Program stats

63 vulnerabilities rewarded

Validation within 5 days
75% of submissions are accepted or rejected within 5 days

$430 average payout (last 3 months)

Latest hall of famers

Recently joined this program

174 total


Cylance encourages researchers to follow responsible disclosure procedures when reporting security issues in our products, services, websites, or infrastructure. Cylance is committed to engaging with the research community in a positive, professional, mutually beneficial manner that protects our customers. Submissions will be reviewed within 30 days.

Access to Systems and Products

*Please do not contact any Cylance support portal ( for test accounts or any other matter. We do not issue test accounts. Please use Bugcrowd platform as your primary communication channel with Cylance.
*Cylance will not issue copies of products or software for the purposes of testing.


Out of scope


Cylance will reward reports according to their severity on a case-by-case basis as determined by our security team. We may pay more for unique, hard-to-find bugs; we may also pay less for bugs with complex prerequisites that lower risk of exploitation. Please note that all amounts are up to the payment range (for example - P1 = Up to $1000).


To qualify for a reward under this program, you must:

  • Be the first to discover a specific vulnerability.
  • The vulnerability exists in current supported versions of our products.
  • Provide verifiable proof the vulnerability exists. Send screen shot and a clear text description of the report along with steps to reproduce the vulnerability. Include attachments such as proof of concept code as necessary.
  • Disclose the vulnerability report responsibly to us. Public disclosure or disclosure to other third parties - including vulnerability brokers - before we addressed your report forfeit the reward.
  • Demonstrate care in reproducing the vulnerability. In particular, test only on accounts you own and do not impact the Cylance supporting services and infrastructure.
  • Cylance employees are ineligible from participating in external program.

Note: posting details or communications about this report before it has been approved for disclosure or posting details that reflect badly on this program and the Cylance brand will result in forfeiture of any award and/or immediate removal from the program.

Non-qualifying Vulnerabilities and Exclusions

  • Vulnerabilities released published that are less than 72 hours old
  • Social engineering attempts on Cylance personnel or our customers including phishing emails
  • Vulnerabilities based upon social engineering or misleading customers including phishing
  • Physical security attempts against Cylance property or Data Centers
  • Denial of Service attacks
  • Attempts to access our offices or data centers
  • Vulnerabilities in a vendor we integrate with or 3rd party software used in our products.
  • Use of automated tools that could generate significant traffic and possibly impair the functioning of our products
  • Acquisitions within 6 months of public notice
  • Vulnerabilities in obsolete (EOLed) versions of our products
  • Missing additional security controls, such as HSTS or CSP headers.
  • Login/Logout CSRF.
  • Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept)
  • Cookie flags (for non-sensitive cookies).
  • Brute-force / Rate-limiting / Velocity throttling.
  • Vulnerabilities only affecting users of outdated or un-patched browsers and platforms.
  • Denial-of-service attacks.
  • Content spoofing / text injection.
  • Presence of autocomplete attribute on web forms.
  • ClickJacking / TabNabbing attacks
  • E-Mail spoofing
  • XSS Errors
  • Web content in our robots.txt file.
  • Findings within /_hcms/protected/auth
  • Banner Exposure / Version Disclosure
  • Full Path Disclosure
  • Please note and is strictly OUT OF SCOPE.


  • Cylance reserves the right to cancel or modify this program at any time. All engagements will be honored to the conditions in existence at the time of verification of the issue.
  • If you’re a minor, on a sanctions list, or live in a country that’s on a sanctions list, we cannot give you a reward.
  • Keep in mind that your citizenship and residency may affect whether you owe taxes on any reward you receive, and you alone are responsible for paying those taxes.
  • Rewards may be reduced or declined if there is evidence of abuse, such as data exfiltration or withholding reports in order to chain multiple issues together.
  • And the ultimate decision over an award --whether to give one and in what amount-- is a decision that lies entirely within Cylance discretion.


This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

This bounty requires explicit permission to disclose the results of a submission.