We appreciate your efforts and hard work helping to make the users of our products more secure, and we look forward to working with the researcher community to create a meaningful and successful bug bounty program. Good luck and happy hunting.
Ratings & Rewards:
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood, impact, or underlying risk to Aruba Networks. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher, along with the opportunity to appeal and make a case for a higher priority.
At the current time Aruba has chosen not to participate in Bugcrowd's coordinated disclosure program. However, we do support disclosure from our programs based upon the following guideline:
Aruba handles and discloses vulnerabilities in accordance with ISO/IEC 30111.
Public disclosure of vulnerabilities will generally take place only after permanent fixes are available. Where the vulnerability occurs in multiple branches of software, or in multiple software products, Aruba will publish advisories once the last branch or product is updated and released. However, if Aruba learns that information about an unpublished vulnerability is being communicated externally, a vulnerability advisory will be published immediately along with details of any possible workaround or defense. In the case of vulnerabilities in open-source software that are being publicly discussed, Aruba will immediately issue a security advisory once it has been determined that the vulnerability affects an Aruba product.
The initial vulnerability advisory will consist of general information about the vulnerability, workarounds, and steps to resolve the vulnerability. The public advisory is the only information that Aruba will provide to anyone for the first 60 days. After 60 days Aruba may, at its sole discretion, make public full details about the vulnerability. Security researchers who wish to publicize Aruba vulnerability details (e.g. in a blog or at a conference) are asked to wait for the same 60-day period after an advisory has been published. As a courtesy, we request you inform Aruba that such presentation will be given.
Disclosure is not selective under any circumstances. It is Aruba's policy to notify all customers of vulnerabilities at the same time. No Aruba customer, partner, or third party is given advance notification or additional details of a vulnerability. Aruba's OEM partners are generally notified three days in advance of public disclosure to allow their respective security response teams to prepare for notification of their own customers. Aruba's OEM partners have agreed contractually to coordinate vulnerability notifications with Aruba so that all end users are alerted at the same time. Aruba's customer-facing employees (TAC, SE, etc.) are provided a copy of the advisory approximately 18 hours before public disclosure, but are prohibited from sharing that information until it is officially released. OEM partners and customer-facing employees are only given a copy of the public advisory; they are not provided with full details of a vulnerability.
At Aruba Networks' discretion, we are willing to pay up to $5,000 for unauthenticated vulnerabilities in ArubaOS or Aruba Instant that we consider to be highly critical in nature. For those of you with access to APs, we are especially interested in vulnerabilities where an unprivileged user connected to our (properly configured) network infrastructure can exploit the system. Examples include:
- Wi-Fi authentication bypass
- Wi-Fi leaking encryption keys
- Bypassing or subverting firewall rules
- Impersonation of other users on a WPA2-protected Wi-Fi network
- Captive portal bypass
- Compromise of a network administrator using Wi-Fi frames
- Injection of malicious traffic in a WPA2 802.1X transaction that successfully compromises ClearPass through the RADIUS protocol
Notice that attempting to exploit many of these flaws will require you to be in possession of Aruba APs at a minimum. We unfortunately do not have a hardware budget at this time, but we will be happy to provide software for any hardware in your possession if you reach out to us.
Scope and rewards
This program follows Bugcrowd’s standard disclosure terms.
For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email email@example.com. We will address your issue as soon as possible.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.