn7)\n\nThis allows us to provision resources specific to your testing.\n\n**Account Requirements:**\n* Use your `@wearehackerone.com` email address when creating accounts\n* If you need separate accounts, you can [use an alias](https://docs.hackerone.com/hackers/hacker-email-alias.html#multiple-aliases)\n* This helps us identify you as a researcher, not a malicious user\n\n**Testing Guidance:**\n* Reference our [Change Log](https://www.redoxengine.com/blog/category/redox/changelog/) for the latest product additions and functionality to test \n\n## Test Environment URLs\n\n**Important:** All documentation references production resources. 
Always use the staging equivalents below for testing.\n\n| **Staging URL (Use for Testing)** | **Production Equivalent** | **Description** |\n| ------------- | ------------- | ------------- |\n| **10x.redoxengine.com** | dashboard.redoxengine.com | UI - Frontend of Dashboard |\n| **testapp.redoxengine.com** | candi.redoxengine.com | API - Backend of Dashboard |\n| **testapi.redoxengine.com** | api.redoxengine.com | API - FHIR/DataModel API |\n\n## API Documentation\n\n* [Overall documentation](https://docs.redoxengine.com/)\n* [FHIR API](https://docs.redoxengine.com/permalink/3XuY7RCaQV4Dscsy6gL8wR)\n* [Datamodel API](https://docs.redoxengine.com/permalink/6hnGvNQQLFgb8s0W7SFfvt)\n* [Platform API](https://docs.redoxengine.com/permalink/5mfjvKdJt3bRS8d5B4POP2)\n\n# Program Scope\n\n## Critical Application Resources\n\nWe are primarily looking for vulnerabilities in these critical resources:\n- **10x.redoxengine.com** (Main Dashboard)\n- **testapp.redoxengine.com** (Dashboard Backend API)\n- **testapi.redoxengine.com** (FHIR/DataModel API)\n\n\n# Out of Scope\n\nWhen reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact. 
The following issues are out of scope:\n\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* CSV injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Content spoofing and text injection issues without showing an attack vector or ability to modify HTML/CSS\n* Missing best practices in Content Security Policy\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (invalid, incomplete, or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers (less than 2 stable versions behind the latest release)\n* Software version disclosure, banner identification issues, or descriptive error messages/headers (e.g., stack traces, application or server errors)\n* Public zero-day vulnerabilities that have had an official patch for less than 1 month (awarded on a case-by-case basis)\n* Tabnabbing\n* Open redirect (unless an additional security impact can be demonstrated)\n* Any activity that could lead to service disruption (DoS)\n* Rate limiting or bruteforce issues on non-authentication endpoints and our external Help Desk forums (https://redoxengine.atlassian.net/servicedesk/customer/portals)\n* Removing all organization owners or demoting all users to \"basic user\" role\n* Creating an organization with the same name as an existing organization\n* Broken Link Hijacking on https://www.redoxengine.com\n* Demo Personal Identifiable Information (PII) in `/static/js/main.*.js` or in API Actions\n* Ability to create resources (alerts, sources, destinations) as a Free Tier User/Org\n  * **Note:** There is a frontend UI block, but no backend resource blocking for this.\n\n## Denial of Service (DoS) Policy\n\nDoS 
vulnerabilities are out of scope (any attack requiring more than a small number of resources). DoS vulnerabilities causing application \"slowdown\" will be considered Informational, unless the researcher can demonstrate the bug is severe enough to disable other sessions and site functionality without significant resources. Bugs that cannot clearly show impact on other users without significant resources will be considered DDoS.\n\n**Rate Limiting Infrastructure:**\n\nWe utilize a Web Application Firewall (WAF) for rate limiting:\n- API traffic: 5000 requests per 5 minutes per IP\n- HTTP traffic: 500 requests per 5 minutes per IP\n\n# Disclosure Policy\n\n* As this is a private program, do not discuss the program or any vulnerabilities (even resolved ones) outside of the program without express consent from Redox.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n---\n\nThank you for helping to secure Redox!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-01-26T19:03:59.619Z"},{"id":3768792,"new_policy":"Our Security team identifies, evaluates, and manages vulnerabilities across Redox, including corporate assets, applications, and cloud infrastructure. Our purpose is to reduce our risk exposure and support our goal to become the most trusted brand in healthcare technology.  
With you as an extension to our team, we can achieve that goal and ultimately protect patient data.\n\n# Response Targets\nRedox will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nPlease be aware that, even if the HackerOne team has triaged a ticket, the Redox team may potentially close the ticket at any time with no payout, e.g. if we discover that it is a duplicate or if we decide not to fix the issue. Further note that if the report is a duplicate, we may potentially not provide any links to the original ticket, especially if the original reporter would prefer that their report be kept private or if the original ticket exists within our internal ticketing system.\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). Evidence of duplicate reports will be provided in the form of the original ticket number and/or title of the original report.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder.\n* You must not be a current Redox colleague or contractor. 
You will be considered eligible to participate in the program 6 months after termination of employment.\n\n# Test Plan\n* To begin researching our program scope, please file a request here: [Redox Service Portal - Bug Bounty - Request for Elevated Permissions / Account Provisioning](https://redoxengine.atlassian.net/servicedesk/customer/portal/20/group/112/create/520).\n  * This allows us to provision resources specific to your testing.\n* When creating accounts, please use your `@wearehackerone.com` address. If separate accounts are necessary, you can [use an alias](https://docs.hackerone.com/hackers/hacker-email-alias.html#multiple-aliases). This helps us to know that you are a researcher, not a malicious user.\n* When looking for functionality to test against, we recommend referencing our Change Log for our latest additions to the product: https://www.redoxengine.com/blog/category/redox/changelog/\n\n# Documentation\n**Note: All of our documentation is aimed at our production resources. While testing, please ensure you are using the staging equivalents of each URL.**\n\n## AWS URLs\n| **Staging URL to be used** | Production Equivalent | Description of Resource |\n| ------------- | ------------- | ------------- |\n| **10x.redoxengine.com** | dashboard.redoxengine.com | UI - Frontend of Dashboard |\n| **testapp.redoxengine.com** | candi.redoxengine.com | API - Backend of Dashboard |\n| **testapi.redoxengine.com** | api.redoxengine.com | API - FHIR/DataModel API |\n\n* Overall application documentation: https://docs.redoxengine.com/\n  * [FHIR API](https://docs.redoxengine.com/permalink/3XuY7RCaQV4Dscsy6gL8wR)\n  * [Datamodel API](https://docs.redoxengine.com/permalink/6hnGvNQQLFgb8s0W7SFfvt)\n  * [Platform API](https://docs.redoxengine.com/permalink/5mfjvKdJt3bRS8d5B4POP2)\n\n# What are we looking for?\nWe are primarily looking for issues on our ***Critical*** application resources, which are as follows:\n- 10x.redoxengine.com\n- testapp.redoxengine.com\n- testapi.redoxengine.com\n\n## Elevated Privileges for HackerOne Testers\nAs you dive into [10x.redoxengine.com](https://10x.redoxengine.com) (our main dashboard), you will likely create an Organization to test. We lock certain features behind tiers, but we can elevate your Organization if you provide us with the info in this form:\n- [Google Form - Request for Elevated Permissions / Account Provisioning](https://forms.gle/BmwJaEqCa8ofwdJn7)\n\n# Out of scope vulnerabilities\n\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Missing best practices in Content Security Policy.\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Any activity that could lead to the disruption of our service (DoS).\n* Rate limiting or brute-force issues on non-authentication endpoints and our external Help Desk forums (such as https://redoxengine.atlassian.net/servicedesk/customer/portals)\n* Removing all organization owners from the organization (or demoting all users to a \"basic user\" role)\n* Creating an organization with the same name as an existing organization\n* Broken Link Hijacking on https://www.redoxengine.com\n* Demo Personal Identifiable Information (PII) in `/static/js/main.*.js` or in API Actions\n* Ability to create resources (such as alerts / sources / destinations) in the Staging/Production environment as a Free Tier User/Org.\n  * **Note: There is a Frontend Visual UI block, but no backend resource blocking for this.**\n\n## *Special Note on Denial of Service (DoS)*\n*DoS Vulnerabilities are out of scope of this program (i.e. any attack requiring more than a small number of resources). DoS vulnerabilities which cause application \"slowdown\" will be considered Informational, unless the researcher can demonstrate that the bug is severe enough to disable OTHER sessions and site functionality without a large number of resources. 
