
Centers for Medicare & Medicaid Services - Public Bug Bounty Program 2025
External Program
Submit bugs directly to this organization


Last updated: 02 Jan 2026 17:56:28 GMT+0 [View changes](/engagements/cms-bbpublic/changelog/18412e9b-a5c1-465e-a18c-a2d15235af30)
The goal of the 2025 CMS Bug Bounty is to improve the security posture of CMS information systems by proactively identifying and mitigating vulnerabilities prior to adversarial exploitation through monetary incentives for security research.
This engagement invites security researchers to mimic hacker behavior to identify and report on vulnerabilities in select CMS systems. This approach provides an additional layer of scrutiny beyond CMS’ internal security tools and practices. Researchers with diverse expertise also apply new, innovative and different methods to identifying vulnerabilities.
The bounty for each vulnerability is set on a sliding scale according to criticality. Details on the bounties can be found below.
In addition to adherence to the rules of 2025 CMS Bug Bounty, researchers must meet additional criteria. The vendor will ensure compliance with CMS requirements during participation.
This is a public program. Anyone may submit vulnerabilities for consideration, but bounty payments are subject to eligibility requirements. CMS and the vendor (Bugcrowd) do not conduct background checks. Instead, eligibility is enforced through sanctions screening, platform restrictions, researcher attestation, and payout controls.
Researchers must meet the following:
Citizenship/Residency: Researchers may participate regardless of citizenship, but they may not hold citizenship of, or reside in, any of the following countries: Afghanistan, Central African Republic, China, Cuba, Cyprus, Democratic Republic of Congo, Eritrea, Haiti, Iran, Iraq, Lebanon, Libya, North Korea, Russia, Somalia, South Sudan, Sudan, Syria, or Zimbabwe.
Watch List: Researchers may not appear on the U.S. Treasury’s “Specially Designated Nationals” (SDN) list.
Criminal Background: Researchers must attest that they have not been convicted of a felony or misdemeanor. No background checks will be performed; this requirement is enforced through attestation and payout controls.
Experience: Researchers of all levels of experience are welcome.
Affiliation: If a current Federal employee or contractor, researchers may need Counsel consultation and approval. Current CMS Federal employees and contractors may not participate in the 2025 CMS Bug Bounty.
Equipment: All testing must be done on personally owned devices.
Skills: Researchers must possess the knowledge, skills, and abilities most applicable and valuable for the goals of the engagement and the specific assets and areas of focus.
Note: Submissions from ineligible participants may still be reviewed for security value, but bounty payments will only be issued if the researcher meets the eligibility requirements above.
To be eligible for rewards, all reports must include a proof of concept (POC) that can be replicated by authorized Bugcrowd and CMS personnel.
All information required to reproduce each vulnerability must be submitted prior to the program closing. Any reports requiring more information after the program has ended will not be considered for a reward.
CMS will evaluate the plausibility, existence, and status of vulnerabilities submitted for bounties and reserves the right to make all decisions regarding vulnerability validity, status, and eligibility for bounty payment. CMS reserves the right to end the payment of bounties at any time. Bounty awards will be prioritized based on the submission timestamp for the initial instance of each unique vulnerability.
Findings already documented or known to the CMS team will not be eligible for bounty payments.
Duplicates: Researchers are encouraged to report all vulnerabilities that they find and to re-test after CMS has remediated the issue. Additional bounties will not be awarded for retesting the same vulnerability unless new or related issues are discovered. Vulnerabilities that share the same root cause and affect multiple sections or areas of a website will be treated as duplicates. In such cases, only the first instance of the vulnerability will be eligible for a bounty, though reporting additional instances is still encouraged to support comprehensive remediation efforts. A global fix is recommended to address the root cause across all affected sections.
For the initial prioritization/rating of findings, this program will use the [Bugcrowd Vulnerability Rating Taxonomy](https://bugcrowd.com/vulnerability-rating-taxonomy). However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher, along with the opportunity to appeal and make a case for a higher priority.
