Cisco ThousandEyes Vulnerability Hunting aka Bug Bounty

  • $200 – $4,500 per vulnerability
  • Partial safe harbor
  • No collaboration

Program stats

  • Vulnerabilities rewarded 101
  • Validation within 13 days 75% of submissions are accepted or rejected within 13 days
  • Average payout $813.33 within the last 3 months

Latest hall of famers

Recently joined this program

Cisco ThousandEyes enables organizations to see and take action to maintain and optimize every digital journey that matters. From application experience to hop-by-hop network path and performance, Cisco ThousandEyes provides end-to-end visibility from every user to any application over any network. Now, you can maximize the value of your digital investments and leverage them to drive differentiation in the market.

No technology is perfect, and ThousandEyes believes that working with skilled security researchers worldwide is crucial in identifying weaknesses in any technology. We are excited for you to participate as a security researcher and help us identify vulnerabilities in our targets. Good luck, and happy hunting!

Important Guidelines: (Must Read)

  • Please ensure that the string "Bugcrowd-<BugcrowdUsername>" is appended to your user agent for all HTTP/HTTPS traffic before performing any testing. Example instructions on how to modify the user agent string for Chrome can be found here, and for Burp Suite can be found here.
  • Automated vulnerability scans are strictly prohibited (this includes any brute-force enumeration).
  • Maintaining confidentiality regarding any vulnerabilities you discover between ThousandEyes and yourself is crucial. Unauthorized disclosure can lead to removal from the Program and forfeiture of any reward.
  • At any point as a researcher, you are not allowed to modify/test any existing customer data or download any information other than from the Trial account or ThousandEyes grant to which you have been given access. Accessing/modifying any customer account or attempting to download customer data as part of vulnerability testing will lead to stricter actions, including termination and a ban from all Cisco programs, including ThousandEyes, given that these activities can not be considered researcher activities.
  • It's strictly forbidden to conduct any form of Denial of Service testing. If you identify a vector by which DoS can be performed, please get in touch with USSR@thousandeyes.com or submit a submission write-up.
  • Please note that as a bug bounty program participant, you play a crucial role in maintaining the security and availability of this live production environment.
  • This is a Private Program, so you must refrain from discussing program details, including Program name, scope, Vulnerability details, bounty structure, account information, or any other detail to anyone who is not a Bugcrowd employee or member of this Program. When collaborating with other Finders on the Program, do so securely, per the disclosure requirements listed in Bugcrowd's Code of Conduct.
  • Please clearly follow account creation guidelines for testing, including account naming and email conventions. Your submission may only be accepted if you adhere to those guidelines.

Ratings/Rewards:

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases, a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher, and the opportunity to appeal and make a case for a higher priority.

Scope and rewards

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please submit through the Bugcrowd Support Portal. We will address your issue as soon as possible.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.