Bugs which cannot clearly show the impact on OTHER users without significant resources will be considered DDoS.*\n\n*We utilize a Web Application Firewall (WAF) for rate limiting on resources:*\n- *one for API traffic with a high rate-limit (5000/5min/per IP)*\n- *one for HTTP traffic with a lower rate-limit (500/5min/per IP)*\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\nThank you for helping to secure Redox!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-01-26T18:50:36.373Z"},{"id":3766928,"new_policy":"Our Security team identifies, evaluates, and manages vulnerabilities across Redox, including corporate assets, applications, and cloud infrastructure. Our purpose is to reduce our risk exposure and support our goal to become the most trusted brand in healthcare technology. With you as an extension to our team, we can achieve that goal and ultimately protect patient data.\n\n# Response Targets\nRedox will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nPlease be aware that, even if the HackerOne team has triaged a ticket, the Redox team may potentially close the ticket at any time with no payout, e.g. if we discover that it is a duplicate or if we decide not to fix the issue. 
Further note that if the report is a duplicate, we may potentially not provide any links to the original ticket, especially if the original reporter would prefer that their report be kept private or if the original ticket exists within our internal ticketing system.\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). Evidence of duplicate reports will be provided in the form of the original ticket number and/or title of the original report.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder.\n* You must not be a current Redox colleague or contractor. You will be considered eligible to participate in the program 6 months after termination of employment.\n\n# Test Plan\n* To begin researching our program scope, please file a request here: [Redox Service Portal - Bug Bounty - Request for Elevated Permissions / Account Provisioning](https://redoxengine.atlassian.net/servicedesk/customer/portal/20/group/112/create/520).\n  * This allows us to provision resources specific to your testing.\n* When creating accounts, please use your `@wearehackerone.com` address. If separate accounts are necessary, you can [use an alias](https://docs.hackerone.com/hackers/hacker-email-alias.html#multiple-aliases). 
This helps us to know that you are a researcher, not a malicious user.\n* When looking for functionality to test against, we recommend referencing our Change Log for our latest additions to the product: https://www.redoxengine.com/blog/category/redox/changelog/\n\n# Documentation\n**Note: All of our documentation is aimed at our production resources. While testing, please ensure you are using the staging equivalents of each URL.**\n\n## AWS URLs\n| **Staging URL to be used** | Production Equivalent | Description of Resource |\n| ------------- | ------------- | ------------- |\n| **10x.redoxengine.com** | dashboard.redoxengine.com | UI - Frontend of Dashboard |\n| **testapp.redoxengine.com** | candi.redoxengine.com | API - Backend of Dashboard |\n| **testapi.redoxengine.com** | api.redoxengine.com | API - FHIR/DataModel API |\n\n* Overall application documentation: https://docs.redoxengine.com/\n* FHIR API: https://docs.redoxengine.com/basics/redox-fhir-api/\n* Datamodel API: https://docs.redoxengine.com/basics/redox-data-model-api/introduction-to-the-redox-data-model-api/\n* Platform API: https://redox-platform-api.readme.io/reference/authentication\n\n# What are we looking for?\nWe are primarily looking for issues on our ***Critical*** application resources, which are as follows:\n- 10x.redoxengine.com\n- testapp.redoxengine.com\n- testapi.redoxengine.com\n\n## Elevated Privileges for HackerOne Testers\nAs you dive into [10x.redoxengine.com](https://10x.redoxengine.com) (our main dashboard), you will likely create an Organization to test. We lock certain features behind tiers, but we can elevate your Organization if you provide us with the info in this form:\n- [Google Form - Request for Elevated Permissions / Account Provisioning](https://forms.gle/BmwJaEqCa8ofwdJn7)\n\n# Out of scope vulnerabilities\n\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Missing best practices in Content Security Policy.\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Any activity that could lead to the disruption of our service (DoS).\n* Rate limiting or brute-force issues on non-authentication endpoints and our external Help Desk forums (such as https://redoxengine.atlassian.net/servicedesk/customer/portals)\n* Removing all organization owners from the organization (or demoting all users to a \"basic user\" role)\n* Creating an organization with the same name as an existing organization\n* Broken Link Hijacking on https://www.redoxengine.com\n* Demo Personal Identifiable Information (PII) in `/static/js/main.*.js` or in API Actions\n* Ability to create resources (such as alerts / sources / destinations) in the Staging/Production environment as a Free Tier User/Org.\n  * **Note: There is a Frontend Visual UI block, but no backend resource blocking for this.**\n\n## *Special Note on Denial of Service (DoS)*\n*DoS Vulnerabilities are out of scope of this program (i.e. any attack requiring more than a small number of resources). DoS vulnerabilities which cause application \"slowdown\" will be considered Informational, unless the researcher can demonstrate that the bug is severe enough to disable OTHER sessions and site functionality without a large number of resources. 
Bugs which cannot clearly show the impact on OTHER users without significant resources will be considered DDoS.*\n\n*We utilize a Web Application Firewall (WAF) for rate limiting on resources:*\n- *one for API traffic with a high rate-limit (5000/5min/per IP)*\n- *one for HTTP traffic with a lower rate-limit (500/5min/per IP)*\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\nThank you for helping to secure Redox!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-12-03T13:49:53.920Z"},{"id":3766925,"new_policy":"Our Security team identifies, evaluates, and manages vulnerabilities across Redox, including corporate assets, applications, and cloud infrastructure. Our purpose is to reduce our risk exposure and support our goal to become the most trusted brand in healthcare technology. With you as an extension to our team, we can achieve that goal and ultimately protect patient data.\n\n# Response Targets\nRedox will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nPlease be aware that, even if the HackerOne team has triaged a ticket, the Redox team may potentially close the ticket at any time with no payout, e.g. if we discover that it is a duplicate or if we decide not to fix the issue. 
Further note that if the report is a duplicate, we may potentially not provide any links to the original ticket, especially if the original reporter would prefer that their report be kept private or if the original ticket exists within our internal ticketing system.\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). Evidence of duplicate reports will be provided in the form of the original ticket number and/or title of the original report.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder.\n* You must not be a current Redox colleague or contractor. You will be considered eligible to participate in the program 6 months after termination of employment.\n\n# Test Plan\n* To begin researching our program scope, please file a request here: [Redox Service Portal - Bug Bounty - Request for Elevated Permissions / Account Provisioning](https://redoxengine.atlassian.net/servicedesk/customer/portal/20/group/112/create/520).\n  * This allows us to provision resources specific to your testing.\n* When creating accounts, please use your `@wearehackerone.com` address. If separate accounts are necessary, you can [use an alias](https://docs.hackerone.com/hackers/hacker-email-alias.html#multiple-aliases). 
This helps us to know that you are a researcher, not a malicious user.\n* When looking for functionality to test against, we recommend referencing our Change Log for our latest additions to the product: https://www.redoxengine.com/blog/category/redox/changelog/\n\n# Documentation\n**Note: All of our documentation is aimed at our production resources. While testing, please ensure you are using the staging equivalents of each URL.**\n\n## AWS URLs\n| **Staging URL to be used** | Production Equivalent | Description of Resource |\n| ------------- | ------------- | ------------- |\n| **10x.redoxengine.com** | dashboard.redoxengine.com | UI - Frontend of Dashboard |\n| **testapp.redoxengine.com** | candi.redoxengine.com | API - Backend of Dashboard |\n| **testapi.redoxengine.com** | api.redoxengine.com | API - FHIR/DataModel API |\n\n* Overall application documentation: https://docs.redoxengine.com/\n* FHIR API: https://docs.redoxengine.com/basics/redox-fhir-api/\n* Datamodel API: https://docs.redoxengine.com/basics/redox-data-model-api/introduction-to-the-redox-data-model-api/\n* Platform API: https://redox-platform-api.readme.io/reference/authentication\n\n# What are we looking for?\nWe are primarily looking for issues on our ***Critical*** application resources, which are as follows:\n- 10x.redoxengine.com\n- testapp.redoxengine.com\n- testapi.redoxengine.com\n\n## Elevated Privileges for HackerOne Testers\nAs you dive into [10x.redoxengine.com](https://10x.redoxengine.com) (our main dashboard), you will likely create an Organization to test. 
