Program stats

49 vulnerabilities rewarded

5 days average response time

$634.26 average payout (last 12 weeks)


We believe that community researcher participation and building a secure foundation play an integral role in protecting our customers and their data. We appreciate all security submissions and strive to respond in an expedient manner.

Okta is a cloud-based identity service that connects people to their applications from any device, anywhere, anytime. The Okta Identity Cloud provides directory services, single sign-on, strong authentication, provisioning, mobile device management and API access management. It comes with built-in reporting, and integrates deeply with cloud, mobile and on-premises applications, directories and identity management systems.

Targets

Account Creation

Steps

  • In order to participate in Okta’s bug bounty program you are required to have a Bugcrowd account
  • Visit the Okta Bugbounty Signup and enter your Bugcrowd ID (username)
  • Two accounts will be created as follows: https://bugcrowd-username-1.oktapreview.com and https://bugcrowd-username-2.oktapreview.com
  • Two emails will be sent to your registered Bugcrowd address

Please note that if you previously had an Okta account via the private program, your old account will still work (and consequently, you may not get an email for a new account). In that case, simply use your existing subdomain and credentials; please check your mail history for this information before messaging support@bugcrowd.com.

Security Tester - ToDo

  • Change the email address associated with the provided users so that you can handle your own password resets
  • Create at least 2 other Admins in each ORG for resetting locked accounts and handling account problems.

Please check current Release Notes to see what's new. New code is released weekly.

Bug Payout Illustrative Examples

Payout   Type
$15k     Full RCE [Obtain a shell back from our network]
$10k     Full Privilege Escalation from one Okta Org to another Okta Org
$5k      Full Privilege Escalation within the same Okta Org
$5k      XXE Local file read [Read and Exfiltrate data OOB]
$5k      Working SQL Injection
$2.5k    SAML or OAuth implementation bugs
$750     Working XSS (Non-admin to Admin, Affecting multiple users)
$750     CSRF admin UI
$500     Open Redirection
$500     CSRF on non-admin UI
$500     Critical Information Disclosure
$100     XSS affecting only the current user (Self-XSS)
$50      Forced Browsing / Insecure Direct Object References / URL Jumping
$50      Business Logic issue
$50      Other Security Issues

The above outlines the reward guidelines for specific classes of vulnerabilities on in-scope properties (see the section on Scope). Keep in mind that no two bugs are created equal: these payouts are general guidelines that indicate the relative importance of each vulnerability class. The Okta Security team will determine the nature and impact of each bug to identify the appropriate payout within these guidelines.

In-Scope / Out-of-Scope

Note: Anything not explicitly defined In-Scope is by default Out-of-Scope

In-Scope Items

  • bugcrowd-%username%-1.oktapreview.com
  • bugcrowd-%username%-2.oktapreview.com

Out-of-Scope Items

  • *.okta.com
  • *.oktapreview.com
  • *.trexcloud.com
  • pages.okta.com
  • developer.okta.com
  • trust.okta.com
  • www.okta.com static site
  • Backend Okta non-app infrastructure
  • Network layer issues
  • Anything not explicitly called out above as in-scope

Restrictions

  • No automated scanning
  • No DoS: Amazon prohibits this activity, and the testing cluster is not scaled for these attacks
  • Limit AD / LDAP Imports to 1000 users & groups

The following finding types are specifically excluded from the bounty:

  • HTTP 404 codes/pages or other HTTP non-200 codes/pages.
  • Fingerprinting / banner disclosure on common/public services.
  • Disclosure of known public files or directories, (e.g. robots.txt).
  • Clickjacking and issues only exploitable through clickjacking.
  • CSRF on forms that are available to anonymous users (e.g. login or contact form).
  • Logout Cross-Site Request Forgery (logout CSRF).
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
  • Lack of Security Speedbump when leaving the site.
  • No Captcha / Weak Captcha / Captcha Bypass
  • Login or Forgot Password page brute force and account lockout not enforced
  • OPTIONS HTTP method enabled
  • WebServer Type disclosures
  • Social engineering of our service desk, employees or contractors
  • Physical attacks against Okta's offices and data centers
  • Error messages with non-sensitive data
  • Non-application layer Denial of Service or DDoS
  • Lack of HTTP Only / SECURE flag for cookies
  • Username / email enumeration
    • via Login Page error message
    • via Forgot Password error message
  • Missing HTTP security headers (see https://www.owasp.org/index.php/List_of_useful_HTTP_headers), e.g.
    • Strict-Transport-Security
    • X-Frame-Options
    • X-XSS-Protection
    • X-Content-Type-Options
    • Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
    • Content-Security-Policy-Report-Only
  • SPF / DMARC / DKIM Mail and Domain findings
  • DNSSEC Findings
  • CSV Issues
  • AV Scanning
  • SSL Issues, e.g.
    • SSL Attacks such as BEAST, BREACH, Renegotiation attack
    • SSL Forward secrecy not enabled
    • SSL weak / insecure cipher suites

Chaining Bugs

Chaining of bugs is not frowned upon in any way; we love to see clever exploit chains! However, if you have managed to compromise an Okta-owned server, we do not allow escalations such as port scanning internal networks, privilege escalation attempts, attempting to pivot to other systems, etc. If you gain this level of access to a server, please report it to us and we will reward you with an appropriate bounty, taking into full consideration the severity of what could have been done. Chaining a CSRF vulnerability with a self-XSS? Nice! Using an AWS access key to dump sensitive info? Not cool.

Additional Details

Similar Bugs

Bugs of similar nature or root cause reported by the same person may be combined into one item, thus constituting only a single award.

Reference Information

Focus Areas

  • Cross-Org Access / Multi-Tenancy Vulnerabilities
  • Authentication Protocol Vulnerabilities (e.g. SAML implementation flaws)
  • Privilege Escalation (Horizontal / Vertical)
  • All on-premise Agents (e.g. LDAP / AD / OPP / Radius / RSA)
  • Okta Browser Plugin (IE / Firefox / Chrome)
  • Okta Mobile MDM (iOS / Android)
  • Okta Verify (iOS / Android)
  • Remote Code Execution
  • SQL Injection and descriptive SQL error messages
  • XSS and other Top 10 issues, such as Open Redirection and CSRF on sensitive page actions

Rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for Informational (P5) findings. Learn more about Bugcrowd’s VRT.

In addition to the above standard disclosure terms, by participating in this program, you're agreeing to abide by the Okta rules defined by the program here.

This bounty requires explicit permission to disclose the results of a submission.