We believe that community researcher participation and building a secure foundation play an integral role in protecting our customers and their data. We appreciate all security submissions and strive to respond in an expedient manner.
Okta is a cloud-based identity service that connects people to their applications from any device, anywhere, anytime. The Okta Identity Cloud provides directory services, single sign-on, strong authentication, provisioning, mobile device management and API access management. It comes with built-in reporting, and integrates deeply with cloud, mobile and on-premises applications, directories and identity management systems.
- In order to participate in Okta’s bug bounty program you are required to have a Bugcrowd account
- Visit the Okta Bugbounty Signup and enter your Bugcrowd ID (username)
- Two accounts will be created for you, as follows: https://bugcrowd-username-1.oktapreview.com and https://bugcrowd-username-2.oktapreview.com
- Two emails will be sent to your registered Bugcrowd address
- Note: if you previously had an Okta account via the private program, your old account will still work (and consequently you may not get an email for a new account). You can simply use your existing subdomain/credentials; please check your mail history for this information before messaging email@example.com
Security Tester - ToDo
- Change the email address associated with the provided users so that you can handle your own password resets
- Create at least 2 other admins in each org for resetting locked accounts and handling account problems.
- Follow the steps to setup and enforce MFA on each Login under "Required MFA Configuration"
- Okta Expression Language
- LDAP as a Service
- Authentication protocol vulnerabilities (e.g. SAML, OAuth & OIDC, Social Auth)
- XXE within the massive amount of XML data we accept
- Okta Browser Plugin (IE / Firefox / Chrome)
- Cross-org access / multi-tenancy vulnerabilities
- Privilege escalation (horizontal / vertical)
- All on-premise agents (e.g. LDAP / AD / OPP / RADIUS / RSA)
- Okta Mobile (iOS / Android)
- Okta Verify (iOS / Android)
- XSS and other OWASP Top 10 issues, such as open redirection and CSRF on sensitive page actions
Bug Payout Illustrative Examples
| Example vulnerability type | Previous reward | Updated reward (as of 9/28) |
|---|---|---|
| Full RCE (obtain a shell back from our network) | $15k | $25k |
| Full privilege escalation from one Okta org to another Okta org | $10k | $15k |
| Full privilege escalation within the same Okta org | $5k | $10k |
| XXE local file read (read and exfiltrate data out-of-band) | $5k | $10k |
| Working SQL injection | $5k | $10k |
| Okta SAML or OAuth implementation bugs | $5k | $10k |
| Full MFA bypass * | N/A | $15k |
| Browser plugin compromise ** | $1.5k | $15k |
| Working XSS (affecting multiple users) | $1k | $2k |
| Mobile app critical vulnerability *** | $1k | $15k |
| Admin Cross-Site Request Forgery (CSRF) | $1k | $2k |
| Full Server-Side Request Forgery (SSRF) | $1k | $2k |
| User Cross-Site Request Forgery (CSRF) | $500 | $1k |
| Critical information disclosure | $500 | $1k |
| XSS affecting only the current user (self-XSS) | $100 | $100 |
| Blind Server-Side Request Forgery (SSRF) | $100 | $100 |
| Forced browsing / Insecure Direct Object References / URL jumping | $100 | $100 |
| Business logic issue (write / manipulate) | $100 | $100 |
| Other security issues | $100 | $100 |
"*" See the MFA Bypass section at the bottom of the page
"**" See the Browser Plugin Compromise section at the bottom of the page
"***" See the Mobile App Critical Vulnerability section at the bottom of the page
The above outlines the reward guidelines for specific classes of vulnerabilities in in-scope properties (see the section on Scope). Keep in mind that no two bugs are created equal: these payouts define general guidelines and the relative importance of each vulnerability class. The Okta Security team will determine the nature and impact of each bug and set the appropriate payout around these guidelines, taking into account:
- Business impact (how does this affect Okta?)
- Quality of report
- Steps to reproduce
- Working proof of concept
- Discoverability (how likely is this to be discovered?)
- Exploitability (how likely is this to be exploited?)
In-Scope / Out-of-Scope
Note: anything not explicitly defined as in-scope is out-of-scope by default. The following are out of scope:
- www.okta.com static site
- Backend Okta non-app infrastructure
- Network layer issues
- Anything not explicitly called out above as in-scope
Testing rules:
- No automated scanning
- No DoS: Amazon prohibits this activity, and the testing cluster is not scaled for these attacks
- Limit AD / LDAP imports to 1000 users and groups
- Do NOT contact Okta support or the helpdesk for bug bounty related concerns; contact Bugcrowd support instead
The following finding types are specifically excluded from the bounty:
- HTTP 404 codes/pages or other HTTP non-200 codes/pages
- Fingerprinting / banner disclosure on common/public services
- Disclosure of known public files or directories (e.g. robots.txt)
- Clickjacking and issues only exploitable through clickjacking
- CSRF on forms that are available to anonymous users (e.g. login or contact form)
- Logout / login Cross-Site Request Forgery (logout CSRF)
- Presence of application or web browser 'autocomplete' or 'save password' functionality
- Lack of a security speed bump when leaving the site
- No CAPTCHA / weak CAPTCHA / CAPTCHA bypass
- Brute force on the login or forgot-password page, and account lockout not being enforced
- Enabled HTTP methods
  - OPTIONS, PUT, GET, DELETE, INFO
- Web server type disclosure
- Social engineering of our service desk, employees or contractors
- Physical attacks against Okta's offices and data centers
- Error messages with non-sensitive data
- Non-application-layer Denial of Service or DDoS
- Lack of HttpOnly / Secure flag on cookies
- Username / email enumeration
  - via login page error message
  - via forgot-password error message
- Missing HTTP security headers (see https://www.owasp.org/index.php/List_of_useful_HTTP_headers), e.g.
  - Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
- SPF / DMARC / DKIM mail and domain findings
- Email rate limiting or spamming
- DNSSEC findings
- CSV issues
- AV scanning
- SSL issues, e.g.
  - SSL attacks such as BEAST, BREACH, renegotiation attack
  - SSL forward secrecy not enabled
  - SSL weak / insecure cipher suites
- Cookie issues
  - multiple cookie setting
  - anything to do with JSESSIONID
- Service rate limiting
- User or org enumeration
- Security image issues
- Business logic READ issues
  - e.g. any admin can see another admin's users, devices, or download reports
  - e.g. a read-only admin can see logs or other details
  - e.g. a mobile admin can see super user details
Reference documentation:
- Okta Public API References
- Okta Configuration & Support Site
- LDAP Agent Installation
- LDAP as a Service
- Desktop SSO / IWA
- OAuth & OIDC
Please check the current Release Notes to see what's new. New code is released weekly.
Chaining of bugs is not frowned upon in any way; we love to see clever exploit chains! However, if you have managed to compromise an Okta-owned server, we do not allow further escalation such as port scanning internal networks, privilege escalation attempts, attempting to pivot to other systems, etc. If you get this level of access to a server, please report it to us and we will reward you with an appropriate bounty, taking into full consideration the severity of what could be done. Chaining a CSRF vulnerability with a self-XSS? Nice! Using an AWS access key to dump sensitive info? Not cool.
Unsure of a vuln?
We base all payouts on impact. When in doubt, the question always comes down to impact (i.e. what can actually be done with the vulnerability, and what is the consequence to Okta). If you can demonstrate why a finding has significant impact, then please submit.
As an example: let's say you can, as a limited admin, see logs that are not in your user role. What is the impact? If this allows you to compromise something else, then please detail the full exploit chain and report it. However, if the only impact is reading logs, then there is no need to report it, as it falls under Business Logic READ issues.
Bugs of similar nature or root cause reported by the same person may be combined into one item, thus constituting only a single award.
Required MFA Configuration
All orgs are created with a minimal configuration, and it is the customer's responsibility (yours, in this program) to configure the environment to enforce MFA enrollment AND validation.
- First, require MFA enrollment: Security -> Multifactor -> Factor Enrollment
- Second, set a factor to be required for all logins (e.g. Security Question or Okta Verify): Security -> Authentication -> Sign On: Default Policy (or whichever policy is in the #1 position and assigned to everyone), with the rule applying anywhere / all the time and the action set to Prompt for Factor
This manual configuration is required to fully enable MFA validation for users and admins within your Okta org.
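The steps above are UI clicks, and the bypass rules below only count if the org really is in that state, so it is worth confirming it from the policy objects rather than from memory. The following is an added example (my code, not Okta's or Bugcrowd's) that checks sign-on and enrollment policies for the two settings the page requires: a factor whose enrollment is REQUIRED, and every active ALLOW sign-on rule requiring a factor with a prompt on every login. The field names (`OKTA_SIGN_ON`, `MFA_ENROLL`, `requireFactor`, `factorPromptMode`, `enroll.self`, `conditions.network.connection`) are my assumptions about the shape returned by Okta's classic Policy API, not something this page states; the three sample orgs are constructed for the example.

```python
"""Check that an Okta org's policies enforce MFA enrollment AND MFA at every login.

Added example, not code from Okta or Bugcrowd. Field names follow the Okta
classic Policy API as I understand it (GET /api/v1/policies?type=OKTA_SIGN_ON
and ?type=MFA_ENROLL); treat them as assumptions and compare against the API
reference. The sample orgs below are constructed, not fetched from a real org.
"""
import json

# Constructed: a freshly created org with the minimal configuration, nothing enforced.
DEFAULT_ORG = json.loads("""{
  "MFA_ENROLL": [{"name": "Default Policy", "status": "ACTIVE", "priority": 1,
    "settings": {"factors": {"okta_verify": {"enroll": {"self": "OPTIONAL"}}}}}],
  "OKTA_SIGN_ON": [{"name": "Default Policy", "status": "ACTIVE", "priority": 1,
    "rules": [{"name": "Default Rule", "status": "ACTIVE", "priority": 1,
      "conditions": {"network": {"connection": "ANYWHERE"}},
      "actions": {"signon": {"access": "ALLOW", "requireFactor": false}}}]}]}""")

# Constructed: enrollment is required, but the rule only prompts once per session.
PARTIAL_ORG = json.loads("""{
  "MFA_ENROLL": [{"name": "Default Policy", "status": "ACTIVE", "priority": 1,
    "settings": {"factors": {"okta_verify": {"enroll": {"self": "REQUIRED"}}}}}],
  "OKTA_SIGN_ON": [{"name": "Default Policy", "status": "ACTIVE", "priority": 1,
    "rules": [{"name": "Default Rule", "status": "ACTIVE", "priority": 1,
      "conditions": {"network": {"connection": "ANYWHERE"}},
      "actions": {"signon": {"access": "ALLOW", "requireFactor": true,
                             "factorPromptMode": "SESSION"}}}]}]}""")

# Constructed: the configuration the program asks for.
HARDENED_ORG = json.loads("""{
  "MFA_ENROLL": [{"name": "Default Policy", "status": "ACTIVE", "priority": 1,
    "settings": {"factors": {"okta_verify": {"enroll": {"self": "REQUIRED"}},
                             "question": {"enroll": {"self": "OPTIONAL"}}}}}],
  "OKTA_SIGN_ON": [{"name": "Default Policy", "status": "ACTIVE", "priority": 1,
    "rules": [{"name": "Default Rule", "status": "ACTIVE", "priority": 1,
      "conditions": {"network": {"connection": "ANYWHERE"}},
      "actions": {"signon": {"access": "ALLOW", "requireFactor": true,
                             "factorPromptMode": "ALWAYS"}}}]}]}""")


def enrollment_gaps(enroll_policies):
    """Findings for MFA_ENROLL policies that leave enrollment optional."""
    active = [p for p in enroll_policies if p.get("status") == "ACTIVE"]
    if not active:
        return ["no active MFA_ENROLL policy"]
    gaps = []
    for p in active:
        factors = p.get("settings", {}).get("factors", {}).values()
        if not any(f.get("enroll", {}).get("self") == "REQUIRED" for f in factors):
            gaps.append(f"enrollment policy {p['name']!r}: no factor is REQUIRED")
    return gaps


def signon_gaps(signon_policies):
    """Findings for any active ALLOW rule that does not prompt for a factor on
    every login from anywhere. Deliberately strict: a permissive rule is reported
    even if a higher-priority rule would shadow it, matching 'no exceptions'."""
    active = [p for p in signon_policies if p.get("status") == "ACTIVE"]
    if not active:
        return ["no active OKTA_SIGN_ON policy"]
    gaps = []
    for p in active:
        for r in p.get("rules", []):
            signon = r.get("actions", {}).get("signon", {})
            if r.get("status") != "ACTIVE" or signon.get("access") != "ALLOW":
                continue  # inactive or DENY rules cannot let a login through
            where = f"sign-on policy {p['name']!r}, rule {r['name']!r}"
            if signon.get("requireFactor") is not True:
                gaps.append(f"{where}: requireFactor is not true")
            elif signon.get("factorPromptMode") != "ALWAYS":
                gaps.append(f"{where}: factorPromptMode is "
                            f"{signon.get('factorPromptMode')!r}, expected 'ALWAYS'")
            connection = r.get("conditions", {}).get("network", {}).get("connection")
            if connection not in (None, "ANYWHERE"):
                gaps.append(f"{where}: rule is scoped to a network zone, not ANYWHERE")
    return gaps


def mfa_gaps(org):
    """All findings for an org; an empty list means MFA is enforced as required."""
    return enrollment_gaps(org.get("MFA_ENROLL", [])) + signon_gaps(org.get("OKTA_SIGN_ON", []))


if __name__ == "__main__":
    for name, org in (("default", DEFAULT_ORG), ("partial", PARTIAL_ORG), ("hardened", HARDENED_ORG)):
        gaps = mfa_gaps(org)
        print(f"{name}: {'OK' if not gaps else 'NOT ENFORCED'}")
        for g in gaps:
            print("  -", g)
```

To run it against a real test org, replace the constructed dictionaries with the JSON arrays returned by the policy listing endpoint (authenticated with an API token) and keep the check strict: the program pays for a bypass of server-side MFA enforcement, not for a login that slipped through a rule you left permissive.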
Full MFA Bypass
- The "Required MFA Configuration" above must be in place
- If applications are the target, MFA must be required per-app with no exceptions
- An MFA bypass includes any mechanism to avoid, remove, or compromise MFA server-side for a customer
- Examples of unacceptable submissions include turning off MFA, changing MFA as the admin, changing MFA policies as the admin, and bypassing local-only checks
Browser Plugin Compromise
- Critical browser plugin vulnerabilities include a compromise of the entire plugin on any supported platform. Accepted, but not critical, issues include single-site regex confusion, inappropriate interaction with the plugin from the target DOM, and API vulnerabilities in usage or implementation for the OS/browser.
- Examples of unacceptable submissions include directly modifying the plugin on the host, creating a fake plugin, and theoretical issues that cannot be reproduced.
Mobile App Critical Vulnerability
- Critical mobile application vulnerabilities include a compromise of the mobile application from the network, from other apps on the device, through third-party library vulnerabilities, or via accessible APIs.
- Examples of unacceptable submissions include enhancement recommendations, issues that are only exploitable on jailbroken / rooted devices and do not work on unmodified equipment, and reports related to hooking, wrapping, or replacing the application.
This program follows Bugcrowd’s standard disclosure terms.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.
This bounty requires explicit permission to disclose the results of a submission.