We lock certain features behind tiers, but we can elevate your Organization if you provide us with the info in this form:\n- [Redox Service Portal - Bug Bounty - Request for Elevated Permissions / Account Provisioning](https://forms.gle/BmwJaEqCa8ofwdJn7)\n\n# Out of scope vulnerabilities\n\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Missing best practices in Content Security Policy.\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Any activity that could lead to the disruption of our service (DoS).\n* Rate limiting or brute-force issues on non-authentication endpoints and our external Help Desk forums (such as https://redoxengine.atlassian.net/servicedesk/customer/portals)\n* Removing all organization owners from the organization (or demoting all users to a \"basic user\" role)\n* Creating an organization with the same name as an existing organization\n* Broken Link Hijacking on https://www.redoxengine.com\n* Demo Personal Identifiable Information (PII) in `/static/js/main.*.js` or in API Actions\n* Ability to create resources (such as alerts / sources / destinations) in the Staging/Production environment as a Free Tier User/Org.\n  * **Note: There is a Frontend Visual UI block, but no backend resource blocking for this.**\n\n## *Special Note on Denial of Service (DoS)*\n*DoS Vulnerabilities are out of scope of this program (i.e. any attack requiring more than a small number of resources). DoS vulnerabilities which cause application \"slowdown\" will be considered Informational, unless the researcher can demonstrate that the bug is severe enough to disable OTHER sessions and site functionality without a large number of resources. 
Bugs which cannot clearly show the impact on OTHER users without significant resources will be considered DDoS.*\n\n*We utilize a Web Application Firewall (WAF) for rate limiting on resources:*\n- *one for API traffic with a high rate-limit (5000/5min/per IP)*\n- *one for HTTP traffic with a lower rate-limit (500/5min/per IP)*\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\nThank you for helping to secure Redox!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-12-03T13:49:09.590Z"},{"id":3764335,"new_policy":"Our Security team identifies, evaluates, and manages vulnerabilities across Redox, including corporate assets, applications, and cloud infrastructure. Our purpose is to reduce our risk exposure and support our goal to become the most trusted brand in healthcare technology. With you as an extension to our team, we can achieve that goal and ultimately protect patient data.\n\n# Response Targets\nRedox will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nPlease be aware that, even if the HackerOne team has triaged a ticket, the Redox team may potentially close the ticket at any time with no payout, e.g. if we discover that it is a duplicate or if we decide not to fix the issue. 
Further note that if the report is a duplicate, we may potentially not provide any links to the original ticket, especially if the original reporter would prefer that their report be kept private or if the original ticket exists within our internal ticketing system.\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). Evidence of duplicate reports will be provided in the form of the original ticket number and/or title of the original report\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. \n* Only interact with accounts you own or with explicit permission of the account holder.\n* You must not be a current Redox colleague and contractor.  You will be considered eligible to participate in the program 6 months after termination of employment.\n\n# Test Plan\n* To begin researching our program scope, please file a request here: [Redox Service Portal - Bug Bounty - Request for Elevated Permissions / Account Provisioning](https://redoxengine.atlassian.net/servicedesk/customer/portal/20/group/112/create/520 ). \n  * This allows us to provision resources specific to your testing. \n* When creating accounts, please use your `@wearehackerone.com` address.  If separate accounts are necessary, you can [use an alias](https://docs.hackerone.com/hackers/hacker-email-alias.html#multiple-aliases).  
This helps us to know that you are a researcher, not a malicious user\n* When looking for functionality to test against, we recommend referencing our Change Log for our latest additions to the product: https://www.redoxengine.com/blog/category/redox/changelog/ \n\n# Documentation\n***Note: All of our documentation is aimed at our production resources.  While testing, please ensure you are using the staging equivalents of each URL**\n\n## AWS URL's \n|  **Staging URL to be used**  |  Production Equivalent  | Description of Resource | \n| ------------- |  ------------- | ------------- |\n|  **10x.redoxengine.com** | dashboard.redoxengine.com | UI - Frontend of Dashboard |\n|  **testapp.redoxengine.com** |  candi.redoxengine.com | API - Backend of Dashboard |\n| **testapi.redoxengine.com** |  api.redoxengine.com | API - FHIR/DataModel API |\n\n\n* Overall application documentation: https://docs.redoxengine.com/ \n* FHIR API: https://docs.redoxengine.com/basics/redox-fhir-api/ \n* Datamodel API: https://docs.redoxengine.com/basics/redox-data-model-api/introduction-to-the-redox-data-model-api/  \n* Platform API: https://redox-platform-api.readme.io/reference/authentication \n\n# What are we looking for?\nWe are primarily looking for issues on our ***Critical***  application resources which are as follows: \n- 10x.redoxengine.com\n- testapp.redoxengine.com\n- testapi.redoxengine.com\n\n\n## Elevated Privileges for HackerOne Testers\nAs you dive into [https://10x.redoxengine.com](10x.redoxengine.com) (our main dashboard), you will likely create an Organization to test.  
We lock certain features behind tiers, but we can elevate your Organization if you provide us with the info in this form :\n- [Redox Service Portal -Bug Bounty - Request for Elevated Permissions / Account Provisioning](https://redoxengine.atlassian.net/servicedesk/customer/portal/20/group/112/create/520 )\n\n\n# Out of scope vulnerabilities\n\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Missing best practices in Content Security Policy.\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Any activity that could lead to the disruption of our service (DoS).\n* Rate limiting or bruteforce issues on non-authentication endpoints and our external Help Desk forums (such as https://redoxengine.atlassian.net/servicedesk/customer/portals )\n* Removing all organization owners from the organization (or demoting all users to a \"basic user\" role)\n* Creating an organization with the same name as an existing organization \n* Broken Link Hijacking on https://www.redoxengine.com\n* Demo Personal Identifiable Information (PII)  in `/static/js/main.*.js` or in API Actions\n* Ability to create resources (such as alerts / sources / destinations) in the Staging/Production environment as a Free Tier User/Org. \n  * **Note: There is a Frontend Visual UI block, but no backend resource blocking for this.**\n\n## *Special Note on Denial of Service (DoS)*\n*DoS Vulnerabilities are out of scope of this program (ie. any attack requiring more than a small number of resources). DoS vulnerabilities which cause application \"slowdown\" will be considered Informational, unless the researcher can demonstrate that the bug is severe enough to disable OTHER sessions and site functionality without a large number of resources. 
Bugs which cannot clearly show the impact on OTHER users without significant resources will be considered DDoS.*\n\n*We utilize a Web Application Firewall (WAF) for rate limiting on resources:* \n- *one for API traffic with a high rate-limit (5000/5min/per IP)* \n- *one for HTTP traffic with a lower rate-limit (500/5min/per IP)*\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\nThank you for helping to secure Redox!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-10-08T14:08:24.259Z"},{"id":3764307,"new_policy":"Our Security team identifies, evaluates, and manages vulnerabilities across Redox, including corporate assets, applications, and cloud infrastructure. Our purpose is to reduce our risk exposure and support our goal to become the most trusted brand in healthcare technology.  With you as an extension to our team, we can achieve that goal and ultimately protect patient data\n\n# Response Targets\nRedox will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nPlease be aware that, even if the HackerOne team has triaged a ticket, the Redox team may potentially close the ticket at any time with no payout, eg. if we discover that it is a duplicate or if we decide not to fix the issue. 
Further note that if the report is a duplicate, we may potentially not provide any links to the original ticket, especially if the original reporter would prefer that their report be kept private or if the original ticket exists within our internal ticketing system.\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). Evidence of duplicate reports will be provided in the form of the original ticket number and/or title of the original report\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. \n* Only interact with accounts you own or with explicit permission of the account holder.\n* You must not be a current Redox colleague and contractor.  You will be considered eligible to participate in the program 6 months after termination of employment.\n\n# Test Plan\n* To begin researching our program scope, please file a request here: [Redox Service Portal - Bug Bounty - Request for Elevated Permissions / Account Provisioning](https://redoxengine.atlassian.net/servicedesk/customer/portal/20/group/112/create/520 ). \n  * This allows us to provision resources specific to your testing. \n* When creating accounts, please use your `@wearehackerone.com` address.  If separate accounts are necessary, you can [use an alias](https://docs.hackerone.com/hackers/hacker-email-alias.html#multiple-aliases).  
