|Scope Type||Scope Name|
|api||Centrify Service API|
|other||Centrify Agent for Windows|
|other||Centrify Cloud Connector|
|other||Local Client Launcher|
Out of Scope
|Scope Type||Scope Name|
|android_application||Centrify Android App|
|ios_application||Centrify iOS App|
|other||Centrify Browser Extension|
For this program, we are inviting researchers to test our community and customer facing web resources, as well as our Privilege Service. For high level product information, see: https://www.centrify.com/privileged-access- management/
This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings.
Target name | Type
pod23.centrify.com | Website
pod12.centrify.com | Website
<https://www.centrify.com> | Website
Centrify Privilege Service Portal | Website
Centrify Service API | API
Centrify Agent for Windows | Other
Centrify Cloud Connector | Other
Local Client Launcher | Other
Target name | Type
Centrify iOS App | iOS
Centrify Android App | Android
Centrify Browser Extension | Other
Please note : Any domain/property of Centrify Corporation not listed in the targets section is out of scope. This includes any/all domains, subdomains or names not listed in the targets below.
The Centrify Privilege Service is a multi-tenanted cloud service. In order to test, you will need to register for your own tenant. Please use the instructions below to register as a bugcrowd tester. Registration will then give you access to a Bugcrowd cloud instance hosted at pod12.centrify.com.
For this target, the only in-scope hosts are:
Visit: https://www.centrify.com/free-trial/identity-service-for-bugcrowd-researchers and fill out the form
Please use "bugcrowd" for first and last name
Please use your @bugcrowdninja.com email address (for more info regarding @bugcrowdninja email addresses, see here: https://researcherdocs.bugcrowd.com/v2.0/docs/your-bugcrowdninja-email-address)
A mail will be sent to your address to verify you have access to it. Using the link in the email will activate your tenant, and another email will be sent with access information for your tenant, including initial administrative credentials.
You can register for additional tenants by repeating these steps. Please restrict the number of tenants created to at most 2 per researcher.
Intra-tenant data visibility - i.e. ability to see restricted information within the current tenant without appropriate based access being granted first in any portion of the product, either through data exposition, or escalation of privilege.
Cross-tenant data visibility - All data stored on behalf of a given tenant should be visible only within that tenant. Please use an additional tenant of your own to test these boundaries.
The /resources, /my and /manage web applications and the underlying REST API surface used by them. Note that API is documented: http://developer.centrify.com
There are a number of clients and agents which are in scope and can be downloaded from within the product, these are:
Centrify Agent for Linux - Enables application to application password management
Centrify Agent for Windows - Enables Cloud integrated Multi-Factor Authentication for Windows sign in
Centrify Cloud Connector - Enables connectivity to Active Directory, Application Gateway (reverse web proxy), remote SSH/RDP access, etc
Local Client Launcher - Enables launching SSH/RDP sessions from browser through native applications like Putty
The corporate web presence of Centrify is the second target of this program. In scope for this program is:
No other *.centrify.com or related hosts, subdomains or sites are in scope.
Also, when using automated tools that post to forms:
Current SPAM blacklist on email address field:
This SPAM list has proven effective so far against Acunetix and NetSparker and others. But, we will happily add a few specific email addresses or domains to accommodate your tool if you give us advance warning.
In short, be sure that if you test forms with automation, that you follow the above.
Mobile apps and browser extensions associated with Centrify services are currently out of scope for this bounty.
Please note that the Privilege service targets are heavily dependent on a SQL language abstraction for access to and visibility of data. This is an abstraction only, which does not allow for any write or update. The schema for this abstracted database is available intentionally and is visible in the product for reporting and interaction by end users. Row level access control is used to ensure visibility at read time. We consider SQLi reports which expose the schema or read-only interaction with our interface as out of scope. That said, if you discover injections which allows for changing/updating data we’d love to know!
Any hosts or other external services not explicitly listed in the targets above (i.e. target applications outside the centrify cloud service itself, email hosts/clients). When testing remote access features like SSH/RDP, please target connections at only those resources you own/control.
In some circumstances, customer/tenant configuration can be changed to provide a lower security threshold (i.e. no account lockout, no second factor, etc) - we consider deliberate configuration change followed by attack on that change out of scope.
Disclosure of information that is public or does not present significant risk
Vulnerabilities that we determine to be an acceptable risk
Flaws affecting the users of out-of-date browsers and plugins. Typically will not reward any problems that affect only the users of outdated or un-patched browsers. In particular, we exclude Internet Explorer prior to version 9, Flash, signed Java Applets, etc.
Defacing of any site or resource. Report if you think you can do it and how, but don't actually do it
The following finding types are specifically excluded from the bounty:
Category | Privilege Service or Inter-Tenant | Intra-Tenant | Corporate
P1 | $3,000 | $1,500 | $1,500
P2 | $1,800 | $900 | $900
P3 | $500 | $300 | $300
P4 | $200 | $100 | $100
This program follows Bugcrowd’s standard disclosure terms.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.