• $100 – $25,000 per vulnerability
  • Safe harbor
  • Managed by Bugcrowd

Program stats

134 vulnerabilities rewarded

Validation within 16 days
75% of submissions are accepted or rejected within 16 days

$513.63 average payout (last 3 months)



Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

We believe that community researcher participation and building a secure foundation play an integral role in protecting our customers and their data. We appreciate all security submissions and strive to respond in an expedient manner.

Okta is a cloud-based identity service that connects people to their applications from any device, anywhere, anytime. The Okta Identity Cloud provides directory services, single sign-on, strong authentication, provisioning, mobile device management and API access management. It comes with built-in reporting, and integrates deeply with cloud, mobile and on-premises applications, directories and identity management systems.


In scope

Target name | Type | Tags
bugcrowd-%username%-1.oktapreview.com | Website Testing | Backbone, nginx
bugcrowd-%username%-2.oktapreview.com | Website Testing | Backbone, nginx
Okta Mobile MDM (iOS) | iOS | Mobile Application Testing, iOS, Objective-C, Swift, SwiftUI
Okta Mobile MDM (Android) | Android | Mobile Application Testing, Android, Java, Kotlin
Okta Browser Plugin (IE / Firefox / Chrome) | Other |
Okta Verify (iOS) | iOS | Mobile Application Testing, iOS, Objective-C, Swift, SwiftUI
Okta Verify (Android) | Android | Mobile Application Testing, Android, Java, Kotlin
Okta Agent Linux | Other |
Okta Agent Windows | Other |

Account Creation


  • In order to participate in Okta’s bug bounty program you are required to have a Bugcrowd account
  • Visit the Okta Bugbounty Signup and enter your Bugcrowd ID (username)
  • Two accounts will be created as follows: https://bugcrowd-username-1.oktapreview.com and https://bugcrowd-username-2.oktapreview.com
  • Two emails will be sent to your registered Bugcrowd address

Please note that if you previously had an Okta account via the private program, your old account will still work (and consequently, you may not get an email for a new account). As such, you can simply use your old/existing subdomain, credentials, etc. Please check your mail history for this information before messaging support@bugcrowd.com.

Security Tester - ToDo

  • Change the email address associated with the provided users so that you can handle your own password resets
  • Create at least 2 other Admins in each org for resetting locked accounts and handling account problems
  • Follow the steps to set up and enforce MFA on each login under "Required MFA Configuration"

Focus Areas

  • Okta Expression Language
  • LDAP as a Service
  • Authentication protocol vulnerabilities (e.g. SAML, OAuth & OIDC, Social Auth)
  • XXE within the massive amount of XML data we accept
  • Okta Browser Plugin (IE / Firefox / Chrome)
  • Cross-Org Access / Multi-Tenancy vulnerabilities
  • Privilege escalation (horizontal / vertical)
  • All on-premise Agents (e.g. LDAP / AD / OPP / Radius / RSA)
  • Okta Mobile (iOS / Android)
  • Okta Verify (iOS / Android)
  • XSS and other Top 10 issues such as Open Redirection and CSRF on sensitive page actions

Bug Payout Illustrative Examples

Example vulnerability type | Previous reward | Updated reward (as of 9/28)
Full RCE [Obtain a shell back from our network] | $15k | $25k
Full Privilege Escalation from one Okta Org to another Okta Org | $10k | $15k
Full Privilege Escalation within the same Okta Org | $5k | $10k
XXE Local file read [Read and exfiltrate data OOB] | $5k | $10k
Working SQL Injection | $5k | $10k
Okta SAML or OAuth implementation bugs | $5k | $10k
Full MFA Bypass * | N/A | $15k
Browser Plugin Compromise ** | $1.5k | $15k
Working XSS (affecting multiple users) | $1k | $2k
Mobile App Critical Vulnerability *** | $1k | $15k
Admin Cross-Site Request Forgery (CSRF) | $1k | $2k
Full Server-Side Request Forgery (SSRF) | $1k | $2k
User Cross-Site Request Forgery (CSRF) | $500 | $1k
Open Redirection | $500 | $1k
Critical Information Disclosure | $500 | $1k
XSS affecting only the current user (Self-XSS) | $100 | $100
Blind Server-Side Request Forgery (SSRF) | $100 | $100
Forced Browsing / Insecure Direct Object References / URL Jumping | $100 | $100
Business Logic issue (write / manipulate) | $100 | $100
Other Security Issues | $100 | $100

