skip to content

Learn about Color's copilot tool in collaboration with OpenAI here.

Reporting a Security Vulnerability

Color takes security vulnerabilities and concerns seriously. We encourage security researchers to report possible vulnerabilities in our web apps to us so that we can address these issues quickly. Color will acknowledge receipt of your report typically within 2 business days.

If you would like to report a potential vulnerability, please review our Vulnerability Disclosure Program details and submit relevant findings in the form below. You will shortly be invited to join our Vulnerability Disclosure Program.

If you have questions about the finding, please follow up with our VDP provider.

Security Vulnerability Disclosure Program illustration

Vulnerability Disclosure
Program Details:

As an industry leader in distributed healthcare and clinical testing, Color provides the technology and infrastructure to power large-scale health initiatives. Color’s technology, infrastructure and services are the backbone of large-scale population health programs for over 200 institutions worldwide. We are excited to work with researchers to find potential critical vulnerabilities and gain new insight into our security posture.

We are eager for you to participate as a security researcher to help us identify potential vulnerabilities in our web apps. Please submit your current potential findings in the form below and you will shortly be invited to join our Vulnerability Disclosure Program.

However, refer to our Vulnerability Disclosure Program before conducting any further research. The program defines legally helpful research protected by Safe Harbor v. unauthorized research. The Program explains focus areas, in scope, and out of scope targets. The program also provides research accounts, vulnerability ratings, and rewards.

Focus Areas:

  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • Authentication or authorization flaws
  • Server-side code execution bugs
  • Sensitive data exposure
  • Additional potential findings from the OWASP top 10 will also be investigated
  • Potentially clever vulnerabilities or unique issues that do not fall into explicit categories
Security Out of Scope icon


  • Any activities that could lead to the disruption of our service (DoS/DDoS). Those activities include, but are not limited to unmonitored automated scanning
  • Staging environments (Only test subdomains of Examples of staging environments are listed within our private bug bounty program.)
  • Do NOT contact Color support or help desk for bug bounty related concerns – please contact Bugcrowd support (
  • Do NOT exfiltrate any live client data – ONLY test against accounts you expressly own
  • Do NOT perform any testing that might degrade the user experience on the app – if you have questions, please ask and err on the side of caution
  • Do NOT perform any automated testing against forms or functionalities that go out to support teams or any other group that will have to process your payload
  • Some missing email best practices such as missing DMARC on nonsubdomain DNS records.
  • Intentional or accidentally duplicated potential findings will not be accepted as a vulnerability
  • We evaluate every potential finding. However, targets that are not explicitly in scope according to the form below may not be eligible for acceptance
  • Any submissions for rate limiting will not be accepted