CrowdStrike encourages researchers to follow responsible disclosure procedures when reporting security issues in our products, services, websites, or infrastructure. CrowdStrike is committed to engaging with the research community in a positive, professional, mutually beneficial manner that protects our customers.
Program Rules & Eligibility
* To qualify for a reward under this program, you must:
  * Be the first to discover a specific, currently existing vulnerability.
  * Provide verifiable proof that the vulnerability exists and submit a vulnerability report to us. Send a screenshot and a clear text description of the report along with steps to reproduce the vulnerability. Include attachments such as proof-of-concept code as necessary.
  * Treat the vulnerability report and any vulnerability as confidential information and not divulge any such information to any third person (except disclosure to CrowdStrike through the HackerOne platform) until disclosure is approved in writing by CrowdStrike.
  * Public disclosure or disclosure to any third parties before such approval forfeits the reward.
  * Demonstrate care in reproducing the vulnerability.
* CrowdStrike employees are ineligible for this program.
* The CrowdStrike Security Rewards program recognizes the contributions of security researchers who invest their time and effort in helping us make CrowdStrike more secure. Through this program we provide monetary rewards and public recognition for vulnerabilities disclosed to the CrowdStrike Security Team.
* The reward level is based on the vulnerability impact and increases for higher-quality reports that include reproduction code, test cases, and patches. Rewards are not additive and are subject to change as we see fit. CrowdStrike will determine the impact of a given security vulnerability based on existing and compensating controls. Prior bounty amounts awarded are not precedent for future payments. Our program's scope and policy are subject to change at any time, and individuals are encouraged to refer to this policy often.
* Our rewards are based on severity per CVSS (the Common Vulnerability Scoring System). Please note these are general guidelines, and that reward decisions are at the discretion of CrowdStrike.
| Critical (9.0 - 10.0) | High (7.0 - 8.9) | Medium (4.0 - 6.9) | Low (0.1 - 3.9) |
|---|---|---|---|
| $3,000 | $1,000 | $500 | $250 |
Scope of program
* The scope of our program focuses on exploiting specific externally facing infrastructure owned by CrowdStrike. This program covers security vulnerabilities discovered within the CrowdStrike public infrastructure including websites and DNS configurations.
* The only systems in scope with this program are listed in the asset section below.
* CrowdStrike reserves the right to select a report as a duplicate submission, and specifically which report is a duplicate. This is not based solely on time of submission but also completeness of the submission, attentiveness in steps to verify, and proposed mitigation. CrowdStrike reserves the right to close any submission as a duplicate if a better submission is received.
Out of Scope Vulnerabilities and Exclusions
* Social engineering attempts on CrowdStrike personnel or our customers, including e-mail phishing attacks and pretext phone calls.
* Physical attacks against CrowdStrike property and infrastructure, including but not limited to offices or data centers.
* Vulnerabilities in a vendor we integrate with.
* Use of automated tools that could generate significant traffic and possibly impair the functionality of products, including denial of service attacks.
* Vulnerabilities in obsolete or end of life versions of our products.
* Missing additional security controls, such as HSTS or CSP headers.
* Login/Logout CSRF.
* Breaking of SSL/TLS trust (unless you can provide a working PoC).
* Cookies missing security flags (for non-sensitive cookies).
* Brute-force / Rate-limiting / Velocity throttling.
* Vulnerabilities only affecting users of outdated or un-patched browsers and platforms.
* Presence of autocomplete attribute on web forms.
* ClickJacking / TabNabbing attacks.
* E-Mail spoofing.
* Web content in our robots.txt file.
* Banner Exposure / Version Disclosure.
* Additional missing security controls often considered “Best practice”, such as certificate pinning or mitigating information disclosures.
* CrowdStrike reserves the right to cancel or modify this program at any time. All engagements will be honored to the conditions in existence at the time of verification of the issue.
* In connection with your participation in this program you agree to comply with all applicable laws.
* Please refrain from accessing sensitive information in connection with the program. The vulnerability report and all vulnerabilities therein as well as any confidential data accessed pursuant to a vulnerability shall be CrowdStrike confidential information and you shall (i) protect that information using at least a reasonable degree of care, (ii) not use such information other than to provide such information to CrowdStrike in connection with the program, and (iii) not divulge to any third person any such information until disclosure is approved in writing by CrowdStrike.
* If you’re a minor, on a sanctions list, or live in a country that’s on a sanctions list, we cannot provide a reward.
* Citizenship and residency is likely to affect whether you owe taxes on any reward you receive, and you alone are responsible for paying any tax liability incurred through this program.
* Decision making is ultimately up to CrowdStrike's discretion.
Thank you for helping keep CrowdStrike and our users safe!
Hall of Fame