Help Us KeepHealthcare Secure
Join our bug bounty program and help protect millions of patients' health data. We reward security researchers who responsibly disclose vulnerabilities in our systems.
Program Overview
Our bug bounty program is designed to identify and address security vulnerabilities in our healthcare platform through collaboration with ethical security researchers.
Responsible Disclosure
We believe in working together with the security community to protect our users.
Fair Rewards
Competitive bounties based on vulnerability severity and potential impact.
Legal Protection
Safe harbor provisions protect researchers acting in good faith.
Fast Response
We acknowledge reports within 24 hours and provide regular updates.
Why Partner with RGHS Security?
We're committed to maintaining the highest security standards for healthcare data. Your contributions help protect millions of patients and healthcare providers worldwide.
Scope & Rules
Clear guidelines on what's included in our bug bounty program and the rules researchers must follow when testing our systems.
In Scope
Web Applications
- *.rghs.com and all subdomains
- Patient portal and dashboard
- Provider portal and EHR system
- API endpoints and GraphQL interfaces
- Authentication and authorization systems
Mobile Applications
- RGHS Patient Mobile App (iOS/Android)
- RGHS Provider Mobile App (iOS/Android)
- Deep linking and URL schemes
- Push notification systems
- Offline data storage mechanisms
Infrastructure
- Cloud infrastructure misconfigurations
- Database security vulnerabilities
- Network security issues
- Container and Kubernetes security
- CI/CD pipeline security flaws
Out of Scope
Program Rules
Testing Guidelines
- Do not access, modify, or delete user data
- Do not perform actions that could harm system availability
- Use only test accounts you create yourself
- Do not perform testing on production systems during peak hours
- Limit automated testing to avoid system overload
Responsible Disclosure
- Report vulnerabilities only to security@rghs.com
- Allow reasonable time for remediation before disclosure
- Do not publicly disclose vulnerabilities before approval
- Provide detailed reproduction steps and proof of concept
- Act in good faith and avoid privacy violations
Legal Compliance
- Comply with all applicable laws and regulations
- Respect user privacy and data protection laws
- Do not violate terms of service of third-party systems
- Report findings only through official channels
- Maintain confidentiality of discovered vulnerabilities
Important Notice
Violation of program rules may result in immediate disqualification from the bug bounty program and potential legal action. Always follow responsible disclosure practices and respect user privacy.
Reward Structure
Our rewards are based on the severity and impact of discovered vulnerabilities, with additional bonuses for high-quality reports and exceptional findings.
Vulnerabilities that could lead to complete system compromise or massive data breach
Examples:
- Remote code execution on production servers
- SQL injection leading to database compromise
- Authentication bypass affecting all users
- Direct access to sensitive patient data
Significant security flaws that could compromise user accounts or sensitive data
Examples:
- Privilege escalation vulnerabilities
- Stored XSS affecting multiple users
- Insecure direct object references to PHI
- CSRF attacks on critical functions
Moderate security issues that could affect individual users or system integrity
Examples:
- Reflected XSS vulnerabilities
- Information disclosure issues
- Session management flaws
- Business logic vulnerabilities
Minor security issues with limited impact but valuable for overall security posture
Examples:
- Missing security headers
- Information leakage in error messages
- Weak password policies
- Minor configuration issues
Bonus Multipliers
Quality of Report
Detailed reproduction steps, proof of concept, and suggested fixes
First Discovery
First person to report a specific vulnerability class
Impact Demonstration
Clear demonstration of real-world impact and exploitation
Fix Contribution
Providing code patches or detailed remediation guidance
Payment Timeline
- Initial triage within 24 hours
- Severity assessment within 5 business days
- Reward determination within 10 business days
- Payment processed within 30 days of resolution
Payment Methods
- Bank transfer (preferred)
- PayPal for international researchers
- Cryptocurrency (Bitcoin, Ethereum)
- Charitable donation (upon request)
Tax Considerations
- Tax forms provided for US researchers
- International compliance handled per country
- Researcher responsible for tax obligations
- Consultation available for tax questions
Total Rewards Available
Annual budget dedicated to rewarding security researchers who help us maintain the highest security standards for healthcare data protection.
Submission Process
Follow our streamlined process to report vulnerabilities and receive rewards. We've designed this process to be efficient and transparent for all researchers.
Discovery & Testing
Identify potential vulnerabilities following our scope and rules
- Review in-scope systems and applications
- Perform testing within established guidelines
- Document findings with screenshots/evidence
- Verify vulnerability impact and reproducibility
Report Submission
Submit detailed vulnerability report through our secure portal
- Use our submission form with all required fields
- Include detailed reproduction steps
- Provide proof of concept where applicable
- Classify severity based on our guidelines
Initial Triage
Our security team reviews and acknowledges your submission
- Acknowledgment within 24 hours
- Initial assessment of severity and scope
- Request for additional information if needed
- Assignment to appropriate security engineer
Validation & Assessment
Detailed analysis and validation of the reported vulnerability
- Reproduction of the vulnerability by our team
- Impact assessment and risk analysis
- Severity classification and reward determination
- Development of remediation plan
Resolution & Reward
Vulnerability fix implementation and reward processing
- Security patch development and testing
- Deployment to production systems
- Final reward calculation including bonuses
- Payment processing and Hall of Fame addition
Secure Email
SecurePrimary contact for vulnerability reports
PGP Encrypted
SecureFor highly sensitive vulnerability reports
Emergency Hotline
For critical vulnerabilities requiring immediate attention
By submitting a report, you agree to our bug bounty program terms and responsible disclosure policy.
Security Hall of Fame
Recognizing the outstanding security researchers who have contributed to making RGHS safer for millions of healthcare users worldwide.
Alex Chen
@alexsec
Sarah Martinez
@sarahfinds
David Kumar
@dkumar_sec
Emma Thompson
@emma_hacks
Michael Zhang
@mzhang_bug
Lisa Anderson
@lisa_secure
Recent Achievements
First Critical Find
$25,000Discovered the first critical vulnerability in our new patient portal
Mobile Security Champion
$18,500Found 5 high-severity vulnerabilities in our mobile applications
API Security Master
$15,200Comprehensive API security assessment with detailed remediation guide
Researcher Badges
Elite Researcher
1 awardedMobile Expert
1 awardedAPI Specialist
1 awardedInfrastructure Pro
1 awardedAuth Expert
1 awardedDatabase Guardian
1 awardedQuality Reporter
12 awardedFast Responder
8 awardedJoin Our Security Community
Become part of an elite group of security researchers helping protect healthcare data. Your contributions make a real difference in patient safety and data security.