Bug Bounty

Effective Date: February 10, 2026 | Last Updated: February 10, 2026

Radpilot Inc. ("Radpilot," "we," "us," or "our") is committed to maintaining strong security and reliability for healthcare professionals and organizations using our platform. Protecting clinical environments, safeguarding data, and maintaining system integrity are central to our mission.


We welcome responsible security researchers and developers to help us identify and resolve potential vulnerabilities before they can impact users. This program outlines how to responsibly report vulnerabilities, what issues qualify, how submissions are evaluated, and how rewards are determined.


Our program focuses on meaningful, high-risk security vulnerabilities that could materially impact Radpilot systems or users.

Rewards

Radpilot provides monetary rewards for validated, previously unreported vulnerabilities.


We offer rewards ranging from $50 to $1,000 for validated vulnerabilities based on severity, impact, and quality of the report.

Submission Guidelines

To qualify for review and reward, submissions must meet all of the following:


• Vulnerability affects Radpilot applications, systems, or infrastructure
• Issue has not previously been reported or scheduled for remediation
• Report includes clear reproduction steps
• Submission includes sufficient detail to validate the issue


We prioritize vulnerabilities that could expose sensitive data, compromise accounts, or materially impact service integrity.

Out-of-Scope Issues

The following are not eligible for bounty rewards:


• Denial-of-service or traffic flooding attacks
• Spam, phishing, or social engineering attacks
• Physical attacks or on-site access requirements
• Vulnerabilities in third-party services not controlled by Radpilot
• Issues requiring access to another user’s physical device
• Basic configuration observations or routine IT hygiene issues
• Self-compromise scenarios or test accounts created solely for demonstration


If uncertain whether something is in scope, you may contact us before testing.

Submission Process

All vulnerability reports must be submitted through our secure submission form.


Submit your report here:
Bug Bounty Form


Please use this form for all submissions so our security team can properly review, triage, and process potential rewards.

Responsible Disclosure Requirements

By participating in this program, researchers agree to:


• Keep vulnerability details confidential until resolution
• Avoid accessing or retaining user data beyond verification
• Avoid disrupting service availability
• Avoid exploiting vulnerabilities beyond proof of concept
• Provide reasonable time for remediation before disclosure


Our goal is cooperative resolution that protects users and systems.

Evaluation Process

Radpilot’s security team reviews submissions and typically acknowledges reports within five business days.


Submissions are evaluated based on:


• Severity and potential impact
• Exploitability and attack path
• Clarity and completeness of report
• Novelty of the finding


Researchers may be contacted for clarification or additional testing details.

Payment and Recognition

Rewards are issued after validation and remediation planning. Payment methods may vary based on researcher location and available options.


Recognition may be offered for significant contributions if researchers choose to be publicly acknowledged.

Program Terms

Radpilot reserves the right to modify, suspend, or terminate this program at any time. Participation does not create contractual obligations beyond the reward determination process described here.

Thank You

We appreciate the security community’s efforts to help protect Radpilot users and healthcare organizations.


Responsible disclosure directly improves product safety and trust.


For questions about this program, contact: security@radpilot.com

We may update this Policy as our requirements change. We’ll revise the “Last Updated” date and, if the changes are material, notify you by email or in-app notice.

Legal

This policy does not grant rights to act against applicable laws or contracts. Your testing must respect all legal and regulatory requirements. By submitting a report you agree that Radpilot may use the information to remediate the vulnerability and to contact you about your report.

Unanswered Questions?

Please don’t hesitate to reach out to us at legal@radpilot.io with any questions you have about the information contained on this page. We do not maintain a physical mailing address. Reach us anytime via email for questions or to exercise your privacy rights.