Please note: Any domain/property of Centrify Corporation not listed in the targets section is out of scope. This includes any/all domains, subdomains or names not listed in the targets below.

Identity Service and Privilege Service

The Centrify Identity Service and Centrify Privilege Service are built on a common Cloud Identity Platform. This platform is a multi-tenanted cloud service. In order to test, you will need to register for your own tenant. Please use the instructions below to register as a bugcrowd tester. Registration will then give you access to a Bugcrowd cloud instance hosted at pod12.centrify.com.

For this target, the only in-scope hosts are:

• pod12.centrify.com (and any *.my.centrify.com which cnames to the same)
• pod23.centrify.com (and any *.gateway.centrify.com which cnames to the same)

Registering For A Tenant

• Visit: https://www.centrify.com/free-trial/identity-service-for-bugcrowd-researchers and fill out the form

• Please use "bugcrowd" for first and last name

• Please use your @bugcrowdninja.com email address (for more info regarding @bugcrowdninja email addresses, see here: https://researcherdocs.bugcrowd.com/v2.0/docs/your-bugcrowdninja-email-address)

• A mail will be sent to your address to verify you have access to it. Using the link in the email will activate your tenant, and another email will be sent with access information for your tenant, including initial administrative credentials.

• You can register for additional tenants by repeating these steps. Please restrict the number of tenants created to at most 2 per researcher.

Focus Areas

Web Application and REST API

• Intra-tenant data visibility - i.e. ability to see restricted information within the current tenant without appropriate based access being granted first in any portion of the product, either through data exposition, or escalation of privilege.

• Cross-tenant data visibility - All data stored on behalf of a given tenant should be visible only within that tenant. Please use an additional tenant of your own to test these boundaries.

• The /resources, /my and /manage web applications and the underlying REST API surface used by them. Note that API is documented: http://developer.centrify.com

Agents and Installable Clients

There are a number of clients and agents which are in scope and can be downloaded from within the product, these are:

• Mobile applications from Google Play and iTunes App stores - we encourage that these be downloaded and used to test the Mobile SSO, Privilege and MDM features our services provide.

• Centrify Agent for Linux - Enables application to application password management

• Centrify Browser Extension - Enables web application SSO for legacy and non-standards compliant web applications

• Centrify Agent for Windows - Enables Cloud integrated Multi-Factor Authentication for Windows sign in

• Centrify Cloud Connector - Enables connectivity to Active Directory, Application Gateway (reverse web proxy), remote SSH/RDP access, etc

• Local Client Launcher - Enables launching SSH/RDP sessions from browser through native applications like Putty

Corporate Web Presence

The corporate web presence of Centrify is the second target of this program. In scope for this program is:

• www.centrify.com

No other *.centrify.com or related hosts, subdomains or sites are in scope.

Registering for an account

• Visit https://www.centrify.com/signup/
• Use an @bugcrowdninja.com email address here
• Use "bugcrowd" for First Name, Last Name and Company Name fields
• You will get an email back from this form and must click the validation link.
• This account will only give you basic permissions. You should not be able to access protected functions/content of the Customer Support Portal and the Partner Portal.

Posting Forms

• Use an @bugcrowdninja.com email address
• Use "bugcrowd" for First Name, Last Name and Company Name fields
• Don't expect the forms to actually email you. We are preventing *@bugcrowdninja.com from entering the normal lead flow.

Also, when using automated tools that post to forms:

• Please identify yourself in your testing and be ready to shut down the tool if notified.
• Please be aware of what email address will be attempted. If the tool will attempt to use valid looking email addresses please consult the SPAM blacklist

Current SPAM blacklist on email address field:

• acunetix_wvs_security_test
• @bugcrowdninja.com
• @email.tst
• @example.com
• @tinfoil-fake-site.com
• @xample.com

This SPAM list has proven effective so far against Acunetix and NetSparker and others. But, we will happily add a few specific email addresses or domains to accommodate your tool if you give us advance warning.

In short, be sure that if you test forms with automation, that you follow the above.

Focus Areas

• Site vulnerabilities exploitable in current browsers
• User authentication
• Privilege escalation at centrify.force.com/support, centrify.force.com/partners - use of this domain for testing for escalation only please
• Privilege escalation at partners.centrify.com - use of this domain for testing for escalation only please

Out of Scope and Exclusions

Generally Out of Scope

• Please note that the Identity and Privilege service targets are heavily dependent on a SQL language abstraction for access to and visibility of data. This is an abstraction only, which does not allow for any write or update. The schema for this abstracted database is available intentionally and is visible in the product for reporting and interaction by end users. Row level access control is used to ensure visibility at read time. We consider SQLi reports which expose the schema or read-only interaction with our interface as out of scope. That said, if you discover injections which allows for changing/updating data we’d love to know!

• Any hosts or other external services not explicitly listed in the targets above (i.e. target applications outside the centrify cloud service itself, email hosts/clients). When testing remote access features like SSH/RDP, please target connections at only those resources you own/control.

• In some circumstances, customer/tenant configuration can be changed to provide a lower security threshold (i.e. no account lockout, no second factor, etc) - we consider deliberate configuration change followed by attack on that change out of scope.

• Disclosure of information that is public or does not present significant risk

• Vulnerabilities that we determine to be an acceptable risk

• Flaws affecting the users of out-of-date browsers and plugins. Typically will not reward any problems that affect only the users of outdated or un-patched browsers. In particular, we exclude Internet Explorer prior to version 9, Flash, signed Java Applets, etc.

• Defacing of any site or resource. Report if you think you can do it and how, but don't actually do it

Out of scope for mobile apps:

• Lack of exploit mitigation or anti-debugging controls
• Path disclosure in the binary
• Data stored within the sandbox filesystem or app private locations
• Runtime hacking exploits only possible in a jailbroken environment

General Exclusions

The following finding types are specifically excluded from the bounty:

• Exposition of Customer ID/Tenant ID - these are not 'secret'
• Username / email enumeration via Login experience
• D/DOS at the network level - though application/functional DOS through crafted arguments should be reported but not continually exploited.

Rewards

Category	Services Platform or Inter-Tenant	Intra-Tenant	Corporate Websites
P1	$3,000	$1,500	$1,500
P2	$1,800	$900	$900
P3	$500	$300	$300
P4	$200	$100	$100