This helps us to know that you are a researcher, not a malicious user\n* When looking for functionality to test against, we recommend referencing our Change Log for our latest additions to the product: https://www.redoxengine.com/blog/category/redox/changelog/ \n\n# Documentation\n***Note: All of our documentation is aimed at our production resources.  While testing, please ensure you are using the staging equivalents of each URL**\n\n## AWS URL's \n|  **Staging URL to be used**  |  Production Equivalent  | Description of Resource | \n| ------------- |  ------------- | ------------- |\n|  **10x.redoxengine.com** | dashboard.redoxengine.com | UI - Frontend of Dashboard |\n|  **testapp.redoxengine.com** |  candi.redoxengine.com | API - Backend of Dashboard |\n| **testapi.redoxengine.com** |  api.redoxengine.com | API - FHIR/DataModel API |\n\n\n* Overall application documentation: https://docs.redoxengine.com/ \n* FHIR API: https://docs.redoxengine.com/basics/redox-fhir-api/ \n* Datamodel API: https://docs.redoxengine.com/basics/redox-data-model-api/introduction-to-the-redox-data-model-api/  \n* Platform API: https://redox-platform-api.readme.io/reference/authentication \n\n# What are we looking for?\nWe are primarily looking for issues on our ***Critical***  application resources which are as follows: \n- 10x.redoxengine.com\n- testapp.redoxengine.com\n- testapi.redoxengine.com\n\n\n## Elevated Privileges for HackerOne Testers\nAs you dive into [https://10x.redoxengine.com](10x.redoxengine.com) (our main dashboard), you will likely create an Organization to test.  
We lock certain features behind tiers, but we can elevate your Organization if you provide us with the info in this form :\n- [Redox Service Portal -Bug Bounty - Request for Elevated Permissions / Account Provisioning](https://redoxengine.atlassian.net/servicedesk/customer/portal/20/group/112/create/520 )\n\n\n# Out of scope vulnerabilities\n\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Missing best practices in Content Security Policy.\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Any activity that could lead to the disruption of our service (DoS).\n* Rate limiting or bruteforce issues on non-authentication endpoints and our external Help Desk forums (such as https://redoxengine.atlassian.net/servicedesk/customer/portals )\n* Removing all organization owners from the organization (or demoting all users to a \"basic user\" role)\n* Creating an organization with the same name as an existing organization \n* Lack of Session Invalidation - These are known issues\n* Broken Link Hijacking on https://www.redoxengine.com\n* Demo Personal Identifiable Information (PII)  in `/static/js/main.*.js` or in API Actions\n\n## *Special Note on Denial of Service (DoS)*\n*DoS Vulnerabilities are out of scope of this program (ie. any attack requiring more than a small number of resources). DoS vulnerabilities which cause application \"slowdown\" will be considered Informational, unless the researcher can demonstrate that the bug is severe enough to disable OTHER sessions and site functionality without a large number of resources. 
Bugs which cannot clearly show the impact on OTHER users without significant resources will be considered DDoS.*\n\n*We utilize a Web Application Firewall (WAF) for rate limiting on resources:* \n- *one for API traffic with a high rate-limit (5000/5min/per IP)* \n- *one for HTTP traffic with a lower rate-limit (500/5min/per IP)*\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\nThank you for helping to secure Redox!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-10-07T20:21:03.835Z"},{"id":3759894,"new_policy":"Our Security team identifies, evaluates, and manages vulnerabilities across Redox, including corporate assets, applications, and cloud infrastructure. Our purpose is to reduce our risk exposure and support our goal to become the most trusted brand in healthcare technology.  With you as an extension to our team, we can achieve that goal and ultimately protect patient data\n\n# Response Targets\nRedox will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nPlease be aware that, even if the HackerOne team has triaged a ticket, the Redox team may potentially close the ticket at any time with no payout, eg. if we discover that it is a duplicate or if we decide not to fix the issue. 
Further note that if the report is a duplicate, we may potentially not provide any links to the original ticket, especially if the original reporter would prefer that their report be kept private or if the original ticket exists within our internal ticketing system.\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). Evidence of duplicate reports will be provided in the form of the original ticket number and/or title of the original report\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. \n* Only interact with accounts you own or with explicit permission of the account holder.\n* You must not be a current Redox colleague and contractor.  You will be considered eligible to participate in the program 6 months after termination of employment.\n\n# Test Plan\n* To begin researching our program scope, please file a request here: [Redox Service Portal - Bug Bounty - Request for Elevated Permissions / Account Provisioning](https://redoxengine.atlassian.net/servicedesk/customer/portal/20/group/112/create/520 ). \n  * This allows us to provision resources specific to your testing. \n* When creating accounts, please use your `@wearehackerone.com` address.  If separate accounts are necessary, you can [use an alias](https://docs.hackerone.com/hackers/hacker-email-alias.html#multiple-aliases).  
This helps us to know that you are a researcher, not a malicious user\n* When looking for functionality to test against, we recommend referencing our Change Log for our latest additions to the product: https://www.redoxengine.com/blog/category/redox/changelog/ \n\n# Documentation\n***Note: All of our documentation is aimed at our production resources.  While testing, please ensure you are using the staging equivalents of each URL**\n\n## AWS URL's \n|  **Staging URL to be used**  |  Production Equivalent  | Description of Resource | \n| ------------- |  ------------- | ------------- |\n|  **10x.redoxengine.com** | dashboard.redoxengine.com | UI - Frontend of Dashboard |\n|  **testapp.redoxengine.com** |  candi.redoxengine.com | API - Backend of Dashboard |\n| **testapi.redoxengine.com** |  api.redoxengine.com | API - FHIR/DataModel API |\n\n## New GCP URL's ! \n|  **Staging URL to be used**  |  Production Equivalent  | Description of Resource | \n| ------------- |  ------------- | ------------- |\n|  **dashboard.gamma.redoxstage.com** | dashboard.gamma.redoxengine.com | UI - Frontend of Dashboard |\n|  **app.gamma.redoxstage.com** |  app.gamma.redoxengine.com | API - Backend of Dashboard |\n| **api.gamma.redoxestage.com** |  api.gamma.redoxengine.com | API - FHIR/DataModel API |\n\n* Overall application documentation: https://docs.redoxengine.com/ \n* FHIR API: https://docs.redoxengine.com/basics/redox-fhir-api/ \n* Datamodel API: https://docs.redoxengine.com/basics/redox-data-model-api/introduction-to-the-redox-data-model-api/  \n* Platform API: https://redox-platform-api.readme.io/reference/authentication \n\n# What are we looking for?\nWe are primarily looking for issues on our ***Critical***  application resources which are as follows: \n- 10x.redoxengine.com\n- testapp.redoxengine.com\n- testapi.redoxengine.com\n\nWe are also highly interested in any misconfigurations in our Cloud Infrastructure, especially with our GCP resources (anything ending with 
`*.gamma.redoxstage.com`)\n\nWithin these, we are highly interested in the identification of any [Insecure Direct Object Reference](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References) or [Broken Access Control](https://owasp.org/www-community/Broken_Access_Control) vulnerabilities\n\n## Elevated Privileges for HackerOne Testers\nAs you dive into [https://10x.redoxengine.com](10x.redoxengine.com) (our main dashboard), you will likely create an Organization to test.  We lock certain features behind tiers, but we can elevate your Organization if you provide us with the info in this form :\n- [Redox Service Portal -Bug Bounty - Request for Elevated Permissions / Account Provisioning](https://redoxengine.atlassian.net/servicedesk/customer/portal/20/group/112/create/520 )\n\nSome of these features include:\n- Access to other Environments Types (Development/Staging/Production)\n- PHI Permission Flag (does not apply to Development) \n\n# Out of scope vulnerabilities\n\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Missing best practices in Content Security Policy.\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Any activity that could lead to the disruption of our service (DoS).\n* Rate limiting or bruteforce issues on non-authentication endpoints and our external Help Desk forums (such as https://redoxengine.atlassian.net/servicedesk/customer/portals )\n* Removing all organization owners from the organization (or demoting all users to a \"basic user\" role)\n* Creating an organization with the same name as an existing organization \n* Lack of Session Invalidation - These are known issues\n* Broken Link Hijacking on https://www.redoxengine.com\n* Demo Personal Identifiable Information (PII)  in `/static/js/main.*.js` or in API Actions\n\n## *Special Note on Denial of Service (DoS)*\n*DoS Vulnerabilities are out of scope of this program (ie. any attack requiring more than a small number of resources). DoS vulnerabilities which cause application \"slowdown\" will be considered Informational, unless the researcher can demonstrate that the bug is severe enough to disable OTHER sessions and site functionality without a large number of resources. 
