Ping Identity looks forward to working with the security community to find and solve vulnerabilities.

Thank you for helping us keep our customers safe.

Getting Access

For our docker images:

Please clone this repo and follow the steps in the README. Please use the following credentials for this program:

```

PING_IDENTITY_DEVOPS_USER=bug-bounty1@pingidentity.com

PING_IDENTITY_DEVOPS_KEY=ed56408c-8d96-6aed-107c-3deb0214e928

```

You may open an issue in the github repo if you run into trouble.

For our SaaS offerings:

Please fill out the form to receive test credentials for our console-staging.pingone.com environments.

NOTE:

As per the program scope, neither *.pingidentity.* or *.symphonicsoft.* URLs, nor any other domains or sub-domains registered to Ping Identity that aren't included in our program scope, will be eligible for bounties. Please see in-scope endpoints below.

Out of scope reports that are determined to be legitimate vulnerabilities will be remediated, and while they will not be eligible for monetary awards, we will do our best to award as many reputation points as possible to the reporter and publicly disclose actionable reports upon request.

If you are a Ping customer, please consider submitting a support ticket here.

Response times

Ping Identity strives to respond to reports as follows:

• First response - 5 business days from submission

• Triage - 10 business days from submission

• Bounty payout - 10 business days from triage

We do our best to keep researchers informed throughout the process.

Disclosure Policy

Follow HackerOne's disclosure guidelines.

Program Rules

• Provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue is not eligible for a reward.

• Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.

• When duplicates occur, we only award the first eligible report that we receive.

• When multiple vulnerabilities are caused by one underlying issue, we award a single bounty.

• Social engineering (e.g. phishing, vishing, smishing) is prohibited.

• Avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or have explicit permission to interact with.

Common vulnerabilities to look for across all endpoints:

• Information disclosure (cluster health, internal hostnames, passwords)

• Exploitable TLS vulnerabilities or misconfiguration

• Components with exploitable security vulnerabilities

• Unauthorized or elevated persistent store access

• Sensitive AWS metadata exposure

• Cross-tenant administrative access or information disclosure

• REST API vulnerabilities

• OWASP Top 10 vulnerabilities

• CWE-SANS Top 25 Dangerous Bugs

The following issues are well known and ineligible for bounties:

• Session mismanagement on change or forget password

  • Report #643731

  • Report #659957

• Publicly exposed Google Maps API key

  • Report #724039

• Publicly exposed New Relic monitoring access token

• Publicly exposed Coveo search access token

• Missing SPF Records

The following issues are considered out of scope:

• Ping Identity corporate systems, and neither websites *.pingidentity.* or *.symphonicsoft.*, nor any other domains or sub-domains registered to Ping Identity that are not included in our program scope

• All example code and public repository code at https://github.com/pingidentity or anywhere else on Github, apart from the Docker images in https://github.com/pingidentity/bug-bounty-server-profiles

• All public Docker images at https://hub.docker.com/u/pingidentity that are not part of the repo for bug bounties (https://github.com/pingidentity/bug-bounty-server-profiles)

• All on-premises Ping Identity downloadable products that are not provided in our docker images

• Other Ping Identity customer-downloadable products or components, such as SDKs, including PingID SDK

• Any customizations, Ping Identity adapters, or integration kits

• Issues without clearly identified security impact or with only speculative theoretical exploitability

• Missing security best practices and controls (rate-limiting/throttling, lack of CSRF protection, lack of security headers, missing flags on cookies, descriptive errors, server/technology disclosure, etc.), without a clear and working Proof of Concept

• Self-exploitation (cookie reuse, self cookie-bomb, self denial-of-service, etc.)

• Self Cross-Site Scripting vulnerabilities without evidence of how the vulnerability can be used to attack another user

• Previously known CVEs in third-party services (i.e. Google Tag Manager, New Relic, Coveo, Pendo, etc.), dependencies and open-source libraries (without a clear and working Proof of Concept)

• Missing best practices in SSL/TLS configuration

• Any activity that could lead to the disruption of our service (DoS), the brute forcing of credentials, or the cracking of licenses

• Attacks requiring MitM or physical access to a user's device

• Subdomains lacking proper SPF records

• Clickjacking on pages with no sensitive actions

• Unauthenticated/logout/login CSRF

• Comma Separated Values (CSV) injection without demonstrating a vulnerability

• Content-spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS

• Social engineering of Ping Identity employees or contractors

• Any physical/wireless attempt against Ping Identity property