The bounty for each vulnerability is set on a sliding scale according to criticality.
| Priority | Impact | Vulnerability Examples | Bounty Amount |
|---|---|---|---|
| P1 | Provide proof that a vulnerability is present on an in-scope asset | Command Injection, SQL Injection, Remote Code Execution | $5,000 - $7,000* |
| P2 | Provide proof that a vulnerability is present on an in-scope asset | Directory Traversal, Poor Encryption Standards | $2,500 - $3,500 |
| P3 | Provide proof that a vulnerability is present on an in-scope asset | Reflected XSS with impact, Direct Object Reference, URL Redirect, CSRF with impact | $1,000 - $2,500 |
| P4 | Provide proof that a vulnerability is present on an in-scope asset | SSL Misconfigurations with little impact, SPF configuration problems, XSS with limited impact, CSRF with limited impact | $250 - $500 |
Critical: $5,000 – $7,000 Critical submissions are evaluated based on real-world impact. Findings that expose PII or PHI may qualify for payouts up to $7,000 only when associated with designated, high-impact URLs (T-MSIS, MACFIN, FFM). These URLs are considered hard targets due to restricted access, unique backend dependencies, or role-based authorization requirements. Although they may appear similar to public endpoints, their behavior and data exposure differ depending on environment or user privileges. Vulnerabilities confirmed on these designated URLs may receive higher rewards due to the elevated testing complexity and data sensitivity involved. These URLs are currently out of scope but will be added in February 2026 to align with the enrollment period.
Out of scope
Out-of-scope target table (columns: Name / Location, Tags, Known issues): all entries are redacted on the source page.
Testing is authorized only on the targets explicitly listed as in scope. All systems and services associated with those domains, including their subdomains, are in scope unless explicitly excluded.
Websites that are CMS-owned or CMS-managed and link to this policy are also considered in scope.
Additional Clarifications and Examples:
Vendor-operated or third-party systems are excluded from this program, even if they are linked from CMS.gov or other CMS websites.
Any vulnerabilities discovered in these systems should be reported directly to the vendor through their disclosure policy (if available). No bounty will be awarded for these findings.
Third-Party Platforms: Systems hosted or operated by vendors such as Salesforce, ServiceNow, or Atlassian (e.g., *.my.site.com, *.service-now.com, *.atlassian.net).
Linked Vendor Sites: Contractor-managed resources linked from CMS.gov, including FAQs, training materials, or help centers, remain out of scope.
Vendor Systems Using CMS Credentials: External vendor platforms that allow login with CMS credentials are excluded unless explicitly listed as in scope.
These reports should be directed to the vendor in accordance with their disclosure policy (if any).
Any CMS domain or asset not listed below is out of scope. If a security researcher identifies a vulnerability in a system outside the scope, they are encouraged to report the issue through the vendor’s reporting mechanism. However, no bounty will be paid for such reports. The vendor may be able to assist with the reporting of these vulnerabilities.
Targets may be added or removed while the program is active, though changes are typically made during designated pause windows. These windows allow CMS and Bugcrowd to reassess scope, adjust priorities, and refine test focus areas.
The following are not eligible for bounties:
Any findings discovered outside of the Scope. These may be reported through the CMS Vulnerability Disclosure Program https://bugcrowd.com/engagements/cms-vdp.
CMS will not provide test accounts, temporary credentials, or privileged access of any kind to external security researchers. All testing must be performed externally using only publicly accessible functionality. No VPN, privileged access, or internal accounts will be provided.
CMS cannot provide test accounts. Any submission requiring a test account to validate the vulnerability will be forwarded to the relevant system team for validation. This process may introduce some delays, but CMS will work to complete validation as quickly as possible.
Researchers are prohibited from using leaked, breached, or exposed credentials to access CMS systems, even if discovered via open sources. Any attempt to log into systems using such credentials will be considered out of scope and a potential violation of federal policy. Submissions based on login or account takeover from third-party leaks (e.g., Telegram, data dumps) will be rejected.
Vulnerabilities supported by data from private, invite-only, or unauthorized sources (e.g., Telegram groups, breach forums) are not accepted. Only information gathered from publicly accessible and legally obtained sources is permitted.
Theoretical vulnerabilities
Informational disclosure of non-sensitive data
Low-impact session management issues
Self-XSS (user-defined payload)
* https://www.eqrs.cms.gov and all related subdomains, APIs, and supporting services.
