• $100 – $3,000 per vulnerability
  • Partial safe harbor
  • Managed by Bugcrowd

Program stats

206 vulnerabilities rewarded

Validation within about 18 hours
75% of submissions are accepted or rejected within about 18 hours

$477.27 average payout (last 3 months)

Latest hall of famers

Recently joined this program

1107 total


Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.


- Configure your scanners:


For this program, we are inviting researchers to test our community and customer facing web resources, as well as our Privilege Service. For high level product information, see: https://www.centrify.com/privileged-access-management/

This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings.


In scope

Target name Type Tags
account.io.centrify.com Website Testing
  • Website Testing
pod23.centrify.com Website Testing
  • Website Testing
account-api.io.centrify.com API Testing
  • API Testing
pod12.centrify.com Website Testing
  • Website Testing
www.centrify.com Website Testing
  • Website Testing
  • Bootstrap
  • Drupal
  • jQuery
  • Lodash
  • MariaDB
  • nginx
  • Varnish
  • PHP
  • Cloudflare CDN
  • Newrelic
Centrify Privilege Service Portal Website Testing
  • Website Testing
Centrify Service API API Testing
  • API Testing
  • HTTP
Centrify Agent for Windows Other
Centrify Cloud Connector Other
Local Client Launcher Other

Out of scope

Target name Type
Centrify iOS App iOS
Centrify Android App Android
Centrify Browser Extension Other

Please note: Any domain/property of Centrify Corporation not listed in the targets section is out of scope. This includes any/all domains, subdomains or names not listed in the targets below.

Privilege Service

The Centrify Privilege Service is a multi-tenanted cloud service. In order to test, you will need to register for your own tenant. Please use the instructions below to register as a bugcrowd tester. Registration will then give you access to a Bugcrowd cloud instance hosted at pod12.centrify.com.

For this target, the only in-scope hosts are:

  • pod12.centrify.com (and any *.my.centrify.com which cnames to the same)
  • pod23.centrify.com (and any *.gateway.centrify.com which cnames to the same)

Registering For A Tenant

Focus Areas

Web Application and REST API

  • Intra-tenant data visibility - i.e. ability to see restricted information within the current tenant without appropriate based access being granted first in any portion of the product, either through data exposition, or escalation of privilege.

  • Cross-tenant data visibility - All data stored on behalf of a given tenant should be visible only within that tenant. Please use an additional tenant of your own to test these boundaries.

  • The /resources, /my and /manage web applications and the underlying REST API surface used by them. Note that API is documented: http://developer.centrify.com

Agents and Installable Clients

There are a number of clients and agents which are in scope and can be downloaded from within the product, these are:

  • Centrify Agent for Linux - Enables application to application password management

  • Centrify Agent for Windows - Enables Cloud integrated Multi-Factor Authentication for Windows sign in

  • Centrify Cloud Connector - Enables connectivity to Active Directory, Application Gateway (reverse web proxy), remote SSH/RDP access, etc

  • Local Client Launcher - Enables launching SSH/RDP sessions from browser through native applications like Putty

Corporate Web Presence

The corporate web presence of Centrify is the second target of this program. In scope for this program is:

  • www.centrify.com

No other *.centrify.com or related hosts, subdomains or sites are in scope.

Registering for an account

  • Visit https://www.centrify.com/signup/
  • Use an @bugcrowdninja.com email address here
  • Use "bugcrowd" for First Name, Last Name and Company Name fields
  • You will get an email back from this form and must click the validation link.
  • This account will only give you basic permissions. You should not be able to access protected functions/content of the Customer Support Portal and the Partner Portal.

Posting Forms

  • Use an @bugcrowdninja.com email address
  • Use "bugcrowd" for First Name, Last Name and Company Name fields
  • Don't expect the forms to actually email you. We are preventing *@bugcrowdninja.com from entering the normal lead flow.

Also, when using automated tools that post to forms:

  • Please identify yourself in your testing and be ready to shut down the tool if notified.
  • Please be aware of what email address will be attempted. If the tool will attempt to use valid looking email addresses please consult the SPAM blacklist

Current SPAM blacklist on email address field:

  • acunetix_wvs_security_test
  • @bugcrowdninja.com
  • @email.tst
  • @example.com
  • @tinfoil-fake-site.com
  • @xample.com

This SPAM list has proven effective so far against Acunetix and NetSparker and others. But, we will happily add a few specific email addresses or domains to accommodate your tool if you give us advance warning.

In short, be sure that if you test forms with automation, that you follow the above.

Focus Areas

  • Site vulnerabilities exploitable in current browsers
  • User authentication
  • Privilege escalation at centrify.force.com/support, centrify.force.com/partners - use of this domain for testing for escalation only please
  • Privilege escalation at partners.centrify.com - use of this domain for testing for escalation only please

Out of Scope and Exclusions

Generally Out of Scope

  • Mobile apps and browser extensions associated with Centrify services are currently out of scope for this bounty.

  • Please note that the Privilege service targets are heavily dependent on a SQL language abstraction for access to and visibility of data. This is an abstraction only, which does not allow for any write or update. The schema for this abstracted database is available intentionally and is visible in the product for reporting and interaction by end users. Row level access control is used to ensure visibility at read time. We consider SQLi reports which expose the schema or read-only interaction with our interface as out of scope. That said, if you discover injections which allows for changing/updating data we’d love to know!

  • Any hosts or other external services not explicitly listed in the targets above (i.e. target applications outside the centrify cloud service itself, email hosts/clients). When testing remote access features like SSH/RDP, please target connections at only those resources you own/control.

  • In some circumstances, customer/tenant configuration can be changed to provide a lower security threshold (i.e. no account lockout, no second factor, etc) - we consider deliberate configuration change followed by attack on that change out of scope.

  • Disclosure of information that is public or does not present significant risk

  • Vulnerabilities that we determine to be an acceptable risk

  • Flaws affecting the users of out-of-date browsers and plugins. Typically will not reward any problems that affect only the users of outdated or un-patched browsers. In particular, we exclude Internet Explorer prior to version 9, Flash, signed Java Applets, etc.

  • Defacing of any site or resource. Report if you think you can do it and how, but don't actually do it

General Exclusions

The following finding types are specifically excluded from the bounty:

  • Exposition of Customer ID/Tenant ID - these are not 'secret'
  • Username / email enumeration via Login experience
  • D/DOS at the network level - though application/functional DOS through crafted arguments should be reported but not continually exploited.


Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.