Keragon Vulnerability Disclosure Program

Introduction

Keragon is committed to the security of our platform and the protection of our customers' data, including Protected Health Information (PHI). We welcome and encourage security researchers to help us identify vulnerabilities in our systems. This policy describes how to report vulnerabilities to us, what we expect from you, and what you can expect from us.

We value the contributions of the security research community and recognize the importance of a coordinated approach to vulnerability disclosure. If you have discovered a security vulnerability, we encourage you to let us know immediately. We welcome the opportunity to work with you to resolve the issue promptly.

Adhering to industry standards is important to us, and our program follows the Coordinated Vulnerability Disclosure, Safe Harbor, Open Scope and Core Ineligible Findings, and Detailed Platform Standards.

Scope

The following assets are in scope:

  • keragon.com and all subdomains
  • Keragon's public-facing web application
  • Keragon's public API endpoints
  • Keragon's authentication and authorization systems

The following are out of scope:

  • Third-party services integrated with Keragon (e.g., payment processors, email providers)
  • Social engineering attacks (phishing, vishing, physical)
  • Denial-of-service (DoS/DDoS) attacks
  • Automated scanning that generates excessive traffic
  • Any testing against customer data or production PHI environments
  • Findings from automated tools without demonstrated impact

Our Commitments

  • Acknowledgment: We will acknowledge receipt of your report as per the response target below
  • Assessment: We will provide an initial severity assessment as per the response target below
  • Remediation: We will work to remediate confirmed vulnerabilities as per the response targets below
  • Communication: We will keep you informed of our progress throughout the remediation process
  • Safe harbor: We will not pursue legal action against researchers who comply with this policy

Researcher Guidelines

  • Do not access, modify, or delete data that does not belong to you - create test accounts for validation
  • Do not exploit vulnerabilities beyond what is necessary to demonstrate impact
  • Do not disclose vulnerabilities publicly until we have confirmed remediation (coordinated disclosure, 90-day maximum)
  • Do not perform testing that could degrade or disrupt Keragon services
  • Comply with all applicable laws

Legal Safe Harbor

Keragon considers security research conducted under this policy to be authorized conduct. We will not initiate legal action against researchers who discover and report vulnerabilities in good faith and in accordance with this policy. This safe harbor applies to applicable federal and state laws including the Computer Fraud and Abuse Act (CFAA) and the Digital Millennium Copyright Act (DMCA).

HIPAA-Specific Provisions

Given that Keragon handles PHI, researchers must observe extra care: never attempt to access, download, copy, or exfiltrate real patient data or PHI. If you inadvertently encounter PHI during testing, stop immediately, do not save or share the data, and report the exposure as part of your vulnerability submission so we can remediate. Keragon will treat any inadvertent PHI exposure discovered through this program as a potential HIPAA incident and follow our Breach Notification procedures.

Bug Bounty Program

Keragon's bug bounty program uses a tiered model combining monetary rewards with recognition-based incentives.

Keragon's Bug Bounty Program

Note: Reward amounts are at Keragon's discretion based on impact, quality of report, and whether a working PoC is provided. PHI-related vulnerabilities automatically receive a severity bonus multiplier of 1.5×.

Non-Monetary Incentives

Hall of Fame - A public page listing researchers who have submitted valid reports, ranked by contribution. Includes researcher name/handle, number of valid reports, highest severity found, and date of first contribution.

Swag & Recognition - Branded Keragon swag for first valid submission, personalized thank-you letter from CTO for critical findings, LinkedIn endorsement/recommendation for top contributors.

Early Access - Top researchers get early access to test new features before release.

Exclusions from Bounty

The following do not qualify for monetary rewards:

  • Previously known or duplicate issues
  • Issues already identified by internal scans
  • Vulnerabilities in out-of-scope assets
  • Reports without clear reproduction steps
  • Theoretical vulnerabilities without demonstrated impact