Banner object (1)

Hack and Take the Cash !

851 bounties in database
  Back Link to program      
22/03/2018
Centrify logo
Thanks
Gift
Hall of Fame
Reward

Reward

100 $ 

Centrify

READ THIS FIRST:

- Configure your scanners:

- Scope is limited - READ THE BRIEF BEFORE TESTING


For this program, we are inviting researchers to test our community and customer facing web resources, as well as our Privilege Service. For high level product information, see: https://www.centrify.com/privileged-access- management/

This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings.

Targets

In scope

Target name | Type
---|---
pod23.centrify.com | Website
pod12.centrify.com | Website
<https://www.centrify.com> | Website
Centrify Privilege Service Portal | Website
Centrify Service API | API
Centrify Agent for Windows | Other
Centrify Cloud Connector | Other
Local Client Launcher | Other

Out of scope

Target name | Type
---|---
Centrify iOS App | iOS
Centrify Android App | Android
Centrify Browser Extension | Other

Please note : Any domain/property of Centrify Corporation not listed in the targets section is out of scope. This includes any/all domains, subdomains or names not listed in the targets below.

Privilege Service

The Centrify Privilege Service is a multi-tenanted cloud service. In order to test, you will need to register for your own tenant. Please use the instructions below to register as a bugcrowd tester. Registration will then give you access to a Bugcrowd cloud instance hosted at pod12.centrify.com.

For this target, the only in-scope hosts are:

  • pod12.centrify.com (and any *.my.centrify.com which cnames to the same)
  • pod23.centrify.com (and any *.gateway.centrify.com which cnames to the same)

Registering For A Tenant

Focus Areas

Web Application and REST API

  • Intra-tenant data visibility - i.e. ability to see restricted information within the current tenant without appropriate based access being granted first in any portion of the product, either through data exposition, or escalation of privilege.

  • Cross-tenant data visibility - All data stored on behalf of a given tenant should be visible only within that tenant. Please use an additional tenant of your own to test these boundaries.

  • The /resources, /my and /manage web applications and the underlying REST API surface used by them. Note that API is documented: http://developer.centrify.com

Agents and Installable Clients

There are a number of clients and agents which are in scope and can be downloaded from within the product, these are:

  • Centrify Agent for Linux - Enables application to application password management

  • Centrify Agent for Windows - Enables Cloud integrated Multi-Factor Authentication for Windows sign in

  • Centrify Cloud Connector - Enables connectivity to Active Directory, Application Gateway (reverse web proxy), remote SSH/RDP access, etc

  • Local Client Launcher - Enables launching SSH/RDP sessions from browser through native applications like Putty

Corporate Web Presence

The corporate web presence of Centrify is the second target of this program. In scope for this program is:

  • www.centrify.com

No other *.centrify.com or related hosts, subdomains or sites are in scope.

Registering for an account

  • Visit https://www.centrify.com/signup/
  • Use an @bugcrowdninja.com email address here
  • Use "bugcrowd" for First Name, Last Name and Company Name fields
  • You will get an email back from this form and must click the validation link.
  • This account will only give you basic permissions. You should not be able to access protected functions/content of the Customer Support Portal and the Partner Portal.

Posting Forms

  • Use an @bugcrowdninja.com email address
  • Use "bugcrowd" for First Name, Last Name and Company Name fields
  • Don't expect the forms to actually email you. We are preventing *@bugcrowdninja.com from entering the normal lead flow.

Also, when using automated tools that post to forms:

  • Please identify yourself in your testing and be ready to shut down the tool if notified.
  • Please be aware of what email address will be attempted. If the tool will attempt to use valid looking email addresses please consult the SPAM blacklist

Current SPAM blacklist on email address field:

  • acunetix_wvs_security_test
  • @bugcrowdninja.com
  • @email.tst
  • @example.com
  • @tinfoil-fake-site.com
  • @xample.com

This SPAM list has proven effective so far against Acunetix and NetSparker and others. But, we will happily add a few specific email addresses or domains to accommodate your tool if you give us advance warning.

In short, be sure that if you test forms with automation, that you follow the above.

Focus Areas

  • Site vulnerabilities exploitable in current browsers
  • User authentication
  • Privilege escalation at centrify.force.com/support, centrify.force.com/partners - use of this domain for testing for escalation only please
  • Privilege escalation at partners.centrify.com - use of this domain for testing for escalation only please

Out of Scope and Exclusions

Generally Out of Scope

  • Mobile apps and browser extensions associated with Centrify services are currently out of scope for this bounty.

  • Please note that the Privilege service targets are heavily dependent on a SQL language abstraction for access to and visibility of data. This is an abstraction only, which does not allow for any write or update. The schema for this abstracted database is available intentionally and is visible in the product for reporting and interaction by end users. Row level access control is used to ensure visibility at read time. We consider SQLi reports which expose the schema or read-only interaction with our interface as out of scope. That said, if you discover injections which allows for changing/updating data we’d love to know!

  • Any hosts or other external services not explicitly listed in the targets above (i.e. target applications outside the centrify cloud service itself, email hosts/clients). When testing remote access features like SSH/RDP, please target connections at only those resources you own/control.

  • In some circumstances, customer/tenant configuration can be changed to provide a lower security threshold (i.e. no account lockout, no second factor, etc) - we consider deliberate configuration change followed by attack on that change out of scope.

  • Disclosure of information that is public or does not present significant risk

  • Vulnerabilities that we determine to be an acceptable risk

  • Flaws affecting the users of out-of-date browsers and plugins. Typically will not reward any problems that affect only the users of outdated or un-patched browsers. In particular, we exclude Internet Explorer prior to version 9, Flash, signed Java Applets, etc.

  • Defacing of any site or resource. Report if you think you can do it and how, but don't actually do it

General Exclusions

The following finding types are specifically excluded from the bounty:

  • Exposition of Customer ID/Tenant ID - these are not 'secret'
  • Username / email enumeration via Login experience
  • D/DOS at the network level - though application/functional DOS through crafted arguments should be reported but not continually exploited.

Rewards

Bonus Announcement - Centrify is excited to announce release 19.5. The first accepted submission against version 19.5 will be awarded a $100 bonus. Please be sure to specify within your report that the submission is for 19.5.

Category | Privilege Service or Inter-Tenant | Intra-Tenant | Corporate Websites
---|---|---|---
P1 | $3,000 | $1,500 | $1,500
P2 | $1,800 | $900 | $900
P3 | $500 | $300 | $300
P4 | $200 | $100 | $100

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

In Scope

Scope Type Scope Name
api

Centrify Service API

other

Centrify Agent for Windows

other

Centrify Cloud Connector

other

Local Client Launcher

web_application

pod23.centrify.com

web_application

pod12.centrify.com

web_application

https://www.centrify.com

web_application

Centrify Privilege Service Portal

Out of Scope

Scope Type Scope Name
android_application

Centrify Android App

ios_application

Centrify iOS App

other

Centrify Browser Extension


This program leverage 11 scopes, in 3 scopes categories.

FireBounty © 2015-2019

Legal notices