<aside> ⚠️ All contact about security issues and our bug bounty program should go to [email protected]. Messages sent to other team members will be redirected to [email protected] for handling and resolution.

</aside>

Document Version: 1.0.1 Last Updated: 09/06/2023

Introduction

  1. Perx Health is committed to ensuring the security and integrity of our systems and applications. As part of our ongoing efforts to identify and address potential vulnerabilities, we are launching a bug bounty program to encourage security researchers and ethical hackers to responsibly disclose any security issues they discover. This document outlines the eligibility criteria, scope, and rewards associated with our bug bounty program.

Eligibility

  1. Our bug bounty program is open to individuals and organizations worldwide, subject to the following eligibility requirements:
    1. Age:
      1. Participants must be at least 18 years old.
    2. Compliance:
      1. Participants must comply with all applicable laws and regulations.
    3. Disclosure:
      1. Participants must notify Perx Health that they intend to participate in the program before engaging in any testing activity.
    4. Reporting:
      1. Participants must report any and all vulnerabilities found, regardless of reward category.
    5. No Conflict of Interest:
      1. Participants must not have any conflicts of interest that could compromise the security or reputation of Perx Health.
    6. No Unauthorized Access:
      1. Participants must not attempt to gain unauthorized access to any data, systems, or networks other than those explicitly included in the scope of the program.

Scope

  1. The bug bounty program covers security vulnerabilities found in the following assets:
    1. Web Applications:
      1. portal.perxhealth.com
      2. dashboard.perxhealth.com
      3. my.perxhealth.com
      4. gday.perxhealth.com
      5. hello.perxhealth.com
    2. Mobile Applications:
      1. iOS Application (com.perxhealth.Perx)
      2. Android Application (com.perxhealth.android)
    3. APIs:
      1. api-au.staging.cloud.perxhealth.com
      2. api-us.staging.cloud.perxhealth.com
      3. connect-au.qa.cloud.perxhealth.com
      4. connect-us.qa.cloud.perxhealth.com
  2. Note: All Perx Health assets not listed above are explicitly out of scope.
    1. Vulnerabilities in out-of-scope assets that are nonetheless disclosed to us may be rewarded at the discretion of Perx Health.

Vulnerability Categories

  1. The following vulnerability categories are within the scope of our bug bounty program:
    1. The current OWASP Top Ten (https://owasp.org/www-project-top-ten/)
    2. Cross-Site Scripting (XSS)
    3. Cross-Site Request Forgery (CSRF)
    4. Remote Code Execution (RCE)
    5. Server-Side Request Forgery (SSRF)
    6. SQL Injection (SQLi)
    7. Authentication or Authorization Issues
    8. Privilege Escalation
    9. Information Disclosure
    10. Remote File Inclusion (RFI) / Local File Inclusion (LFI)
    11. Other Critical Security Vulnerabilities as determined by Perx Health after verification.

Reporting Guidelines

  1. To be eligible for a reward, participants must adhere to the following reporting guidelines:
    1. Submitting Reports:
      1. All vulnerability reports must be submitted through our designated bug bounty platform or email address ([email protected]).
    2. Detailed Reports:
      1. Reports should be detailed, providing a clear explanation of the vulnerability, the potential impact, and steps to reproduce the issue.
    3. Supporting Material:
      1. Screenshots, proof-of-concept code, and any other supporting material should be provided to help reproduce and understand the vulnerability.
    4. Confidentiality:
      1. Participants must not disclose or share any vulnerability details with third parties without explicit permission from Perx Health.
    5. Responsible Disclosure:
      1. Participants should refrain from exploiting any vulnerabilities beyond what is necessary to demonstrate the issue.

Rewards

  1. Our bug bounty program offers rewards based on the severity of the reported vulnerability. The severity levels and corresponding rewards are as follows (All amounts in USD):
    1. Critical:
      1. Up to $8000 for severe vulnerabilities that could lead to significant compromise of data or systems.
    2. High:
      1. Up to $2500 for vulnerabilities with a high impact on security.
    3. Medium:
      1. Up to $750 for vulnerabilities with a moderate impact on security.
    4. Low:
      1. Up to $250 for vulnerabilities with a low impact on security.
  2. Note: The reward amounts are subject to review and may be adjusted based on the severity and impact of the reported vulnerabilities at the discretion of Perx Health.

Program Exclusions

  1. The following activities and vulnerabilities are specifically excluded from our bug bounty program:
    1. Social engineering or phishing attacks.
    2. Physical attacks against our facilities or employees.
    3. Denial of Service (DoS) attacks.
    4. Attacks on, or vulnerabilities in, non-production or end-of-life systems other than those explicitly listed in the Scope section.
    5. Vulnerabilities already reported by another participant.
    6. Vulnerabilities in third-party applications not directly maintained by Perx Health.

Legal Considerations