LifeOmic's Bug Bounty Program


How to get started

As you know from our scope listing, we have a couple of different products we want you to hack. Each product is a bit different and has a self-service account creation process, which we have outlined below. We are also always adding more targets, so check back often for new info.

Our primary in-scope products are as follows:

The following are OUT of scope:

  • LifeOmic WordPress websites (,, etc)
  • Production instances of non-mobile apps (

Precision Health Cloud (PHC) - The Rundown

This is our main health platform that houses patient data. Our dev instance, is where you should be hacking. It’s got all of our latest features deployed and changes multiple times throughout the day. Please avoid our production app at because we all know that it would be very bad to impact production. If your exploit is valid on dev, we will pay.

Tech Stack: Primarily Node.js running on AWS Lambda (serverless). Front-end is React.

Primary Documentation: LifeOmic Docs

Here’s our release-notes for fresh features: Release-Notes

Account Creation -

  1. Head to the PHC Dev Login page and click the “Sign Up” button. Make sure to use your [username] for the signup process. If you need to create multiple accounts, you can use [username]+[any_identifier] so that each account has a distinct address.

  2. Proceed through the user creation process.

  3. Once you have a username and can log in, head to this URL Health SubAccount Creation and create a subaccount. A fake credit card will autofill for you to use.

  4. Hack away

Want to add some fake patient data to test with? Try this:

  1. Download this ZIP file and unzip it in a location of your choice.

  2. Run the script, which will install our open-source CLI tool (also in scope). Enter your PHC subaccount name when prompted. The script will then authenticate you in the browser and create a project with demo data.

    You can use the CLI to import any data you wish for testing.

Mobile Apps - LIFE Fasting Tracker and LIFE Extend (iOS, Android)

These are the mobile apps we built for people interested in intermittent fasting and overall personal health. There is a social aspect and sharing capability to the apps that we would love for you to try to hack. You will find that the apps utilize the PHC back end for some of their functionality.

Grab the app from the iOS app store or the Google Play store and hack away. Use your email address when testing here as well.

Tech Stack: React Native, Graphql, AWS

Account Creation - Mobile Apps

When you sign up for an account on one of our mobile apps, your user is created as a member of the lifeomiclife PHC subaccount. This gives all mobile app users the same permissions. Please keep in mind that this is our live production app, so avoid interacting with other users when hacking; if you want to test the social and sharing features, do it between accounts you created yourself.

Privacy - Mobile Apps

You’ll find that our mobile apps err towards a user’s data being public in order to promote social interaction within the apps. Our apps have the concept of public and private “circles”, and a user’s circle membership decides who can see some of their data.

Currently, the following data is always public by default: first and last name, profile picture, profile description, cumulative LIFE points and surrounding metrics.

The following data is visible to another user only when the user is in a public circle or the querying user is in a private circle with them, and is otherwise private: fasting data.

The following data is always private: health history data.
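As an added example (our own illustration, not LifeOmic code), here are the circle rules above encoded as a small reference model in JavaScript, so a tester can predict which profile fields a given viewer should receive and flag anything extra that an API response returns. It assumes that fasting data is visible when the profile owner is in a public circle or shares a private circle with the viewer, that a user can always read their own data, and that unknown fields fail closed. The user ids, circle names and field names are constructed for the example and are not the apps’ real GraphQL schema.

```javascript
// Added example, not LifeOmic code: a reference model of the mobile apps'
// field-visibility rules, usable as an oracle when testing the API for
// authorization bypasses (e.g. one account reading another's fasting data).
// Field names, user ids and circles below are constructed for illustration.

// Visibility classes as the program page describes them.
const ALWAYS_PUBLIC = ["firstName", "lastName", "profilePicture", "profileDescription", "lifePoints"];
const CIRCLE_GATED = ["fastingData"];
const ALWAYS_PRIVATE = ["healthHistory"];

// Constructed circle directory: name -> { isPublic, members }.
const SAMPLE_CIRCLES = {
  "fasting-newbies": { isPublic: true, members: new Set(["alice", "bob"]) },
  "family": { isPublic: false, members: new Set(["bob", "carol"]) },
  "coworkers": { isPublic: false, members: new Set(["dave"]) },
};

function inPublicCircle(userId, circles) {
  return Object.values(circles).some((c) => c.isPublic && c.members.has(userId));
}

function sharePrivateCircle(userId, viewerId, circles) {
  return Object.values(circles).some(
    (c) => !c.isPublic && c.members.has(userId) && c.members.has(viewerId)
  );
}

// Decide whether `viewer` may read `field` of `owner`'s profile.
// Assumption: a user can always read their own data. Unknown fields fail closed.
function canView(owner, viewer, field, circles = SAMPLE_CIRCLES) {
  if (owner === viewer) return true;
  if (ALWAYS_PUBLIC.includes(field)) return true;
  if (ALWAYS_PRIVATE.includes(field)) return false;
  if (CIRCLE_GATED.includes(field)) {
    // Assumed reading of the rule: visible if the owner is in any public
    // circle, or the owner and viewer share a private circle.
    return inPublicCircle(owner, circles) || sharePrivateCircle(owner, viewer, circles);
  }
  return false;
}

// Filter a full profile object down to what `viewer` should receive.
function visibleProfile(owner, viewer, profile, circles = SAMPLE_CIRCLES) {
  return Object.fromEntries(
    Object.entries(profile).filter(([field]) => canView(owner, viewer, field, circles))
  );
}

// Compare the fields an API response actually returned for `owner`, queried
// as `viewer`, against the model. Anything the model forbids is a leak to report.
function findLeaks(owner, viewer, returnedFields, circles = SAMPLE_CIRCLES) {
  return returnedFields.filter((field) => !canView(owner, viewer, field, circles));
}

// Stand-alone demo: dave shares no circle with carol, so a response carrying
// carol's fastingData or healthHistory when queried as dave is a finding.
const constructedResponse = ["firstName", "lifePoints", "fastingData", "healthHistory"];
console.log(findLeaks("carol", "dave", constructedResponse)); // ["fastingData", "healthHistory"]
```

In practice you would fill the circle directory from accounts you created yourself, query the API as each account in turn, and feed the field names returned for another account into findLeaks; any non-empty result is a candidate authorization finding to reproduce and report.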

Corporate Wellness - The Rundown

This is our Corporate Wellness offering, which has not yet been released to production. Corporate Wellness integrates with our LIFE Extend mobile app and the PHC platform to track metrics around employee wellness data.

Tech Stack: Primarily Node.js running on AWS Lambda (serverless). Front-end is React.

Account Creation -

  1. Head to the Wellness Dev Login page and create a new account

  2. Proceed through the user creation process and create a “team” that will act as your corporate wellness account.

  3. Hack away

Opensource - The Rundown

All of our open-source projects are in scope and can be found on GitHub.

Authentication Information

Most of our services authenticate with temporary Bearer tokens that last one hour. These tokens are issued through either Single Sign-On or native authentication. It is possible to hold multiple authenticated sessions at once. Authentication issues are in scope, but a report that only describes these expected behaviors (the one-hour token lifetime, or concurrent sessions) without demonstrating further security impact will not be awarded.

Got Questions?

Join our Slack workspace to communicate with us and other hackers: Slack Invite Link