KHealth
Bounty Range: $100 - $2,500
external program
Program guidelines
Platform Standards: Fully compliant with Platform Standards. https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards#h_e01bc643a8
Top Response Efficiency: This program's response efficiency is above 90%. https://docs.hackerone.com/en/articles/8490880-response-target-indicators
Managed by HackerOne. Collaboration enabled. Includes retesting.
Average time to first response: 10 hours
Average time to triage: 2 days, 7 hours
Average time to bounty: 1 month, 2 weeks
Average time from submission to bounty: 1 month, 3 weeks
Average time to resolution: 2 months, 1 week
Last updated on October 13, 2025. View changes: /khealth/bounty_table_versions
Each severity lists the 90-day average bounty and the percentage of total resolved reports, if applicable.
Severity | Avg. bounty (90 days) | Share of resolved reports
Low | $100 | 14.93%
Medium | n/a | 55.22%
High | n/a | 25.37%
Critical | n/a | 4.48%
Severity | Tier 1 | Tier 2
Low | $150 | $100
Medium | $400 | $200
High | $2,500 | $500
Critical | $6,000 | $2,500
We currently work with a tier-based bounty reward table. The reward amount for each severity and tier is shown in the table above.
Asset | What it is
K Health Android app (https://play.google.com/store/apps/details?id=ai.kanghealth) | Mobile app
K Health iOS app (https://apps.apple.com/se/app/id1180400838) | Mobile app
HHC 24/7 Android app (https://play.google.com/store/apps/details?id=org.hartfordhealthcare.hhc247) | Mobile app
HHC 24/7 iOS app (https://apps.apple.com/us/app/hhc-24-7/id6741442288) | Mobile app
start.khealth.com | Web app
auth.hhc247.org | Web app
app.khealth.com | Web app
ask.khealth.com | Web app
auth.khealth.com/cedars/sign-up | Web app
auth.khealth.com/khealth/sign-up | Web app
auth.khealth.com/mayo-la-crosse/sign-up | Web app
accounts.khealth.com | API
api.khealth.com | API
api.khealth.com/graphql | GraphQL API
clinical-quality.khealth.com/api/v1 | API
eligibility.khealth.com | API
payme-service.khealth.com/api/v3/API | API
salesforce.khealth.com | API
treatment-plan-service.khealth.com | API
This tier is for assets not named above.
Asset | What it is
*.khealth.com | Entire domain
*.khealth.io | Entire domain
*.kpharmacyllc.com | Entire domain
help.khealth.com | Web app
Assets containing dev, stg, or staging are out of scope
Subdomain careers.khealth.com and URL khealth.com/careers are out of scope
Domain hhc247.org is out of scope (except for subdomains explicitly mentioned in the tiers above)
All coupon and/or discount related findings are out of scope
All third party applications and components are out of scope
All techniques listed as Out of Scope under the Scope section are out of scope
Core Ineligible Findings are out of scope. Learn more: https://docs.hackerone.com/en/articles/8494488-core-ineligible-findings
Last updated on January 14, 2026. View changes: /khealth/policy_versions
K Health [Inc.]’s (“K Health”, “we”, “us” or “our”) mission is to use the power of shared knowledge to provide everyone with access to better, more affordable healthcare. We offer our users healthcare information based on the similar health experiences of others, or “People Like Me” as we like to call them. We also provide primary care and mental health services, enabling people to begin treatment without needing to physically visit a healthcare professional.
Our mobile application is freely available for download for Android and iOS so it’s vitally important for us to identify any vulnerabilities that might compromise our customers’ data and confidence in the protective measures we have put in place to safeguard it. We are excited to run this bug bounty program in parallel to our periodic penetration testing program to maintain a constant watch on our cyber posture and improve our security. K Health looks forward to working with the security community to find security vulnerabilities as part of our effort to keep our business and data safe.
As detailed in the Response Target section of the program.
