READ THIS FIRST:
- Configure your scanners:
- ALL TARGETS: Include "bugcrowd" in the user-agent string
- CORPORATE WEBSITE: Populate email fields with your @bugcrowdninja.com address (for more info regarding @bugcrowdninja email addresses, see here: https://researcherdocs.bugcrowd.com/v2.0/docs/your-bugcrowdninja-email-address)
- Scope is limited - READ THE BRIEF BEFORE TESTING
For this program, we are inviting researchers to test our community and customer facing web resources, as well as our Privilege Service. For high level product information, see: https://www.centrify.com/privileged-access-management/
This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings.
Out of scope
Please note: Any domain/property of Centrify Corporation not listed in the targets section is out of scope. This includes any/all domains, subdomains or names not listed in the targets below.
The Centrify Privilege Service is a multi-tenanted cloud service. In order to test, you will need to register for your own tenant. Please use the instructions below to register as a bugcrowd tester. Registration will then give you access to a Bugcrowd cloud instance hosted at pod12.centrify.com.
For this target, the only in-scope hosts are:
- pod12.centrify.com (and any *.my.centrify.com which cnames to the same)
- pod23.centrify.com (and any *.gateway.centrify.com which cnames to the same)
Registering For A Tenant
Visit: https://www.centrify.com/bugcrowd-researcher-registration/ and fill out the form
Please use your @bugcrowdninja.com email address (for more info regarding @bugcrowdninja email addresses, see here: https://researcherdocs.bugcrowd.com/v2.0/docs/your-bugcrowdninja-email-address)
A mail will be sent to your address to verify you have access to it. Using the link in the email will activate your tenant, and another email will be sent with access information for your tenant, including initial administrative credentials.
You can register for additional tenants by repeating these steps. Please restrict the number of tenants created to at most 2 per researcher.
Web Application and REST API
Intra-tenant data visibility - i.e. ability to see restricted information within the current tenant without appropriate based access being granted first in any portion of the product, either through data exposition, or escalation of privilege.
Cross-tenant data visibility - All data stored on behalf of a given tenant should be visible only within that tenant. Please use an additional tenant of your own to test these boundaries.
The /resources, /my and /manage web applications and the underlying REST API surface used by them. Note that API is documented: http://developer.centrify.com
Agents and Installable Clients
There are a number of clients and agents which are in scope and can be downloaded from within the product, these are:
Centrify Agent for Linux - Enables application to application password management
Centrify Agent for Windows - Enables Cloud integrated Multi-Factor Authentication for Windows sign in
Centrify Cloud Connector - Enables connectivity to Active Directory, Application Gateway (reverse web proxy), remote SSH/RDP access, etc
Local Client Launcher - Enables launching SSH/RDP sessions from browser through native applications like Putty
Corporate Web Presence
The corporate web presence of Centrify is the second target of this program. In scope for this program is:
No other *.centrify.com or related hosts, subdomains or sites are in scope.
Registering for an account
- Visit https://www.centrify.com/signup/
- Use an @bugcrowdninja.com email address here
- Use "bugcrowd" for First Name, Last Name and Company Name fields
- You will get an email back from this form and must click the validation link.
- This account will only give you basic permissions. You should not be able to access protected functions/content of the Customer Support Portal and the Partner Portal.
- Use an @bugcrowdninja.com email address
- Use "bugcrowd" for First Name, Last Name and Company Name fields
- Don't expect the forms to actually email you. We are preventing *@bugcrowdninja.com from entering the normal lead flow.
Also, when using automated tools that post to forms:
- Please identify yourself in your testing and be ready to shut down the tool if notified.
- Please be aware of what email address will be attempted. If the tool will attempt to use valid looking email addresses please consult the SPAM blacklist
Current SPAM blacklist on email address field:
This SPAM list has proven effective so far against Acunetix and NetSparker and others. But, we will happily add a few specific email addresses or domains to accommodate your tool if you give us advance warning.
In short, be sure that if you test forms with automation, that you follow the above.
- Site vulnerabilities exploitable in current browsers
- User authentication
- Privilege escalation at centrify.force.com/support, centrify.force.com/partners - use of this domain for testing for escalation only please
- Privilege escalation at partners.centrify.com - use of this domain for testing for escalation only please
Out of Scope and Exclusions
Generally Out of Scope
Mobile apps and browser extensions associated with Centrify services are currently out of scope for this bounty.
Please note that the Privilege service targets are heavily dependent on a SQL language abstraction for access to and visibility of data. This is an abstraction only, which does not allow for any write or update. The schema for this abstracted database is available intentionally and is visible in the product for reporting and interaction by end users. Row level access control is used to ensure visibility at read time. We consider SQLi reports which expose the schema or read-only interaction with our interface as out of scope. That said, if you discover injections which allows for changing/updating data we’d love to know!
Any hosts or other external services not explicitly listed in the targets above (i.e. target applications outside the centrify cloud service itself, email hosts/clients). When testing remote access features like SSH/RDP, please target connections at only those resources you own/control.
In some circumstances, customer/tenant configuration can be changed to provide a lower security threshold (i.e. no account lockout, no second factor, etc) - we consider deliberate configuration change followed by attack on that change out of scope.
Disclosure of information that is public or does not present significant risk
Vulnerabilities that we determine to be an acceptable risk
Flaws affecting the users of out-of-date browsers and plugins. Typically will not reward any problems that affect only the users of outdated or un-patched browsers. In particular, we exclude Internet Explorer prior to version 9, Flash, signed Java Applets, etc.
Defacing of any site or resource. Report if you think you can do it and how, but don't actually do it
The following finding types are specifically excluded from the bounty:
- Exposition of Customer ID/Tenant ID - these are not 'secret'
- Username / email enumeration via Login experience
- D/DOS at the network level - though application/functional DOS through crafted arguments should be reported but not continually exploited.