Bugs which cannot clearly show the impact on OTHER users without significant resources will be considered DDoS.*\n\n*We utilize a Web Application Firewall (WAF) for rate limiting on resources:* \n- *one for API traffic with a high rate-limit (5000/5min/per IP)* \n- *one for HTTP traffic with a lower rate-limit (500/5min/per IP)*\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\nThank you for helping to secure Redox!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-07-24T00:55:23.553Z"},{"id":3743449,"new_policy":"Our Security team identifies, evaluates, and manages vulnerabilities across Redox, including corporate assets, applications, and cloud infrastructure. Our purpose is to reduce our risk exposure and support our goal to become the most trusted brand in healthcare technology.  With you as an extension to our team, we can achieve that goal and ultimately protect patient data\n\n# Response Targets\nRedox will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nPlease be aware that, even if the HackerOne team has triaged a ticket, the Redox team may potentially close the ticket at any time with no payout, eg. if we discover that it is a duplicate or if we decide not to fix the issue. 
Further note that if the report is a duplicate, we may potentially not provide any links to the original ticket, especially if the original reporter would prefer that their report be kept private or if the original ticket exists within our internal ticketing system.\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). Evidence of duplicate reports will be provided in the form of the original ticket number and/or title of the original report\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. \n* Only interact with accounts you own or with explicit permission of the account holder.\n* You must not be a current Redox colleague and contractor.  You will be considered eligible to participate in the program 6 months after termination of employment.\n\n# Test Plan\n* When creating accounts, please use your `@wearehackerone.com` address.  If separate accounts are necessary, you can [use an alias](https://docs.hackerone.com/hackers/hacker-email-alias.html#multiple-aliases).  This helps us to know that you are a researcher, not a malicious user\n* When looking for functionality to test against, we recommend referencing our Change Log for our latest additions to the product: https://www.redoxengine.com/blog/category/redox/changelog/ \n\n# Documentation\n***Note: All of our documentation is aimed at our production resources.  
While testing, please ensure you are using the staging equivalents of each URL.\n\n## AWS URLs\n| **Staging URL to be used** | Production Equivalent | Description of Resource |\n| ------------- | ------------- | ------------- |\n| **10x.redoxengine.com** | dashboard.redoxengine.com | UI - Frontend of Dashboard |\n| **testapp.redoxengine.com** | candi.redoxengine.com | API - Backend of Dashboard |\n| **testapi.redoxengine.com** | api.redoxengine.com | API - FHIR/DataModel API |\n\n## New GCP URLs\n| **Staging URL to be used** | Production Equivalent | Description of Resource |\n| ------------- | ------------- | ------------- |\n| **dashboard.gamma.redoxstage.com** | dashboard.gamma.redoxengine.com | UI - Frontend of Dashboard |\n| **app.gamma.redoxstage.com** | app.gamma.redoxengine.com | API - Backend of Dashboard |\n| **api.gamma.redoxestage.com** | api.gamma.redoxengine.com | API - FHIR/DataModel API |\n\n* Overall application documentation: https://docs.redoxengine.com/\n* FHIR API: https://docs.redoxengine.com/basics/redox-fhir-api/\n* Datamodel API: https://docs.redoxengine.com/basics/redox-data-model-api/introduction-to-the-redox-data-model-api/\n* Platform API: https://redox-platform-api.readme.io/reference/authentication\n\n# What are we looking for?\nWe are primarily looking for issues on our ***Critical*** application resources, which are as follows:\n- 10x.redoxengine.com\n- testapp.redoxengine.com\n- testapi.redoxengine.com\n\nWe are also highly interested in any misconfigurations in our Cloud Infrastructure, especially with our GCP resources (anything ending with `*.gamma.redoxstage.com`).\n\nWithin these, we are highly interested in the identification of any [Insecure Direct Object Reference](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References) or [Broken Access Control](https://owasp.org/www-community/Broken_Access_Control) vulnerabilities.\n\n## Elevated Privileges for HackerOne Testers\nAs you dive into [10x.redoxengine.com](https://10x.redoxengine.com) (our main dashboard), you will likely create an Organization to test. We lock certain features behind tiers, but we can elevate your Organization if you provide us with the info in this form:\n- [Redox Service Portal - Bug Bounty Program - Permissions Request](https://redoxengine.atlassian.net/servicedesk/customer/portal/20/group/112/create/520)\n\nSome of these features include:\n- Access to other Environment Types (Development/Staging/Production)\n- PHI Permission Flag (does not apply to Development)\n\n# Out of scope vulnerabilities\n\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Content spoofing and text injection issues without showing an attack vector / without being able to modify HTML/CSS\n* Missing best practices in Content Security Policy\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors)\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Any activity that could lead to the disruption of our service (DoS)\n* Rate limiting or brute-force issues on non-authentication endpoints and our external Help Desk forums (such as https://redoxengine.atlassian.net/servicedesk/customer/portals)\n* Removing all organization owners from the organization (or demoting all users to a \"basic user\" role)\n* Creating an organization with the same name as an existing organization\n* Lack of Session Invalidation - these are known issues\n* Broken Link Hijacking on https://www.redoxengine.com\n* Demo Personally Identifiable Information (PII) in `/static/js/main.*.js` or in API Actions\n\n## *Special Note on Denial of Service (DoS)*\n*DoS Vulnerabilities are out of scope of this program (i.e. any attack requiring more than a small number of resources). DoS vulnerabilities which cause application \"slowdown\" will be considered Informational, unless the researcher can demonstrate that the bug is severe enough to disable OTHER sessions and site functionality without a large number of resources.
Bugs which cannot clearly show the impact on OTHER users without significant resources will be considered DDoS.*\n\n*We utilize a Web Application Firewall (WAF) for rate limiting on resources:* \n- *one for API traffic with a high rate-limit (5000/5min/per IP)* \n- *one for HTTP traffic with a lower rate-limit (500/5min/per IP)*\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\nThank you for helping to secure Redox!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-11-01T12:23:09.081Z"},{"id":3743448,"new_policy":"Our Security team identifies, evaluates, and manages vulnerabilities across Redox, including corporate assets, applications, and cloud infrastructure. Our purpose is to reduce our risk exposure and support our goal to become the most trusted brand in healthcare technology.  With you as an extension to our team, we can achieve that goal and ultimately protect patient data\n\n# Response Targets\nRedox will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nPlease be aware that, even if the HackerOne team has triaged a ticket, the Redox team may potentially close the ticket at any time with no payout, eg. if we discover that it is a duplicate or if we decide not to fix the issue. 
Further note that if the report is a duplicate, we may potentially not provide any links to the original ticket, especially if the original reporter would prefer that their report be kept private or if the original ticket exists within our internal ticketing system.\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). Evidence of duplicate reports will be provided in the form of the original ticket number and/or title of the original report\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. \n* Only interact with accounts you own or with explicit permission of the account holder.\n* You must not be a current Redox colleague and contractor.  You will be considered eligible to participate in the program 6 months after termination of employment.\n\n# Test Plan\n* When creating accounts, please use your `@wearehackerone.com` address.  If separate accounts are necessary, you can [use an alias](https://docs.hackerone.com/hackers/hacker-email-alias.html#multiple-aliases).  This helps us to know that you are a researcher, not a malicious user\n* When looking for functionality to test against, we recommend referencing our Change Log for our latest additions to the product: https://www.redoxengine.com/blog/category/redox/changelog/ \n\n# Documentation\n***Note: All of our documentation is aimed at our production resources.  
