SetPoint Medical Bug Bounty Program

SetPoint Medical encourages proactive and good-faith discourse from the security community. To facilitate this, we are pleased to present our bug bounty program that offers recognition and monetary rewards for helping ensure that SetPoint Medical offers the most secure devices and systems to its customers. This program is designed to allow SetPoint Medical developers to discover and resolve security bugs before they can be abused.

Out-of-Scope Reports

Some categories of security reports are out of scope for our bug bounty reward program. These sorts of attack vectors often have already been considered and evaluated. Reports related to the following areas are considered out-of-scope for the bug bounty reward system:

  • Already-reported issues
  • Attacks against products that are not commercially available (including clinical trial devices)
  • Attacks against websites used solely for product marketing (SetPoint Medical devices interact with services on the setpointmedical.cloud domain)
  • Attacks against SetPoint Medical engineering, testing, and development systems
  • Reports from automated scanning tools
  • Social engineering and phishing attacks against patients, employees, or healthcare providers (including creation of counterfeit applications to harvest credentials)
  • SetPoint Medical’s internal business systems (i.e., those that do not interact with SetPoint Medical devices or patient information)
  • Attacks that require physical disassembly of devices
  • Communication denial-of-service attacks including, but not limited to, signal jamming, blocking of HTTP requests, and Distributed Denial of Service (DDoS)
  • Compromises due to credential stuffing attacks, or attacks that result from user credentials existing in breach corpuses

While we cannot promise a response or reward for an out-of-scope category, all reports will still be considered and evaluated.

Tier 3 Bug Bounties

Rewards

  • $100
  • SetPoint Swag Package
  • Recognition as a SetPoint Medical Security Contributor

Bug Categories

  • Website attacks that can be demonstrated to intercept unencrypted or decrypted patient information
  • Near-field attacks that prevent the scheduled stimulation of SetPoint Medical devices

Tier 2 Bug Bounties

Rewards

  • $1,000
  • SetPoint Swag Package
  • Recognition as a SetPoint Medical Security Contributor

Bug Categories

  • Persisted modification of the SetPoint Medical Cloud Infrastructure (i.e., domains that end in setpointmedical.cloud) that redirects endpoint calls of official SetPoint Medical applications
  • Near-field (e.g., Bluetooth range) reprogramming of SetPoint Medical devices with unauthorized firmware
  • Attacks that result in unauthorized stimulation of devices without clinician credentials

Tier 1 Bug Bounties

Rewards

  • $10,000
  • SetPoint Swag Package
  • Recognition as a SetPoint Medical Security Contributor

Bug Categories

  • Remote (i.e., greater than Bluetooth range) reprogramming of SetPoint Medical devices with unauthorized firmware
  • Escalation to administrator permissions in the SetPoint Medical Cloud Infrastructure (i.e., domains that end in setpointmedical.cloud)

Discretionary Bug Bounties

If an issue is reported that does not fall into one of the above categories, but does result in action from SetPoint Medical, SetPoint Medical may still reward reporters with recognition, swag, or monetary compensation. These rewards are made solely at SetPoint Medical’s discretion.

Rules

SetPoint Medical reserves the right to alter its bug bounty program at any point. SetPoint Medical will make the sole decision as to whether a report is novel and meets the criteria of one of its bug bounty categories.