* https://www.portalval.cms.gov (T-MSIS, MacFin, FFM)
* https://www.cuidadodesalud.gov/es
* https://developer.cms.gov/marketplace-api/
Scope of Findings: Sensitive vs. Non-Sensitive Data
pose a security or privacy risk, such as general trends, findings, or procedural information, is also not valid for reporting under this engagement. Duplicate findings on public documents will not be accepted unless new sensitive data is identified.
Sensitive Data Considerations: Findings involving sensitive data, such as the following, are considered valid:
Personally Identifiable Information (PII): PII is any data that could individually or, when combined with other elements, identify a consumer. Examples include a consumer’s name, address, telephone number, Social Security Number, Marketplace application ID, or other identifiers. Consumers have the right to access, inspect, and/or correct their PII upon request. Assisters, such as Navigators or certified application counselors, are only permitted to create, collect, disclose, access, maintain, store, and use consumer PII for authorized purposes or with the consumer’s informed consent.
Name
Birth date
Social Security number
Alien Registration Number
Home address
Email address
Phone number
Electronic or paper federal tax returns (e.g., 1040, 941, 1099, 1120, and W2)
Medicaid/CHIP eligibility status
Citizenship or immigration status
Applicant ID
Household income
Qualified health plan (QHP) eligibility status
Advanced payments of the premium tax credit/cost-sharing reduction (APTC/CSR) eligibility status
Spoken and written language preference
Tobacco usage
Common identifiers, such as name, address, birth date, and Social Security Number
Information about the patient’s past, present, or future physical or mental health condition
Details on healthcare services provided to the patient
Information regarding past, present, or future payment for the healthcare provided to the patient
Financial Information: Bank account numbers, credit card details, tax information, and financial transaction records.
Authentication Data: Passwords, PINs, and security questions/answers used for system access.
Government Data: Classified information and national security-related data.
To be provided safe harbor as described below, researchers must read and agree to abide by the guidelines in this ROE.
Operational Monitoring and Defensive Controls
As part of routine security operations and service reliability monitoring, CMS may request limited testing metadata, such as source IP addresses or general testing windows, for certain classes of activity (for example, rate-limiting or availability-related testing).
This information is requested solely to support correlation with infrastructure logs and security telemetry. It is not used for researcher attribution, investigation, enforcement actions, or vulnerability validation.
Independent of the bug bounty program, CMS defensive systems (including WAFs, SOAR automation, and SOC controls) may automatically respond to traffic patterns that appear volumetric, abusive, or disruptive, in accordance with standard security practices.
Immediately cease all actions if and/or when a system is removed from scope
Respect the periods of availability and blackout dates. Any vulnerabilities discovered or reported during blackout dates or after a system has been removed from scope will not be eligible for bounties
Avoid destructive or disruptive actions to CMS information systems and operations
Refrain from exploiting any vulnerability beyond the minimal amount of testing required to prove its existence or to identify a related indicator. This means that researchers must:
Stop exploiting any vulnerability as soon as they are able to move laterally or vertically. Provide details of the exploit and await approval before proceeding with any escalation.
Avoid intentionally accessing the data, information transiting or stored on CMS information systems, or content of any communications, except that which is directly related to a vulnerability and access is necessary to prove that the vulnerability exists. If a researcher encounters sensitive information, they must immediately stop and report within the confines of the program
Refrain from exfiltration of data under any circumstances. This includes screenshots that may include sensitive data.
Avoid intentionally compromising anyone’s privacy or safety
Avoid intentionally compromising the intellectual property or other commercial or financial interests of any CMS personnel or entities or any legitimate third parties
Refrain from disclosing any details or information outside the terms agreed upon by CMS per the ‘Coordinated Disclosure’ provision below. Researchers must obtain explicit permission from CMS prior to disclosure of any results of a submission
Understand that any original submissions may be subject to separate disclosure by CMS under the Freedom of Information Act (FOIA)
Test in-scope CMS information systems in order to detect the vulnerability or identify an indicator related to the vulnerability for the sole purpose of providing [CMS] information about such vulnerability.
Report a product vulnerability to the affected vendor or a third-party vulnerability coordination service if a vulnerability is discovered in a CMS information system consequent to the product vulnerability or in a generally available product in order to enable the product to be fixed.
