Bug Bounty Policy

Overview

Quilt Health is committed to ensuring the security and privacy of our users' data. We welcome security researchers to help us identify and address potential vulnerabilities in our systems through our responsible disclosure program.

Scope

In Scope

  • All Quilt Health owned domains and subdomains

  • Web applications and APIs

  • Mobile applications (iOS and Android)

  • Infrastructure and network security issues

Out of Scope

  • Third-party services and integrations not owned by Quilt Health

  • Social engineering attacks against Quilt Health employees

  • Physical security testing

  • Denial of Service (DoS) attacks

  • Spam or social engineering content

  • Reports from automated tools without additional analysis

  • Issues requiring physical access to Quilt Health facilities

Vulnerability Categories

We are particularly interested in reports of the following types of vulnerabilities:

High Priority:

  • Remote code execution (RCE)

  • SQL injection

  • Authentication bypasses

  • Authorization flaws leading to privilege escalation

  • Cross-site scripting (XSS) with demonstrated impact

  • Server-side request forgery (SSRF)

  • Insecure direct object references (IDOR)

  • Payment processing vulnerabilities

Medium Priority:

  • Cross-site request forgery (CSRF)

  • Information disclosure

  • Business logic flaws

  • Cryptographic issues

  • Session management vulnerabilities

Lower Priority:

  • Missing security headers (without demonstrated impact)

  • SSL/TLS configuration issues

  • Directory listings

  • Verbose error messages

Rules of Engagement

To participate in our bug bounty program, you must:

Do:

  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services

  • Only interact with accounts you own or with explicit permission from the account holder

  • Contact us at security@quilthealth.com before making any security issue public

  • Provide detailed reports with clear steps to reproduce the vulnerability

  • Be patient during our investigation and remediation process

Don't:

  • Access or modify data that doesn't belong to you

  • Perform attacks that could harm the reliability or integrity of our services

  • Use social engineering techniques against our employees or contractors

  • Violate any laws or breach any agreements in your research

  • Test on production systems in ways that could impact users

  • Publicly disclose vulnerabilities before we've had a chance to investigate and address them

Reporting Process

How to Report

Send detailed vulnerability reports to: security@quilthealth.com

Report Requirements

Your report should include:

  • Clear description of the vulnerability

  • Step-by-step reproduction instructions

  • Screenshots or proof-of-concept code (when applicable)

  • Potential impact assessment

  • Suggested remediation steps (optional but appreciated)

  • Your contact information for follow-up questions

Response Timeline

  • Initial Response: Within 2 business days

  • Triage and Validation: Within 5 business days

  • Resolution Timeline: Varies based on severity and complexity

  • Disclosure: We will work with you on appropriate disclosure timing

Recognition and Rewards

While we don't currently offer monetary rewards, we provide:

Recognition

  • Public acknowledgment on our security page (with your permission)

  • Certificate of appreciation for qualifying reports

  • Direct communication with our security team

Reward Eligibility

To be eligible for recognition:

  • Report must be submitted to security@quilthealth.com first

  • Vulnerability must be in scope and previously unknown to us

  • Report must include sufficient detail for reproduction

  • You must follow our responsible disclosure guidelines

Legal Safe Harbor

We will not pursue legal action against researchers who:

  • Make a good faith effort to comply with this policy

  • Report vulnerabilities through the proper channels

  • Avoid violating the privacy of others, disrupting systems, or destroying data

  • Don't engage in extortion or similar misconduct

Privacy and Confidentiality

  • We respect the privacy of vulnerability reporters

  • We will not share your personal information without permission

  • Communication regarding your report will be kept confidential

  • We may anonymize technical details when documenting internally

Updates to This Policy

This policy may be updated from time to time. Check back regularly for the most current version. Material changes will be posted on our website and communicated to active researchers.

Contact Information

Security Team: security@quilthealth.com

General Questions: For non-security related questions about this policy, contact us through our standard support channels.

Bug Bounty Submission Template

Reporter Information

Name: [Your Name]
Email: [Your Email]
Handle/Username: [Your Handle]

Vulnerability Overview

Title: [Brief, descriptive title of the vulnerability]
Severity: [Critical/High/Medium/Low]
CVSS Score: [If calculated]
Date Discovered: [MM/DD/YYYY]

Technical Details

Description

[Provide a clear, concise description of the vulnerability. Explain what the issue is and why it's a security concern.]

Affected Components

  • URL(s): [List affected endpoints, pages, or features]

  • Application version: [If applicable]

  • Operating system/platform: [If relevant]

  • Browser/client: [If web vulnerability]

Steps to Reproduce

  1. [Step 1]

  2. [Step 2]

  3. [Step 3]

  [Continue as needed with clear, numbered steps that allow the security team to recreate the issue]

Proof of Concept

[Include any code samples, scripts, or commands used to exploit the vulnerability. If a multi-step process, be explicit about each step.]

[Sample code or payload if applicable]

Impact

[Explain the potential consequences if this vulnerability were to be exploited. Be specific about what an attacker could potentially access or actions they could take.]

Supporting Materials

  • [Screenshots (annotated if helpful)]

  • [HTTP request/response logs]

  • [Video demonstration (link if file too large)]

  • [Other relevant files or evidence]

Suggested Mitigation

[If you have recommendations for how to fix the issue, include them here. This is optional but appreciated.]

Additional Notes

[Any other information that might be helpful, including related vulnerabilities, unusual circumstances, or alternative attack vectors.]

Disclosure Timeline

  • Date discovered: [MM/DD/YYYY]

  • Date reported: [MM/DD/YYYY]

  • Additional communications: [List dates of any follow-ups]

I have read and complied with the bug bounty program policies and have conducted all testing in accordance with responsible disclosure practices.