While testing, please ensure you are using the staging equivalents of each URL**\n\n## AWS URL's \n|  **Staging URL to be used**  |  Production Equivalent  | Description of Resource | \n| ------------- |  ------------- | ------------- |\n|  **10x.redoxengine.com** | dashboard.redoxengine.com | UI - Frontend of Dashboard |\n|  **testapp.redoxengine.com** |  candi.redoxengine.com | API - Backend of Dashboard |\n| **testapi.redoxengine.com** |  api.redoxengine.com | API - FHIR/DataModel API |\n\n## New GCP URL's ! \n|  **Staging URL to be used**  |  Production Equivalent  | Description of Resource | \n| ------------- |  ------------- | ------------- |\n|  **dashboard.gamma.redoxstage.com** | dashboard.gamma.redoxengine.com | UI - Frontend of Dashboard |\n|  **app.gamma.redoxstage.com** |  app.gamma.redoxengine.com | API - Backend of Dashboard |\n| **api.gamma.redoxestage.com** |  api.gamma.redoxengine.com | API - FHIR/DataModel API |\n\n* Overall application documentation: https://docs.redoxengine.com/ \n* FHIR API: https://docs.redoxengine.com/basics/redox-fhir-api/ \n* Datamodel API: https://docs.redoxengine.com/basics/redox-data-model-api/introduction-to-the-redox-data-model-api/  \n* Platform API: https://redox-platform-api.readme.io/reference/authentication \n\n# What are we looking for?\nWe are primarily looking for issues on our ***Critical***  application resources which are as follows: \n- 10x.redoxengine.com\n- testapp.redoxengine.com\n- testapi.redoxengine.com\n\nWe are also highly interested in any misconfigurations in our Cloud Infrastructure, especially with our GCP resources (anything ending with `*.gamma.redoxstage.com`)\n\nWithin these, we are highly interested in the identification of any [Insecure Direct Object Reference](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References) or [Broken Access 
Control](https://owasp.org/www-community/Broken_Access_Control) vulnerabilities\n\n## Elevated Privileges for HackerOne Testers\nAs you dive into [https://10x.redoxengine.com](10x.redoxengine.com) (our main dashboard), you will likely create an Organization to test.  We lock certain features behind tiers, but we can elevate your Organization if you provide us with the info in this form :\n- [Redox Service Portal - Bug Bounty Program - Permissions Request](https://redoxengine.atlassian.net/servicedesk/customer/portal/20/group/112/create/520 )\n\nSome of these features include:\n- Access to other Environments Types (Development/Staging/Production)\n- PHI Permission Flag (does not apply to Development) \n\n# Out of scope vulnerabilities\n\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Missing best practices in Content Security Policy.\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Any activity that could lead to the disruption of our service (DoS).\n* Rate limiting or bruteforce issues on non-authentication endpoints and our external Help Desk forums (such as https://redoxengine.atlassian.net/servicedesk/customer/portals )\n* Removing all organization owners from the organization (or demoting all users to a \"basic user\" role)\n* Creating an organization with the same name as an existing organization \n* Lack of Session Invalidation - These are known issues\n* Broken Link Hijacking on https://www.redoxengine.com\n* Demo Personal Identifiable Information (PII)  in `/static/js/main.*.js` or in API Actions\n\n## *Special Note on Denial of Service (DoS)*\n*DoS Vulnerabilities are out of scope of this program (ie. any attack requiring more than a small number of resources). DoS vulnerabilities which cause application \"slowdown\" will be considered Informational, unless the researcher can demonstrate that the bug is severe enough to disable OTHER sessions and site functionality without a large number of resources. 
Bugs which cannot clearly show the impact on OTHER users without significant resources will be considered DDoS.*\n\n*We utilize a Web Application Firewall (WAF) for rate limiting on resources:* \n- *one for API traffic with a high rate-limit (5000/5min/per IP)* \n- *one for HTTP traffic with a lower rate-limit (500/5min/per IP)*\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\nThank you for helping to secure Redox!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-11-01T12:22:57.157Z"},{"id":3743447,"new_policy":"Our Security team identifies, evaluates, and manages vulnerabilities across Redox, including corporate assets, applications, and cloud infrastructure. Our purpose is to reduce our risk exposure and support our goal to become the most trusted brand in healthcare technology.  With you as an extension to our team, we can achieve that goal and ultimately protect patient data\n\n# Response Targets\nRedox will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nPlease be aware that, even if the HackerOne team has triaged a ticket, the Redox team may potentially close the ticket at any time with no payout, eg. if we discover that it is a duplicate or if we decide not to fix the issue. 
Further note that if the report is a duplicate, we may potentially not provide any links to the original ticket, especially if the original reporter would prefer that their report be kept private or if the original ticket exists within our internal ticketing system.\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). Evidence of duplicate reports will be provided in the form of the original ticket number and/or title of the original report\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. \n* Only interact with accounts you own or with explicit permission of the account holder.\n* You must not be a current Redox colleague and contractor.  You will be considered eligible to participate in the program 6 months after termination of employment.\n\n# Test Plan\n* When creating accounts, please use your `@wearehackerone.com` address.  If separate accounts are necessary, you can [use an alias](https://docs.hackerone.com/hackers/hacker-email-alias.html#multiple-aliases).  This helps us to know that you are a researcher, not a malicious user\n* When looking for functionality to test against, we recommend referencing our Change Log for our latest additions to the product: https://www.redoxengine.com/blog/category/redox/changelog/ \n\n# Documentation\n***Note: All of our documentation is aimed at our production resources.  
While testing, please ensure you are using the staging equivalents of each URL**\n\n## AWS URL's \n|  **Staging URL to be used**  |  Production Equivalent  | Description of Resource | \n| ------------- |  ------------- | ------------- |\n|  **10x.redoxengine.com** | dashboard.redoxengine.com | UI - Frontend of Dashboard |\n|  **testapp.redoxengine.com** |  candi.redoxengine.com | API - Backend of Dashboard |\n| **testapi.redoxengine.com** |  api.redoxengine.com | API - FHIR/DataModel API |\n\n## New GCP URL's ! \n|  **Staging URL to be used**  |  Production Equivalent  | Description of Resource | \n| ------------- |  ------------- | ------------- |\n|  **dashboard.gamma.redoxstage.com** | dashboard.gamma.redoxengine.com | UI - Frontend of Dashboard |\n|  **app.gamma.redoxstage.com** |  app.gamma.redoxengine.com | API - Backend of Dashboard |\n| **api.gamma.redoxestage.com** |  api.gamma.redoxengine.com | API - FHIR/DataModel API |\n\n* Overall application documentation: https://docs.redoxengine.com/ \n* FHIR API: https://docs.redoxengine.com/basics/redox-fhir-api/ \n* Datamodel API: https://docs.redoxengine.com/basics/redox-data-model-api/introduction-to-the-redox-data-model-api/  \n* Platform API: https://redox-platform-api.readme.io/reference/authentication \n\n# What are we looking for?\nWe are primarily looking for issues on our ***Critical***  application resources which are as follows: \n- 10x.redoxengine.com\n- testapp.redoxengine.com\n- testapi.redoxengine.com\n\nWe are also highly interested in any misconfigurations in our Cloud Infrastructure, especially with our GCP resources (anything ending with `*.gamma.redoxstage.com`)\n\nWithin these, we are highly interested in the identification of any [Insecure Direct Object Reference](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References) or [Broken Access 
Control](https://owasp.org/www-community/Broken_Access_Control) vulnerabilities\n\n## Elevated Privileges for HackerOne Testers\nAs you dive into [https://10x.redoxengine.com](10x.redoxengine.com) (our main dashboard), you will likely create an Organization to test.  We lock certain features behind tiers, but we can elevate your Organization if you provide us with the info in this form :\n- [Redox Service Portal - Bug Bounty Program - Permissions Request](https://redoxengine.atlassian.net/servicedesk/customer/portal/20/group/112/create/520 )\n\nSome of these features include:\n- Access to other Environments Types (Development/Staging/Production)\n- PHI Permission Flag (does not apply to Development) \n\n# Out of scope vulnerabilities\n\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Missing best practices in Content Security Policy.\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Any activity that could lead to the disruption of our service (DoS).\n* Rate limiting or bruteforce issues on non-authentication endpoints and our external Help Desk forums (such as https://redoxengine.atlassian.net/servicedesk/customer/portals )\n* Removing all organization owners from the organization (or demoting all users to a \"basic user\" role)\n* Creating an organization with the same name as an existing organization \n* Lack of Session Invalidation - These are known issues\n* Broken Link Hijacking on https://www.redoxengine.com\n* Demo Personal Identifiable Information (PII)  in `/static/js/main.*.js` or in API Actions\n\n## *Special Note on Denial of Service (DoS)*\n*DoS Vulnerabilities are out of scope of this program (ie. any attack requiring more than a small number of resources). DoS vulnerabilities which cause application \"slowdown\" will be considered Informational, unless the researcher can demonstrate that the bug is severe enough to disable OTHER sessions and site functionality without a large number of resources. 
