Description

Scope: Website + Android Apps + iOS Apps

Android Apps

  • KWS Companion: The application is only to be used by doctors and no logon information will be given.
  • mynexuz CPV: The application is only to be used by personnel of UZ Leuven responsible for transport of patients and no logon information will be given.
  • mynexuzhealth app: This application is intended to be used by patients in order to consult their private data, their doctors & appointments and more. Login: see below.

iOS Apps

  • KWS Companion: The application is only to be used by doctors and no logon information will be given.

Website

  • mynexuzhealth website: This website is intended to be used by patients in order to consult their private data, their doctors & appointments and more. Login: see below.

In order to be able to log on to the mynexuzhealth website and app, an ethical hacker will need to request one or more logon credentials via the platform. You can request this information via support (support@intigriti.be). The information they will receive is:

  • A user ID of 8 numbers
  • A PIN code of 4 numbers
  • A QR code

Bounties (Tier 2, up to €4,000)

Severity      Score        Bounty
Low           0.1 - 3.9    €0
Medium        4.0 - 6.9    €100
High          7.0 - 8.9    €400
Critical      9.0 - 9.4    €2,000
Exceptional   9.5 - 10.0   €4,000
Rules of engagement

  • Not applicable
  • Not applicable
  • max. 5 requests/sec
  • Not applicable

Domains

  • 134.58.179.82 (Tier 2, Other): Registration for code cards used to authenticate on the mynexuzhealth application

Severity assessment

It will be the responsibility of Intigriti to pay ethical hackers in a timely and legal way. Payouts will only take place after agreement with UZ Leuven on the criticality of the impact, and only if the submission was the first of its kind and agreed to be valid.

Duplicates policy: When two identical issues are reported, with different endpoints being the only difference between submissions, only the first submission will have the criticality below assigned.
If similar reports by the same user are reported within 14 days after accepting the previous (only differentiating in endpoint), the reports will be accepted but in a lower criticality and hence impact the bounty.

Rewards in this project are categorised according to impact, not according to attack vector.

Exceptional

  • Remote Code Execution
  • Access to all patient records
  • Access to specific patient record

Critical

  • Impersonation of another user (one user at a time)
  • Using other applications to view patient data
  • Reverse engineering the app in a way that grants access to patients' local data

High

  • Service disruption (e.g. config change)

Medium

  • Compromise of one user, with user interaction required (Reflected XSS)

FAQ

Where can I get credentials for the application?

To log on to the mynexuzhealth website and app, you will need to request one or more logon credentials via the platform. You can request this information via support (support@intigriti.be). You will receive a PDF with all the info you need (like EAD number, password, and login codes). Make sure you copy the correct values over (or type them yourself), as copying from the PDF can sometimes be a bit finicky.
