HPE Aruba Networking Product Public Program

  • $300 – $2,500 per vulnerability
  • Up to $5,000 maximum reward
  • Safe harbor

Program stats

  • Vulnerabilities rewarded: 204
  • Validation within 10 days: 75% of submissions are accepted or rejected within 10 days
  • Average payout: $1,260 within the last 3 months

HPE Aruba Networking invites you to test and help secure our Aruba Central, Aruba Instant, Aruba InstantOn, Aruba ClearPass Policy Manager, ArubaOS-CX, Aruba AirWave, and Aruba User Experience Insight Sensors. We appreciate your efforts and hard work in helping to make the users of our products more secure, and we look forward to working with the researcher community to create a meaningful and successful bug bounty program. HPE employees are ineligible for bounties. Good luck and happy hunting!

Ratings/Rewards:

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood, impact, or underlying risk to HPE Aruba Networking. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher, along with the opportunity to appeal and make a case for a higher priority.


Disclosure

At the current time, HPE Aruba Networking has chosen not to participate in Bugcrowd's coordinated disclosure program. However, we do support disclosure from our programs based upon the following guideline:

HPE Aruba Networking handles and discloses vulnerabilities in accordance with ISO/IEC 30111.

Public disclosure of vulnerabilities will generally take place only after permanent fixes are available. Where the vulnerability occurs in multiple branches of software, or in multiple software products, HPE Aruba Networking will publish advisories once the last branch or product is updated and released. However, if HPE Aruba Networking learns that information about an unpublished vulnerability is being communicated externally, a vulnerability advisory will be published immediately along with details of any possible workaround or defense. In the case of vulnerabilities in open-source software that are being publicly discussed, HPE Aruba Networking will immediately issue a security advisory once it has been determined that the vulnerability affects an HPE Aruba Networking product.

The initial vulnerability advisory will consist of general information about the vulnerability, workarounds, and steps to resolve the vulnerability. The public advisory is the only information that HPE Aruba Networking will provide to anyone for the first 60 days. After 60 days HPE Aruba Networking may, at its sole discretion, make public full details about the vulnerability. Security researchers who wish to publicize HPE Aruba Networking vulnerability details (e.g. in a blog or at a conference) are asked to wait for the same 60-day period after an advisory has been published. As a courtesy, we request you inform HPE Aruba Networking that such presentation will be given.

Disclosure is not selective under any circumstances. It is HPE Aruba Networking’s policy to notify all customers of vulnerabilities at the same time. No HPE Aruba Networking customer, partner, or third party is given advance notification or additional details of a vulnerability. HPE Aruba Networking’s OEM partners are generally notified three days in advance of public disclosure to allow their respective security response teams to prepare for notification of their own customers. HPE Aruba Networking’s OEM partners have agreed contractually to coordinate vulnerability notifications with HPE Aruba Networking so that all end users are alerted at the same time. HPE Aruba Networking’s customer-facing employees (TAC, SE, etc.) are provided a copy of the advisory approximately 18 hours before public disclosure, but are prohibited from sharing that information until it is officially released. OEM partners and customer-facing employees are only given a copy of the public advisory; they are not provided with full details of a vulnerability.


Bonus Rewards

At HPE Aruba Networking's discretion, we are willing to pay up to $5,000 for unauthenticated vulnerabilities in ArubaOS or Aruba Instant that we consider to be highly critical in nature. For those of you with access to APs, we are especially interested in vulnerabilities where an unprivileged user connected to our (properly configured) network infrastructure can exploit the system.

Examples:

  • Wi-Fi authentication bypass
  • Wi-Fi leaking encryption keys
  • Bypassing or subverting firewall rules
  • Impersonation of other users on a WPA2-protected Wi-Fi network
  • Captive portal bypass
  • Compromise of a network administrator using Wi-Fi frames
  • Injection of malicious traffic in a WPA2 802.1X transaction that successfully compromises ClearPass through the RADIUS protocol

Note that attempting to exploit many of these flaws will require you to be in possession of HPE Aruba Networking APs at a minimum. We unfortunately do not have a hardware budget at this time, but we will be happy to provide software for any hardware in your possession if you reach out to us.

Scope and rewards

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please submit through the Bugcrowd Support Portal. We will address your issue as soon as possible.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.