BriteMED is committed to maintaining cybersecurity and works closely with partners and the community to ensure product security and safeguard the integrity of user data and systems. The BriteMED Security Bounty Program aims to recognize researchers' contributions to the security and privacy protection of our users. If you submit a research report related to security or privacy vulnerabilities, your report may be eligible for a reward.

Program Scope

Our security bounty program only accepts security vulnerabilities in BriteMED products and services. Out-of-scope vulnerabilities will not be eligible for a reward, with exceptions made for out-of-scope reports of critical vulnerabilities depending on the situation.

System Software

BriteMED-developed system software: system software designed and developed by BriteMED and integrated into BriteMED products.

System Software

BriteMED Official Website

BriteMED official website, excluding third-party and open-source software.

BriteMED Official Website

How to Report Security Issues and Vulnerabilities

Use the below PGP encryption public key to encrypt your email and send it to security@britemed.com.tw, BriteMED PSIRT will contact you as soon as possible.

Suggested Format for Vulnerability Report

System Software
BriteMED Official Website

PGP Encryption Key

Submit a report

Reward Qualifications

icon

You must be the first researcher to report the vulnerabilities.

icon

You must not have publicly shared any files and/or details related to the vulnerability. This includes uploads to any publicly-accessible websites.

icon

The reported vulnerability is confirmed to be verifiable, replicable, and a valid security issue by the BriteMED PSIRT team.

icon

You agree to all the terms and conditions of the Security Bounty Program.

The reward amount is subject to adjustment,depending on:

  • Follow the suggested vulnerability reporting format: Please provide the necessary and sufficient information for the vulnerability report. Suggested formats include: System software format example and BriteMED official website format example.
  • Steps to Reproduce: Illustrate your steps to reproduce the vulnerabilities.
  • Problem Descriptions: Clearly and concisely present your troubleshooting and approach.
  • Other Supporting Information: Include testing code, scripts, and anything else required for your explanation.
  • Raw Data of Attacks (exploit payload): A report in text form is required for ensuring data integrity. Vulnerability assessments can fall short of BriteMED PSIRT's expectations when network payloads were provided in images only.
  • 1

    How is the bounty reward determined?

    The reward is determined by the Reward Committee, composed of BriteMED PSIRT members, based on the complexity of exploiting the vulnerability and the severity of the security vulnerability, including the percentage of affected users and systems.

  • 2

    Can I submit a video as proof-of-concept?

    If videos make it easier for us to understand how vulnerabilities are exploited, the BriteMED Award Committee may increase the reward as a result. Please note that written documentation must still be provided (e.g., product information, vulnerability summary, and steps to reproduce) as it helps in managing the vulnerability disclosure process.

  • 3

    What information must be included in a vulnerability report?

    A vulnerability report must include at least the following information: the product name, version, and build number where the vulnerability exists, or the URL location for cloud services. It should also include a summary of the potential threats posed by the vulnerability, along with clear and detailed replication steps. Additionally, the report may be accompanied by a video demonstrating the vulnerability.

  • 4

    How do I know if my submission has been received by BriteMED?

    Please use the PGP Key provided by BriteMED to encrypt the report and send it to security@britemed.com.tw. The system will automatically respond with a technical support number, which you can use to inquire about the review progress. The BriteMED PSIRT team will proactively contact the researcher to verify the completeness of the submitted information. If all the required information has been provided, the researcher will receive an BriteMED PSIRT vulnerability confirmation letter within two weeks. The award proposal will be communicated via email five weeks after the date of the vulnerability confirmation letter. If the researcher agrees, BriteMED will make the payment 12 weeks after receiving the confirmation response.