"*" See the MFA Bypass section at the bottom of the page

"**" See the Browser Plugin Compromise section at the bottom of the page

"***" See the Mobile App Critical Vulnerability section at the bottom of the page

The above outlines the reward guidelines for specific classes of vulnerabilities on in-scope properties (see the section on Scope). Keep in mind that no two bugs are created equal: these payouts define general guidelines and the level of importance of each vulnerability class. The Okta Security team will determine the nature and impact of each bug to identify the appropriate payout around these guidelines.

Report Criteria

  • Business Impact (how does this affect Okta?)
  • Quality of report
    • Steps to reproduce
    • Working proof of concept
  • Discoverability (how likely is this to be discovered)
  • Exploitability (how likely is this to be exploited)

In-Scope / Out-of-Scope

Note: Anything not explicitly defined In-Scope is by default Out-of-Scope

In-Scope Items

  • bugcrowd-%username%-1.oktapreview.com
  • bugcrowd-%username%-2.oktapreview.com

Out-of-Scope Items

  • *.okta.com
  • *.trexcloud.com
  • support.okta.com
  • pages.okta.com
  • developer.okta.com
  • trust.okta.com
  • www.okta.com static site
  • Backend Okta non-app infrastructure
  • Network layer issues
  • Anything not explicitly called out above as in-scope


  • No automated scanning
  • No DoS: Amazon prohibits this activity, and the testing cluster is not scaled for these attacks
  • Limit AD / LDAP imports to 1000 users & groups
  • Do NOT contact Okta support or helpdesk for bug bounty related concerns; please contact Bugcrowd support

The following finding types are specifically excluded from the bounty:

  • HTTP 404 codes/pages or other HTTP non-200 codes/pages.
  • Fingerprinting / banner disclosure on common/public services.
  • Disclosure of known public files or directories (e.g. robots.txt).
  • Clickjacking and issues only exploitable through clickjacking.
  • CSRF on forms that are available to anonymous users (e.g. login or contact form).
  • Logout / Login Cross-Site Request Forgery (logout CSRF).
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
  • Lack of Security Speedbump when leaving the site.
  • No Captcha / Weak Captcha / Captcha Bypass
  • Login or Forgot Password page brute force and account lockout not enforced
  • HTTP method enabled
  • WebServer Type disclosures
  • Social engineering of our service desk, employees or contractors
  • Physical attacks against Okta's offices and data centers
  • Error messages with non-sensitive data
  • Non-application layer Denial of Service or DDoS
  • Lack of HTTP Only / SECURE flag for cookies
  • Username / email enumeration
    • via Login Page error message
    • via Forgot Password error message
  • Missing HTTP security headers, specifically (https://www.owasp.org/index.php/List_of_useful_HTTP_headers), e.g.
    • Strict-Transport-Security
    • X-Frame-Options
    • X-XSS-Protection
    • X-Content-Type-Options
    • Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
    • Content-Security-Policy-Report-Only
  • SPF / DMARC / DKIM Mail and Domain findings
  • Email Rate Limiting or Spamming
  • DNSSEC Findings
  • CSV Issues
  • AV Scanning
  • SSL Issues, e.g.
    • SSL Attacks such as BEAST, BREACH, Renegotiation attack
    • SSL Forward secrecy not enabled
    • SSL weak / insecure cipher suites
  • Cookie Issues
    • SECURE
    • multiple cookie setting
    • Anything to do with JSESSIONID
  • Service Rate Limiting
  • User or Org enumeration
  • Security Image Issues
  • Business Logic READ Issues
    • e.g. any Admin can see another Admin's users, devices, or download reports
    • e.g. Read-Only Admin can see logs or other details
    • e.g. Mobile Admin can see Super User details

