This guest blog is authored by Matias Brutti, Director of Research and Exploitation at Okta, and originally appeared on the Okta Security Blog.
Protecting our customers, partners, and other stakeholders has always been the Okta Security Team’s top priority. We have invested heavily in our security infrastructure in support of this mission, building a top-of-class internal application, and instituting both offensive and defensive security teams.
But with every endeavor, it’s best to draw knowledge from a variety of sources. We launched our bug bounty programs almost five years ago, and have since benefited greatly from the wisdom and experience of the greater infosec community.
Community researchers play an integral role in ensuring we maintain the highest levels of security, and we want to make it as easy as possible to leverage the talent that this community has to offer.
Vulnerability Disclosure at Okta: Everything You Need to Know
To that end, I’m excited to announce we have a new Vulnerability Disclosure Policy (VDP), which draws on our lessons learned from past years.
We created this policy with the intent of standardizing our interactions with researchers and establishing clear expectations and guidelines with our community. It contains information on the scope, compensation details, legal considerations, and other details on what to expect when working with us to help improve our service.
The short version
You can review the full VDP document here, and our supplemental terms here. But below are a few high-level callouts to be aware of:
The basics
If you would like to publish your findings, the coordinated disclosure terms outlined in the document apply. Submit the report directly to us at disclosure@okta.com via PGP, or other secure communication (like keybase or Signal) which we can provide after a proper email introduction.
On the other hand, if you would like to be rewarded for your submission, submit via Bugcrowd instead of emailing us. The standard disclosure terms apply.
Program scope
In-scope and out-of-scope targets are described in our Bugcrowd program terms. The same scope applies whether you are submitting a finding under standard disclosure terms through Bugcrowd, or the coordinated disclosure terms outlined in our policy.
Reporting guidelines
When researching and reporting a vulnerability, we ask that you adhere to some standard best practices. These include respecting our current application, respecting the data and content of our users and customers, acting in good faith to avoid privacy violations and the interruption or degradation of our services, submitting reports as quickly as possible, and giving us due time to process and respond to your submission.
Clarity and formatting
We ask that you write clear and concise reports to enable us to make a determination. Make sure to include your methodology, step-by-step instructions, and only submit after you verify your bug. We have included a recommended reporting template within the VDP to help provide guidance as to what we are looking for.
Let’s get started
Now, let’s see what you’ve got! We appreciate all security submissions from the research community and will address them as quickly as possible. Thank you for helping us make Okta the best it can be.