Bugs which cannot clearly show the impact on OTHER users without significant resources will be considered DDoS.*\n\n*We utilize a Web Application Firewall (WAF) for rate limiting on resources:* \n- *one for API traffic with a high rate-limit (5000/5min/per IP)* \n- *one for HTTP traffic with a lower rate-limit (500/5min/per IP)*\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\nThank you for helping to secure Redox!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-11-01T12:22:33.317Z"},{"id":3700404,"new_policy":"Our Security team identifies, evaluates, and manages vulnerabilities across Redox, including corporate assets, applications, and cloud infrastructure. Our purpose is to reduce our risk exposure and support our goal to become the most trusted brand in healthcare technology.  With you as an extension to our team, we can achieve that goal and ultimately protect patient data\n\n# Response Targets\nRedox will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nPlease be aware that, even if the HackerOne team has triaged a ticket, the Redox team may potentially close the ticket at any time with no payout, eg. if we discover that it is a duplicate or if we decide not to fix the issue. 
Further note that if the report is a duplicate, we may potentially not provide any links to the original ticket, especially if the original reporter would prefer that their report be kept private or if the original ticket exists within our internal ticketing system.\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). Evidence of duplicate reports will be provided in the form of the original ticket number and/or title of the original report\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. \n* Only interact with accounts you own or with explicit permission of the account holder.\n* You must not be a current Redox colleague and contractor.  You will be considered eligible to participate in the program 6 months after termination of employment.\n\n# Test Plan\n* When creating accounts, please use your `@wearehackerone.com` address.  If separate accounts are necessary, you can [use an alias](https://docs.hackerone.com/hackers/hacker-email-alias.html#multiple-aliases).  This helps us to know that you are a researcher, not a malicious user\n* When looking for functionality to test against, we recommend referencing our Change Log for our latest additions to the product: https://www.redoxengine.com/blog/category/redox/changelog/ \n\n# Documentation\n***Note: All of our documentation is aimed at our production resources.  
While testing, please ensure you are using the staging equivalents of each URL**\n\n## AWS URL's \n|  **Staging URL to be used**  |  Production Equivalent  | Description of Resource | \n| ------------- |  ------------- | ------------- |\n|  **10x.redoxengine.com** | dashboard.redoxengine.com | UI - Frontend of Dashboard |\n|  **testapp.redoxengine.com** |  candi.redoxengine.com | API - Backend of Dashboard |\n| **testapi.redoxengine.com** |  api.redoxengine.com | API - FHIR/DataModel API |\n\n## New GCP URL's ! \n|  **Staging URL to be used**  |  Production Equivalent  | Description of Resource | \n| ------------- |  ------------- | ------------- |\n|  **dashboard.gamma.redoxstage.com** | dashboard.gamma.redoxengine.com | UI - Frontend of Dashboard |\n|  **app.gamma.redoxstage.com** |  app.gamma.redoxengine.com | API - Backend of Dashboard |\n| **api.gamma.redoxestage.com** |  api.gamma.redoxengine.com | API - FHIR/DataModel API |\n\n* Overall application documentation: https://docs.redoxengine.com/ \n* FHIR API: https://docs.redoxengine.com/basics/redox-fhir-api/ \n* Datamodel API: https://docs.redoxengine.com/basics/redox-data-model-api/introduction-to-the-redox-data-model-api/  \n* Platform API: https://redox-platform-api.readme.io/reference/authentication \n\n# What are we looking for?\nWe are primarily looking for issues on our ***Critical***  application resources which are as follows: \n- 10x.redoxengine.com\n- testapp.redoxengine.com\n- testapi.redoxengine.com\n\nWe are also highly interested in any misconfigurations in our Cloud Infrastructure, especially with our GCP resources (anything ending with `*.gamma.redoxstage.com`)\n\nWithin these, we are highly interested in the identification of any [Insecure Direct Object Reference](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References) or [Broken Access 
Control](https://owasp.org/www-community/Broken_Access_Control) vulnerabilities\n\n## Elevated Privileges for HackerOne Testers\nAs you dive into [https://10x.redoxengine.com](10x.redoxengine.com) (our main dashboard), you will likely create an Organization to test.  We lock certain features behind tiers, but we can elevate your Organization if you provide us with the info in this form :\n- [Redox Service Portal - Bug Bounty Program - Permissions Request](https://redoxengine.atlassian.net/servicedesk/customer/portal/20/group/112/create/520 )\n\nSome of these features include:\n- Access to other Environments Types (Development/Staging/Production)\n- PHI Permission Flag (does not apply to Development) \n\n# Out of scope vulnerabilities\n\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Missing best practices in Content Security Policy.\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Any activity that could lead to the disruption of our service (DoS).\n* Rate limiting or bruteforce issues on non-authentication endpoints and our external Help Desk forums (such as https://redoxengine.atlassian.net/servicedesk/customer/portals )\n* Removing all organization owners from the organization (or demoting all users to a \"basic user\" role)\n* Creating an organization with the same name as an existing organization \n* Lack of Session Invalidation - These are known issues\n* Broken Link Hijacking on https://www.redoxengine.com\n* Demo Personal Identifiable Information (PII)  in `/static/js/main.*.js` or in API Actions\n\n## *Special Note on Denial of Service (DoS)*\n*DoS Vulnerabilities are out of scope of this program (ie. any attack requiring more than a small number of resources). DoS vulnerabilities which cause application \"slowdown\" will be considered Informational, unless the researcher can demonstrate that the bug is severe enough to disable OTHER sessions and site functionality without a large number of resources. 
Bugs which cannot clearly show the impact on OTHER users without significant resources will be considered DDoS.*\n\n*We utilize a Web Application Firewall (WAF) for rate limiting on resources:* \n- *one for API traffic with a high rate-limit (5000/5min/per IP)* \n- *one for HTTP traffic with a lower rate-limit (500/5min/per IP)*\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\nThank you for helping to secure Redox!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-08-25T14:04:08.334Z"},{"id":3697709,"new_policy":"Our Security team identifies, evaluates, and manages vulnerabilities across Redox, including corporate assets, applications, and cloud infrastructure. Our purpose is to reduce our risk exposure and support our goal to become the most trusted brand in healthcare technology.  With you as an extension to our team, we can achieve that goal and ultimately protect patient data\n\n# Response Targets\nRedox will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nPlease be aware that, even if the HackerOne team has triaged a ticket, the Redox team may potentially close the ticket at any time with no payout, eg. if we discover that it is a duplicate or if we decide not to fix the issue. 
Further note that if the report is a duplicate, we may potentially not provide any links to the original ticket, especially if the original reporter would prefer that their report be kept private or if the original ticket exists within our internal ticketing system.\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). Evidence of duplicate reports will be provided in the form of the original ticket number and/or title of the original report\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. \n* Only interact with accounts you own or with explicit permission of the account holder.\n* You must not be a current Redox colleague and contractor.  You will be considered eligible to participate in the program 6 months after termination of employment.\n\n# Test Plan\n* When creating accounts, please use your `@wearehackerone.com` address.  If separate accounts are necessary, you can [use an alias](https://docs.hackerone.com/hackers/hacker-email-alias.html#multiple-aliases).  This helps us to know that you are a researcher, not a malicious user\n* When looking for functionality to test against, we recommend referencing our Change Log for our latest additions to the product: https://www.redoxengine.com/blog/category/redox/changelog/ \n\n# Documentation\n***Note: All of our documentation is aimed at our production resources.  
