Akeyless

  • $100 – $7,000 per vulnerability
  • Solo-Only

Program stats

  • Vulnerabilities rewarded 30
  • Validation within about 20 hours (75% of submissions are accepted or rejected within about 20 hours)
  • Average payout $500 within the last 3 months

Akeyless provides an innovative Secrets Orchestration Platform that unifies several related use cases in a single solution. It offers secrets management, zero-trust access (PAM 2.0) and data protection (encryption, signing and KMS), based on Akeyless DFC™, the firm's unique FIPS-certified virtual HSM technology.

For this program, we're inviting researchers to test Akeyless's web applications and services, with a focus on identifying security weaknesses that might lead to the compromise of our customer data (mainly, job Akeylessers profiles and resumes).

Thank you for participating!

A Few Important Requirements for Akeyless:

  • Denial of Service, Rate Limiting, and other automated attacks are not allowed. Please do NOT use automated tooling when conducting testing on Akeyless assets.
  • All testing must be conducted using your @bugcrowdninja.com email ID only. If you fail to use your @bugcrowdninja.com email ID, you run the risk of getting blocked from accessing Akeyless applications.

Ratings/Rewards:

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

To maximize your reward and payout time frame, please make sure to include the following in your report:

  • An attack scenario: What is the most likely way an attacker could abuse this vulnerability?
  • Clear reproduction steps: If we can't easily replicate what you are describing, we may not consider the issue as serious.
  • Recommended fix: If you have any good ideas on ways to mitigate the risk without impacting normal users, your submission will have more value.

Target Info:
Domains outside of *.Akeyless.io typically have less impact for Akeyless, and thus may affect the reward amount.
A list of Akeyless' micro-services and a high-level explanation can be found here.

Access:
Please sign up for accounts on https://console.akeyless.io/registration using your @bugcrowdninja.com email address. For more info regarding @bugcrowdninja email addresses, see here.

Focus Areas:
We are most interested in critical vulnerabilities that allow access to customer PII data.
Exclusions:

  • Cookie flags, i.e. Secure, HttpOnly.
  • Volume-related issues, i.e. brute force, rate limiting, denial of service.
  • Social engineering of any kind against Akeyless employees or its users.
  • Email configuration, i.e. SPF, DKIM, DMARC.
  • Error pages, i.e. verbose error messages, stack traces, invalid status codes.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email support@bugcrowd.com. We will address your issue as soon as possible.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.