You must be 18 or older to receive payment for an award. Payments for bugs found by individuals younger than 18 must be made to a parent or guardian. This Program is not open to individuals who reside in Lebanon, Cuba, Iran, North Korea, Syria, Crimea, Donetsk, Luhansk, Kherson and Zaporizhzhia regions of Ukraine. K Health current or former employees, contractors, consultants and their families are not eligible for rewards.
You must submit your Report as soon as you discover a potential vulnerability. By submitting the vulnerability, you confirm that you have not disclosed the vulnerability and agree not to disclose it, or your submission, to anyone outside this Program, following the process set forth in the Program.
Don’t publicly disclose a vulnerability without our consent. Disclosing a vulnerability without K Health's prior written consent would violate the Program and Policy. You understand and agree that monetary damages would not be a sufficient remedy for any breach of this paragraph by you, and that K Health is entitled to seek any remedy, including injunctive relief, in addition to all other legal or equitable remedies available to K Health.
Vulnerability Disclosure Process. The contents of the Report will be made available to the Security Team immediately, and will initially remain non-public to allow the Security Team sufficient time to publish a remediation. After the Report has been closed, public disclosure may be requested by either the Finder or the Security Team.
Mutual agreement. HackerOne encourages the Finder and Security Team members to remain in open communication regarding disclosure timelines. If both parties are in agreement, the contents of the Report can be made public on a mutually agreed timeline.
Protective disclosure. If the Security Team has evidence of active exploitation or imminent harm, they may immediately provide remediation details to the public so that users can take protective action.
Private Program. Your participation in this private Program is entirely optional and subject to strict non-disclosure by default. Prior to participating in this private Program, Finders should carefully review any program policies and non-disclosure agreements required for participation.
Finders that intend any form of public disclosure not in compliance with the above should not participate in private Programs. Finders are advised to exercise good judgment, as any safe harbor afforded by the Program Policy may not be available.
By submitting a Report in the Program, you agree to all Program Terms and Conditions, and you give us the right to use your Report for any purpose and you: Grant K Health the following non-exclusive, irrevocable, perpetual, royalty free, worldwide, sublicensable license to the intellectual property in your Report: (i) to use, review, assess, test, and otherwise analyze your Report; (ii) to reproduce, modify, distribute, display and perform publicly, and commercialize and create derivative works of your Report and all its content, in whole or in part; and (iii) to feature your Report and all of its content in connection with the marketing, sale, or promotion of this Program in all media (now known or later developed); Agree to assist us in enforcing the rights granted above and sign any documentation that may be required to confirm the rights granted above; Understand and acknowledge that K Health may have developed or commissioned materials similar or identical to your Report, and you waive any claims you may have resulting from any similarities to your Report; Understand that you are not guaranteed any payment or compensation for use of your Report; and Represent and warrant that your Report is your own work, that you haven't used information owned by another person or entity, and that you have the legal right to provide the Report to K Health. Submissions selected for rewards, and the individuals who submitted the vulnerabilities will receive recognition at the sole discretion of K Health. Eligibility for rewards, including the determination of the recipients and reward amount is left up to the sole discretion of K Health.
All information you receive or collect about K Health, its affiliates or any users, employees or agents in connection with the Program (“Confidential Information”) must be kept confidential and only used in connection with the Program. You may not use, disclose or distribute any such Confidential Information, including any information regarding your Report, without K Health’s prior written consent. You must get such written consent by submitting a disclosure request to K Health through the HackerOne platform.
Hackers may not initiate a session with a medical professional.
Please provide detailed reports with careful manual validation and reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
Please do not share reports based only on results from automated tools and scanners or which describe theoretical attack vectors without proof of exploitability.
We want you to search for bugs, not user data. If you encounter user information during your testing (e.g., Personally Identifiable Information (PII), Protected Health Information (PHI), credit card data, or other confidential information), stop immediately and notify us through HackerOne. Further guidance will be provided along with a bounty in accordance with this Policy.
