Scope Type | Scope Name
android_application | Okta Mobile MDM (Android)
android_application | Okta Verify (Android)
ios_application | Okta Mobile MDM (iOS)
ios_application | Okta Verify (iOS)
other | Okta Browser Plugin (IE / Firefox / Chrome)
We believe community researcher participation and building a secure foundation play an integral role in protecting our customers and their data. We appreciate all security submissions and strive to respond in an expedient manner.
Okta is a cloud-based identity service that connects people to their applications from any device, anywhere, anytime. The Okta Identity Cloud provides directory services, single sign-on, strong authentication, provisioning, mobile device management and API access management. It comes with built-in reporting, and integrates deeply with cloud, mobile and on-premises applications, directories and identity management systems.
Target name | Type
bugcrowd-%username%-1.oktapreview.com | Other
bugcrowd-%username%-2.oktapreview.com | Other
Okta Mobile MDM (iOS) | iOS
Okta Mobile MDM (Android) | Android
Okta Browser Plugin (IE / Firefox / Chrome) | Other
Okta Verify (iOS) | iOS
Okta Verify (Android) | Android
Please note that if you previously had an Okta account via the private program, your old account will still work (and consequently, you may not get an email for a new account). As such, you can simply use your old/existing subdomain, credentials, etc. Please check your mail history for this information before messaging email@example.com.
LDAP as a Service
Authentication Protocol Vulnerabilities (e.g. SAML, OAuth & OIDC, Social Auth)
XXE within the massive amount of XML data we accept
Okta Browser Plugin (IE / Firefox / Chrome)
Cross-Org Access / Multi-Tenancy Vulnerabilities
Privileged (Horizontal / Vertical) Escalation
All on-premise Agents (e.g. LDAP / AD / OPP / Radius / RSA)
Okta Mobile (iOS / Android)
Okta Verify (iOS / Android)
XSS and other Top 10 issues such as Open Redirection and CSRF on sensitive page actions
EXAMPLE Vulnerability Type | EXAMPLE Reward
Full RCE [Obtain a shell back from our network] | $15k
Full Privilege Escalation from one Okta Org to another Okta Org | $10k
Full Privilege Escalation within the same Okta Org | $5k
XXE Local file read [Read and Exfiltrate data OOB] | $5k
Working SQL Injection | $5k
Okta SAML or OAuth implementation bugs | $5k
Browser Plugin Compromise | $1.5k
Working XSS (Affecting multiple users) | $1k
Mobile App Critical Vulnerability | $1k
Admin Cross-Site Request Forgery (CSRF) | $1k
Full Server-Side Request Forgery (SSRF) | $1k
User Cross-Site Request Forgery (CSRF) | $500
Open Redirection | $500
Critical Information Disclosure | $500
XSS affecting only the current user (Self-XSS) | $100
Blind Server-Side Request Forgery (SSRF) | $100
Forced Browsing / Insecure Direct Object References / URL Jumping | $100
Business Logic issue (write / manipulate) | $100
Other Security Issues | $100
The above outlines the reward guidelines for specific classes of vulnerabilities in in-scope properties (see the section on Scope). Keep in mind that no two bugs are created equal. These payouts define general guidelines and the relative importance of each vulnerability class. The Okta Security team will determine the nature and impact of each bug to identify the appropriate payout around these guidelines.
Note: Anything not explicitly defined as in scope is by default out of scope.
Okta Public API References
Okta Configuration & Support Site
LDAP Agent Installation
LDAP as a Service
Desktop SSO / IWA
OAuth & OIDC
Please check the current Release Notes to see what's new. New code is released weekly.
Chaining of bugs is not frowned upon in any way; we love to see clever exploit chains! However, if you have managed to compromise an Okta-owned server, we do not allow escalations such as port scanning internal networks, privilege escalation attempts, attempting to pivot to other systems, etc. If you gain this level of access to a server, please report it to us and we will reward you with an appropriate bounty, taking into full consideration the severity of what could be done. Chaining a CSRF vulnerability with a self-XSS? Nice! Using an AWS access key to dump sensitive info? Not cool.
We base all payouts on impact; when in doubt, the question always comes down to impact (i.e. what can actually be done with the vulnerability and what the consequence is for Okta). If you can demonstrate why a finding has significant impact, then please submit.
As an example: let's say you can, as a limited admin, see logs that are not in your user role. What is the impact? If this allows you to compromise something else, then please detail the full exploit chain and report it. However, if the only impact is reading logs, then there is no need to report it, as it would fall under Business Logic READ issues.
Bugs of similar nature or root cause reported by the same person may be combined into one item, thus constituting only a single award.
This program follows Bugcrowd’s standard disclosure terms.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.
In addition to the above standard disclosure terms, by participating in this program, you're agreeing to abide by the Okta rules defined by the program here.
This bounty requires explicit permission to disclose the results of a submission.