Okta (virtual) Bug Bash: 2021!

  • $200 – $50,000 per vulnerability
  • Safe harbor
  • Managed by Bugcrowd

Compliance

After joining, you will need to meet the compliance requirements to participate in this program.
  • Signed Document

This is the teaser page of a private program

Public code summer-dew-3152

Use this public code to communicate with Bugcrowd support about this program.

Ever wanted to participate in a Bug Bash, but never got an invite or didn't know how to get on the list? Now's your chance!

There are limited seats, but we want to make sure everyone has a chance to participate. If you feel your skills are a great fit for the specifications listed below, please apply, and we'll work to review all applicants as quickly as possible.

For this bash there's going to be a heavy emphasis on testing some new Okta binaries - which is to say that if you're a pro with IDA Pro or Ghidra, then this may be the bash for you. Researchers with a strong background in reverse engineering or binary exploitation will be prioritized.

Of course, there's going to be a heavy dose of webapp scope for classical webapp vulnerabilities - so if you've got a strong background in testing SAML or IDPs, then you're probably a shoo-in for an invite as well.

And finally, we can't forget about the mobile and API components. If you're a certified mobile or API gangster, we'd love to have ya onboard to help make piles of money and help secure the world's leading SSO provider at the same time.

Also, if you've got a crew that's a finely tuned wrecking ball, collaboration is massively encouraged for this program, so bring your team and do some damage!

This program will take place with a two week pre-testing phase from June 28th to July 11th, with the main bash event itself taking place from the 12th to the 14th of July.

Reward range

Last updated

Technical severity Reward range
p1 Critical $20,000 - $50,000
p2 Severe $10,000 - $15,000
p3 Moderate $1,000 - $2,000
p4 Low $200 - $400
P5 submissions do not receive any rewards for this program.

Targets

  • website
  • other
  • ios
  • android

The targets provide directory services, single sign-on, strong authentication, provisioning, mobile device management and API access management. It comes with built-in reporting, and integrates deeply with cloud, mobile and on-premises applications, directories and identity management systems.

The in scope applications utilize technologies like Kotlin, Java, Swift, Objective-C and more!

Rewards for this program are as follows:

Priority Rewards
P1 $38,000 - $50,000
P2 $10,000 - $15,000
P3 $1,000 - $2,000
P4 $200 - $400

Additionally, bonuses will be paid for accomplishing certain objectives, such as first P1, best collaboration, and finding the most bugs. There's opportunity aplenty for everyone (swag and physical prizes will also be provided for participants, as well as those who dominate specific categories)... it's gonna be a good time. Looking forward to seeing you there!