Submit one vulnerability per report, unless you need to chain vulnerabilities to demonstrate impact.
When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
Bugs of similar nature or root cause reported by the same person may be combined into one item, thus constituting only a single award.
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
Chaining of bugs is not frowned upon in any way; we love to see clever exploit chains! However, if you have managed to compromise K Health’s environment, please do not escalate by port scanning internal networks, attempting to escalate privileges, attempting to pivot to other systems, etc. If you do acquire this level of access to an asset, please report it to us, and we will reward you with an appropriate bounty that takes into full consideration the severity of what could be done. Chaining a CSRF vulnerability with a self XSS? Nice! Using an AWS access key to dump sensitive info? Prohibited.
Don’t leverage internal access to continue testing. For example, if you have gained remote command execution on a server do not use that access to start scanning or exploring our internal systems. We will assess what, if anything, you could pivot to from your initial report and assess the impact based on that, even if you don’t identify the possibility yourself.
Don’t upload rootkits, malware, or otherwise go beyond what is necessary to prove a vulnerability exists.
Don’t leave systems in a more vulnerable state.
Don’t take any action that could impact the performance or availability of K Health.
Don’t make copies of K Health's private production data as “proof”. The report should suffice as proof of impact.
Be respectful of our team.
Verify your target; do not attack any 3rd party supporting K Health services.
Do not impact K Health customers in any way.
Visit https://khealth.com/
Click "Get started" in the top right of the screen
Visit App stores and install Android or iOS app, or visit the web app
https://apps.apple.com/us/app/k-health-telehealth/id1180400838
The web application can be found at https://app.khealth.com (most functionality is only available on the mobile apps)
The APIs are listed below in the asset list
Provide your HackerOne @wearehackerone.com email address if requested, for verification. The main reason for doing so is that in case of need, our team will know you are from HackerOne and have no malicious intentions.
In the app chat, when asked "what brought you here today?" please make sure to select "I just wanted to try this out".
Hackers are invited to test the application’s functionality, up to the point and excluding any sort of engagement or interaction with a medical professional (e.g. doctor, nurse, pharmacist). For example, setting an appointment to chat with a clinician / doctor is out of scope.
Header: In order to separate HackerOne hacker traffic from real user traffic, K Health requires that you include a unique string in the User-Agent of every HTTP request made by yourself or any tooling you use. Append the string (h1) to your User-Agent as follows:
User-Agent: [..] (h1)
Email: When registering, please make sure to use your @wearehackerone.com email address.
Any activity that could lead to the disruption, latency or denial of our service (DoS).
APK manifest related findings
Any API key present in the mobile package file (e.g. APK, IPA)
Apache Icon Leakage
Applications network security
Brute-force attacks
Clickjacking on pages with no sensitive actions
Insecure client storage of non-sensitive data
Coupon and / or discount features
Email settings, misconfigurations or bad practices (in SPF, DKIM, DMARC)
Enabled XML-RPC
Exported service without permissions (permissions granted and not used)
Exposed staging environments across organization
External Links using target='_blank'
Frame Sandbox Attribute Not Implemented
HTML comments
Hard-coded secrets
Invalid Header Value
Jailbreak bypass
Lacking redirect from HTTP to HTTPS
Missing HttpOnly or Secure flags on cookies
Missing best practices in Content Security Policy (CSP)
Missing best practices in SSL/TLS configuration
MiTM / Traffic inspection
Open redirect - unless an additional security impact can be demonstrated
Potential subdomain takeovers across organization
Rate-limiting related issues
Referrer-Policy / Missing Header
Self attacks
SOP Bypass / Wildcard CORS
Script Integrity Attribute Not Implemented
Strict-Transport-Security / Low max-age Directive
Strict-Transport-Security / Missing Header
TLS Certificate Will Expire
Unencrypted Sensitive Data Storage
User enumeration
WordPress related issues including:
WordPress non-zero days security findings
WordPress wp-links-opml
X-Content-Type-Options / Missing Header
X-Frame-Options / Missing Header (Cross-Origin Pixel Stealing)
If you make a good faith effort to comply with this Policy during your security research, we will consider your research to be authorized, we will work with you to understand and resolve the issue quickly, and K Health will not recommend or pursue legal action related to your research. If legal action is initiated by a third party against you in connection with activities conducted under this Program in compliance with this Policy and with all applicable laws and regulations, we will take steps to make it known that your actions were conducted in compliance with this Policy.
