CrowdStrike encourages researchers to follow responsible disclosure procedures
when reporting security issues in our products, services, websites, or
infrastructure. CrowdStrike is committed to engaging with the research
community in a positive, professional, mutually beneficial manner that
protects our customers.
Program Rules & Eligibility
To qualify for a reward under this program, you must:
- Be the first to discover a specific, currently-existing vulnerability.
- Provide verifiable proof the vulnerability exists and submit a vulnerability report to us. Send a screenshot and a clear text description of the report along with steps to reproduce the vulnerability. Include attachments such as proof-of-concept code as necessary.
- Treat the vulnerability report and any vulnerability as confidential information and not divulge to any third person (except disclosure to CrowdStrike through the HackerOne platform) any such information until disclosure is approved in writing by CrowdStrike.
- Disclosure to any third parties before such approval forfeits the reward.
- Demonstrate care in reproducing the vulnerability.
- CrowdStrike employees are ineligible for this program.
The CrowdStrike Security Rewards program recognizes the contributions of security researchers who invest their time and effort in helping us make CrowdStrike more secure. Through this program we provide monetary rewards and recognition for vulnerabilities disclosed to the CrowdStrike Security Team.
The reward level is based on the vulnerability impact and increases for higher quality reports that include reproduction code, test cases, and patches. Rewards are not additive and are subject to change as we see fit. CrowdStrike will determine the impact for a given security vulnerability based on existing and compensating controls. Prior bounty amounts awarded are not precedent for future payments. Our program's scope and policy are subject to change at any time, and individuals are encouraged to refer to this policy often.
Our rewards are based on severity per CVSS (the Common Vulnerability Scoring System). Please note these are general guidelines, and that reward decisions are up to the discretion of CrowdStrike.
Critical (9.0 - 10.0): $3,000
High (7.0 - 8.9): $1,000
Medium (4.0 - 6.9): $500
Low (0.1 - 3.9): $250
Scope of program
- The scope of our program focuses on specific externally facing infrastructure owned by CrowdStrike. This program covers security vulnerabilities discovered within the CrowdStrike public infrastructure, including websites and DNS configurations.
- The only systems in scope for this program are listed in the asset section below.
CrowdStrike reserves the right to designate a report as a duplicate submission,
and to decide specifically which report is the duplicate. This is not based solely
on time of submission but also on completeness of the submission, care taken in
the steps to verify, and proposed mitigation. CrowdStrike reserves the right to
close any submission as a duplicate if a better submission is received.
Out of Scope Vulnerabilities and Exclusions
- Social engineering attempts on CrowdStrike personnel or our customers including e-mail phishing attacks and pre-text phone calls.
- Any other vulnerabilities that involve directly sending email to CrowdStrike email addresses.
- Physical attacks against CrowdStrike property and infrastructure, including but not limited to offices or data centers.
- Vulnerabilities in a vendor we integrate with.
- Use of automated tools that could generate significant traffic and possibly impair the functionality of products, including denial of service attacks.
- Vulnerabilities in obsolete or end of life versions of our products.
- Missing additional security controls, such as HSTS or CSP headers.
- Login/Logout CSRF.
- Breaking of SSL/TLS trust (unless you can provide working PoC).
- Cookies missing security flags (for non-sensitive cookies).
- Brute-force / Rate-limiting / Velocity throttling.
- Vulnerabilities only affecting users of outdated or un-patched browsers and platforms.
- Presence of autocomplete attribute on web forms.
- ClickJacking / TabNabbing attacks.
- E-Mail spoofing.
- Web content in our robots.txt file.
- Banner Exposure / Version Disclosure.
- Additional missing security controls often considered “Best practice”, such as certificate pinning or mitigating information disclosures.
- CrowdStrike reserves the right to cancel or modify this program at any time. All engagements will be honored to the conditions in existence at the time of verification of the issue.
- In connection with your participation in this program you agree to comply with all applicable laws.
- Please refrain from accessing sensitive information in connection with the program.
- Please avoid unauthorized access to another person's accounts or data, destruction of data, and interruption or degradation of our infrastructure and services. If you do encounter personally identifiable information, customer data or other sensitive information, contact us immediately, do not proceed with access, and do not retain any copies of such information.
- The vulnerability report and all vulnerabilities therein as well as any confidential data accessed pursuant to a vulnerability shall be CrowdStrike confidential information and you shall (i) protect that information using at least a reasonable degree of care, (ii) not use such information other than to provide such information to CrowdStrike in connection with the program, and (iii) not divulge to any third person any such information until disclosure is approved in writing by CrowdStrike.
- If you’re a minor, on a sanctions list, or live in a country that’s on a sanctions list, we cannot provide a reward.
- Citizenship and residency are likely to affect whether you owe taxes on any reward you receive, and you alone are responsible for paying any tax liability incurred through this program.
- Decision making is ultimately up to CrowdStrike's discretion.
Thank you for helping keep CrowdStrike and our users safe!