While testing, please ensure you are using the staging equivalents of each URL**\n\n| Production URL  |  **Test URL to be used**  | Description of Resource | \n| ------------- |  ------------- | ------------- |\n| dashboard.redoxengine.com |  **10x.redoxengine.com** | UI - Frontend of Dashboard |\n|  candi.redoxengine.com |  **testapp.redoxengine.com** | API - Backend of Dashboard |\n| api.redoxengine.com | **testapi.redoxengine.com** | API - FHIR/DataModel API |\n\n* Overall application documentation: https://docs.redoxengine.com/ \n* FHIR API: https://docs.redoxengine.com/basics/redox-fhir-api/ \n* Datamodel API: https://docs.redoxengine.com/basics/redox-data-model-api/introduction-to-the-redox-data-model-api/ \n* Platform API: https://redox-platform-api.readme.io/reference/authentication \n\n# What are we looking for?\nWe are primarily looking for issues on our ***Critical*** application resources, which are as follows:\n- 10x.redoxengine.com\n- testapp.redoxengine.com\n- testapi.redoxengine.com\n\nWithin these, we are highly interested in the identification of any [Insecure Direct Object Reference](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References) or [Broken Access Control](https://owasp.org/www-community/Broken_Access_Control) vulnerabilities.\n\n## Elevated Privileges for HackerOne Testers\nAs you dive into [10x.redoxengine.com](https://10x.redoxengine.com) (our main dashboard), you will likely create an Organization to test. 
We lock certain features behind tiers, but we can elevate your Organization if you provide us with the info in this form:\n- [Redox Service Portal - Bug Bounty Program - Permissions Request](https://redoxengine.atlassian.net/servicedesk/customer/portal/20/group/112/create/520)\n\nSome of these features include:\n- Access to other Environment Types (Development/Staging/Production)\n- PHI Permission Flag (does not apply to Development)\n\n# Out of scope vulnerabilities\n\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Missing best practices in Content Security Policy.\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Any activity that could lead to the disruption of our service (DoS).\n* Rate limiting or brute-force issues on non-authentication endpoints and our external Help Desk forums (such as https://redoxengine.atlassian.net/servicedesk/customer/portals)\n* Removing all organization owners from the organization (or demoting all users to a \"basic user\" role)\n* Creating an organization with the same name as an existing organization\n* Lack of Session Invalidation - These are known issues\n* Broken Link Hijacking on https://www.redoxengine.com\n* Demo Personally Identifiable Information (PII) in `/static/js/main.*.js` or in API Actions\n\n## *Special Note on Denial of Service (DoS)*\n*DoS Vulnerabilities are out of scope of this program (i.e. any attack requiring more than a small number of resources). DoS vulnerabilities which cause application \"slowdown\" will be considered Informational, unless the researcher can demonstrate that the bug is severe enough to disable OTHER sessions and site functionality without a large number of resources. 
Bugs which cannot clearly show the impact on OTHER users without significant resources will be considered DDoS.*\n\n*We utilize a Web Application Firewall (WAF) for rate limiting on resources:* \n- *one for API traffic with a high rate-limit (5000/5min/per IP)* \n- *one for HTTP traffic with a lower rate-limit (500/5min/per IP)*\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\nThank you for helping to secure Redox!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-07-12T12:47:57.565Z"},{"id":3697662,"new_policy":"Our Security team identifies, evaluates, and manages vulnerabilities across Redox, including corporate assets, applications, and cloud infrastructure. Our purpose is to reduce our risk exposure and support our goal to become the most trusted brand in healthcare technology. With you as an extension to our team, we can achieve that goal and ultimately protect patient data.\n\n# Response Targets\nRedox will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nPlease be aware that, even if the HackerOne team has triaged a ticket, the Redox team may potentially close the ticket at any time with no payout, e.g. if we discover that it is a duplicate or if we decide not to fix the issue. 
Further note that if the report is a duplicate, we may potentially not provide any links to the original ticket, especially if the original reporter would prefer that their report be kept private or if the original ticket exists within our internal ticketing system.\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). Evidence of duplicate reports will be provided in the form of the original ticket number and/or title of the original report.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder.\n* You must not be a current Redox colleague or contractor. You will be considered eligible to participate in the program 6 months after termination of employment.\n\n# Test Plan\n* When creating accounts, please use your `@wearehackerone.com` address. If separate accounts are necessary, you can [use an alias](https://docs.hackerone.com/hackers/hacker-email-alias.html#multiple-aliases). This helps us to know that you are a researcher, not a malicious user.\n* When looking for functionality to test against, we recommend referencing our Change Log for our latest additions to the product: https://www.redoxengine.com/blog/category/redox/changelog/ \n\n# Documentation\n**Note: All of our documentation is aimed at our production resources. 
While testing, please ensure you are using the staging equivalents of each URL**\n\n| Production URL  |  **Test URL to be used**  | Description of Resource | \n| ------------- |  ------------- | ------------- |\n| dashboard.redoxengine.com |  **10x.redoxengine.com** | UI - Frontend of Dashboard |\n|  candi.redoxengine.com |  **testapp.redoxengine.com** | API - Backend of Dashboard |\n| api.redoxengine.com | **testapi.redoxengine.com** | API - FHIR/DataModel API |\n\n* Overall application documentation: https://docs.redoxengine.com/ \n* FHIR API: https://docs.redoxengine.com/basics/redox-fhir-api/ \n* Datamodel API: https://docs.redoxengine.com/basics/redox-data-model-api/introduction-to-the-redox-data-model-api/ \n* Platform API: https://redox-platform-api.readme.io/reference/authentication \n\n# What are we looking for?\nWe are primarily looking for issues on our ***Critical*** application resources, which are as follows:\n- 10x.redoxengine.com\n- testapp.redoxengine.com\n- testapi.redoxengine.com\n\nWithin these, we are highly interested in the identification of any [Insecure Direct Object Reference](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References) or [Broken Access Control](https://owasp.org/www-community/Broken_Access_Control) vulnerabilities.\n\n## Elevated Privileges for HackerOne Testers\nAs you dive into [10x.redoxengine.com](https://10x.redoxengine.com) (our main dashboard), you will likely create an Organization to test. 
We lock certain features behind tiers, but we can elevate your Organization if you provide us with the info in this form:\n- [Redox Service Portal - Bug Bounty Program - Permissions Request](https://redoxengine.atlassian.net/servicedesk/customer/portal/20/group/112/create/520)\n\nSome of these features include:\n- Access to other Environment Types (Development/Staging/Production)\n- PHI Permission Flag (does not apply to Development)\n\n# Out of scope vulnerabilities\n\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Missing best practices in Content Security Policy.\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Any activity that could lead to the disruption of our service (DoS).\n* Rate limiting or brute-force issues on non-authentication endpoints and our external Help Desk forums (such as https://redoxengine.atlassian.net/servicedesk/customer/portals)\n* Removing all organization owners from the organization (or demoting all users to a \"basic user\" role)\n* Creating an organization with the same name as an existing organization\n* Lack of Session Invalidation - These are known issues\n\n## *Special Note on Denial of Service (DoS)*\n*DoS Vulnerabilities are out of scope of this program (i.e. any attack requiring more than a small number of resources). DoS vulnerabilities which cause application \"slowdown\" will be considered Informational, unless the researcher can demonstrate that the bug is severe enough to disable OTHER sessions and site functionality without a large number of resources. 
Bugs which cannot clearly show the impact on OTHER users without significant resources will be considered DDoS.*\n\n*We utilize a Web Application Firewall (WAF) for rate limiting on resources:* \n- *one for API traffic with a high rate-limit (5000/5min/per IP)* \n- *one for HTTP traffic with a lower rate-limit (500/5min/per IP)*\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\nThank you for helping to secure Redox!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-07-11T16:06:51.469Z"}]