No Warranties: K HEALTH AND ITS AFFILIATES DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, AND MAKE NO GUARANTEES OR CONDITIONS WITH RESPECT TO THE PROGRAM. YOU UNDERSTAND THAT YOUR PARTICIPATION IN THE PROGRAM IS SOLELY AT YOUR OWN RISK. TO THE EXTENT PERMITTED UNDER APPLICABLE LAW, WE EXCLUDE ANY IMPLIED WARRANTIES IN CONNECTION WITH THE PROGRAM.
Limited Liability: IN NO EVENT SHALL K HEALTH, ITS DIRECTORS, OFFICERS, AFFILIATES OR AGENTS BE LIABLE FOR ANY COSTS OR DAMAGES WHATSOEVER, INCLUDING DIRECT, CONSEQUENTIAL, INDIRECT, SPECIAL OR PUNITIVE COSTS OR DAMAGES, ARISING OUT OF OR RELATING TO THE PROGRAM OR THE ACTIVITIES CONTEMPLATED HEREIN.
Changes to Program Terms: The Program, this Policy and any other terms and conditions applicable thereto constitute the entire agreement and understanding of the parties with respect to the items listed herein, and such Program terms may be modified, suspended, canceled or terminated by K Health at its sole discretion at any time, without notice. K Health may amend this Policy or any other terms or policies applicable to the Program at any time by posting a revised version on our Program page. By continuing to participate in the Program after K Health posts any such changes, you accept this Policy, as modified. If any term of the Program is found to be illegal or unenforceable, then the parties shall be relieved of their responsibilities arising under such term, but only to the extent that such term is illegal or unenforceable.
Tax: You are responsible for paying any taxes associated with rewards you may receive in connection with the Program. HackerOne handles all bounty payments through the HackerOne platform. Please refer to HackerOne’s relevant policies here.
Additional T&C. By participating in this program, you agree to comply with K Health’s terms of service https://khealth.com/tos. Your submission will be treated as User Content under the Terms of Service.
Thank you for supporting our efforts to increase security for K Health and our users!
See all hackers: /khealth/thanks
1. seudxs (reputation: 160)
2. nnhhaa (reputation: 151)
3. todayisnew (reputation: 124)
4. d0xing (reputation: 101)
5. fqdn (reputation: 90)
6. cuso4 (reputation: 72)
7. shlkl (reputation: 66)
8. 0xdln (reputation: 64)
9. criptex (reputation: 57)
10. mikemyers (reputation: 57)
11. bhavukjain1 (reputation: 57)
12. xssdoctor (reputation: 57)
KHealth
https://www.khealth.com Bug Bounty Program launched in Sep 2024
Response efficiency: 100%
Severity | Avg. bounty (90 days) | Share of submissions | Rewards
Low | $100 | 14.93% | $100–$150
Medium | n/a | 55.22% | $200–$400
High | n/a | 25.37% | $500–$2,500
Critical | n/a | 4.48% | $2,500–$6,000
Total bounties paid: >$50,000
Average bounty: $200
Top bounty range: $2,000 - $6,000
Bounties paid (90 days): $1 - $5,000
Reports received (90 days): 54
Last report resolved: 2 months ago
Reports resolved: 68
Hackers thanked: 70
Assets in scope: 24