Use leaked credentials to test or login to any accounts that do not belong to them
Employ Distributed Denial of Service (DDoS)
Employ social engineering attacks, such as phishing, attempts to compromise passwords, or any distribution of malware
Attempt lateral movements to other systems
Attempt to bypass or disable rate limiting controls, or conduct stress testing. These protections are in place to ensure system stability and prevent unintentional Denial of Service (DoS).
Attempt to physically access a CMS or hosting provider facility
Test any systems or vulnerabilities not in scope
In conjunction with this ROE, the Information Security and Privacy Group commits to allowing researchers to publish mutually agreed information regarding a vulnerability after it has been remediated. CMS requires all researchers to obtain explicit permission from CMS prior to disclosing any knowledge gathered from this engagement, including vulnerabilities, indicators of vulnerabilities, data, architecture, or other system-related information. This applies to all the submissions for the program, regardless of validity or acceptance.
For any vulnerability discovered through this engagement to be disclosed, all parties (CMS, the Information Security and Privacy Group, and security researcher) must agree upon the date of disclosure and the disclosure level (i.e., limited or full) and the method of disclosure. Once the vulnerability or exploit is made public by CMS, the researcher may disclose the vulnerability or exploit publicly if it adheres to the agreed level of disclosure—limited or full—and any other parameters agreed upon for the disclosure.
If a researcher makes a good faith effort to comply with these ROE, CMS considers their actions to be:
Authorized under the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws related to authorized access on information systems), and CMS will not recommend or pursue legal action against security researchers for accidental and good faith violations of this policy;
Authorized, and therefore CMS will not bring a claim against the researcher under the Digital Millennium Copyright Act (DMCA) for circumvention of technology controls; and
Exempt from restrictions in relevant Terms & Conditions that would interfere with security research conducted in accordance with this policy, and CMS will waive those restrictions on a limited basis for work done under this policy.
Lawful, helpful to the overall security of the Internet, and conducted in good faith as stated in the CMS Vulnerability Disclosure Policy (VDP). Researchers are expected to comply with all applicable laws and operate in good faith.
[View all announcements](/engagements/cms-bbpublic/announcements)
JC announced Program Announcement - Effective Immediately
We are temporarily pausing this bug bounty program and are not accepting new submissions at this time. Any submissions received after this notice will be treated as out of scope.
We appreciate your understanding and will provide an update once the program is ready to resume.
JC announced EUA.CMS.GOV and EUA.CMS.GOV/EFI are now out of Scope
Any pending submissions submitted before the out of scope changes will be reviewed and processed accordingly.
If you have any questions on the change in the scope, please [create a ticket with Bugcrowd Support](https://bugcrowd-support.freshdesk.com/support/tickets/new) to get them answered.
Thank you!
[View all CrowdStream activity](/engagements/cms-bbpublic/crowdstream)
Submission accepted on target: https://csscoperations.com
By Private user
Engagement Centers for Medicare & Medicaid Services - Public Bug Bounty Program 2025
Priority P3, accepted on 7 Jan 2026
Submission accepted on target: https://csscoperations.com
By Private user
Engagement Centers for Medicare & Medicaid Services - Public Bug Bounty Program 2025
Reward $2,500
Priority P3, accepted on 7 Jan 2026
Submission accepted on target: *eua.cms.gov
By https://bugcrowd.com/h/0x3bdal7alim
[Hall of Fame](/engagements/cms-bbpublic/hall_of_fames)
For any testing issues (such as broken credentials, an inaccessible application, or Bugcrowd Ninja email problems), please visit [Bugcrowd Support](https://bugcrowd-support.freshdesk.com/support/tickets/new) and create a support ticket. We will address your issue as soon as possible.
This engagement follows Bugcrowd’s [standard disclosure terms](https://www.bugcrowd.com/resource/standard-disclosure-terms/).
Disclosing vulnerabilities found in this engagement requires explicit permission, which is requested by selecting the disclosure request option on your submission. For more information, please review the [Public Disclosure Policy](https://docs.bugcrowd.com/researchers/disclosure/disclosure/#f-coordinated-disclosure).