Reference Information

Okta Public API References
Okta Configuration & Support Site
AD Agent
Radius Agent
LDAP Agent Installation
LDAP as a Service
Desktop SSO / IWA
Browser Plugin
OAuth & OIDC
OAuth Overview
Social Auth

Please check current Release Notes to see what's new. New code is released weekly.

Chaining Bugs

Chaining of bugs is not frowned upon in any way; we love to see clever exploit chains! However, if you have managed to compromise an Okta-owned server, we do not allow escalations such as port scanning internal networks, privilege escalation attempts, attempting to pivot to other systems, etc. If you gain this level of access to a server, please report it to us and we will reward you with an appropriate bounty, taking into full consideration the severity of what could be done. Chaining a CSRF vulnerability with a self XSS? Nice! Using an AWS access key to dump sensitive info? Not cool.

Unsure of a vuln?

We base all payouts on impact. When in doubt, the question always comes down to impact (i.e. what can actually be done with the vulnerability and what the consequence is to Okta). If you can demonstrate why a finding has significant impact, then please submit.

As an example: let's say you can, as a limited admin, see logs that are not in your user role. What is the impact? If this allows you to compromise something else, then please detail the full exploit chain and report it. However, if the only impact is reading logs, then there is no need to report it, as it would fall under Business Logic READ issues.

Additional Details

Similar Bugs

Bugs of similar nature or root cause reported by the same person may be combined into one item, thus constituting only a single award.

Required MFA Configuration

All orgs are created with a minimal configuration, and it is the customer's responsibility (yours) to configure the environment to enforce MFA enrollment AND validation.

First, require MFA enrollment:

Security -> Multifactor -> Factor Enrollment

Second, set a factor to be required for all logins (e.g. Security Questions or Okta Verify):

Security -> Authentication -> Sign On : Default Policy (or whichever policy is in the #1 position and assigned to everyone)

  • Add Rule
  • Set to anywhere / all the time
  • CHECK Prompt for Factor
  • Select Every Time

The manual configuration above is required to fully enable MFA validation for users and admins within your Okta org.

Full MFA Bypass

  • The above "Required MFA Configuration" must be applied
  • If applications are the target, MFA must be required per-app with no exceptions
  • MFA Bypass includes mechanisms to avoid, remove, or compromise MFA server-side for a customer
  • Examples of unacceptable submissions include turning off MFA, changing MFA as the admin, changing MFA policies as the admin, and bypassing local-only checks

Browser Plugin Compromise

  • Critical browser plugin vulnerabilities include a compromise of the entire plugin on any supported platform. Accepted, but not critical, issues include single-site regex confusion, inappropriate interaction with the plugin from the target DOM, and API vulnerabilities in usage or implementation for the OS/browser.
  • Examples of unacceptable submissions include directly modifying the plugin on the host, creating a fake plugin, and theoretical issues that cannot be reproduced.

Mobile App Critical Vulnerability

  • Critical mobile application vulnerabilities include a compromise of the mobile application from the network, from other apps on the device, through 3rd party library vulnerabilities, or via accessible APIs.
  • Examples of unacceptable submissions include enhancement recommendations, issues that are only exploitable on jailbroken / rooted devices and do not work on unmodified equipment, and reports related to hooking, wrapping, or replacing the application.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

In addition to the above standard disclosure terms, by participating in this program, you're agreeing to abide by Okta's Vulnerability Disclosure Policy and Supplemental Terms.

This bounty requires explicit permission to disclose the results of a submission.