CrowdStrike encourages researchers to follow responsible disclosure procedures when reporting security issues in our products, services, websites, or infrastructure. CrowdStrike is committed to engaging with the research community in a positive, professional, mutually beneficial manner that protects our customers.

Program Rules & Eligibility

To qualify for a reward under this program, you must

• Be the first to discover a specific, currently-existing vulnerability.
• Provide verifiable proof the vulnerability exists and submit a vulnerability report to us. Send a screenshot and a clear text description of the report along with steps to reproduce the vulnerability. Include attachments such as proof of concept code as necessary.
• Treat the vulnerability report and any vulnerability as confidential information and not divulge to any third person (except disclosure to CrowdStrike through the HackerOne platform) any such information until disclosure is approved in writing by CrowdStrike.
• Disclosure to any third parties before such approval forfeits the reward.
• Demonstrate care in reproducing the vulnerability.
• CrowdStrike employees are ineligible for this program.

Rewards

• The CrowdStrike Security Rewards program recognizes the contributions of security researchers who invest their time and effort in helping us make CrowdStrike more secure. Through this program we provide monetary rewards and recognition for vulnerabilities disclosed to the CrowdStrike Security Team.

• The reward level is based on the vulnerability impact and increases for higher quality reports that include reproduction code, test cases, and patches. Rewards are not additive and are subject to change as we see fit. CrowdStrike will determine the impact for a given security vulnerability based on existing and compensating controls. Prior bounty amounts awarded are not precedent for future payments. Our program's scope and policy is subject to change at any time and individuals are encouraged to refer to this policy often.

• Our rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and that reward decisions are up to the discretion of CrowdStrike. While exceptional reports may qualify for higher bounties, there should be no expectation of a payout above the range baselines.

Scope of program

• The scope of our program focuses on exploiting specific externally facing infrastructure owned by CrowdStrike. This program covers security vulnerabilities discovered within the CrowdStrike public infrastructure including websites and DNS configurations.
• Opportunities to expand Falcon's detection capabilities (i.e. purported detection gaps) as well as enhance its resilience against administrator actions affecting sensor functionality are treated as valued improvement suggestions and not vulnerabilities. We encourage submitting such suggestions through our Support Portal for CrowdStrike customers or via HackerOne for independent researchers.
• Our goal is to provide a way to responsibly disclose security vulnerabilities in our assets, and so we welcome all security findings that are not explicitly listed as out of scope below. However, while we strive to reward any reports that result in a change on our end, reward eligibility for findings in targets that are not specifically in scope is established on a case by case basis.

Duplicate Reports

CrowdStrike reserves the right to select a report as a duplicate submission, and specifically which report is a duplicate. This is not based solely on time of submission but also completeness of the submission, attentiveness in steps to verify, and proposed mitigation. CrowdStrike reserves the right to close any submission as a duplicate if a better submission is received.

Vulnerability Chaining

• If multiple issues are reported and used in a vulnerability chain, one bounty may be issued based on the combined severity of the issues.
• If multiple vulnerability chains of similar class are reported reusing the same chained components, the reports may be considered duplicates.

Out of Scope Vulnerabilities and Exclusions

• Social engineering attempts on CrowdStrike personnel or our customers including e-mail phishing attacks and pre-text phone calls.
• Any other vulnerabilities that involve directly sending email to CrowdStrike email addresses.
• Physical attacks against CrowdStrike property and infrastructure, not limited to offices or Data Centers.
• Vulnerabilities in a vendor we integrate with.
• Use of automated tools that could generate significant traffic and possibly impair the functionality of products, including denial of service attacks.
• Vulnerabilities in obsolete or end of life versions of our products.
• Missing additional security controls, common HTTP headers (e.g. HSTS, CSP).
• Login/Logout CSRF.
• Breaking of SSL/TLS trust (unless you can provide working PoC).
• Cookie's missing security flags (for non-sensitive cookies).
• Brute-force / Rate-limiting / Velocity throttling.
• Vulnerabilities only affecting users of outdated or un-patched browsers and platforms.
• Presence of autocomplete attribute on web forms.
• ClickJacking / TabNabbing attacks
• E-Mail spoofing.
• Web content in our robots.txt file.
• Banner Exposure / Version Disclosure.
• Additional missing security controls often considered “Best practice”, such as certificate pinning or mitigating information disclosures.

Legal

• CrowdStrike reserves the right to cancel or modify this program at any time. All engagements will be honored to the conditions in existence at the time of verification of the issue.
• In connection with your participation in this program you agree to comply with all applicable laws.
• Please refrain from accessing sensitive information in connection with the program.
• Please avoid unauthorized access to another person's accounts or data, destruction of data, and interruption or degradation of our infrastructure and services. If you do encounter personally identifiable information, customer data or other sensitive information, contact us immediately, do not proceed with access, and do not retain any copies of such information.
• This submission and all information therein as well as any confidential data accessed pursuant to it shall be CrowdStrike confidential information and you shall (i) protect that information using at least a reasonable degree of care, (ii) not use such information other than to provide such information to CrowdStrike in connection with the program, and (iii) not divulge to any third person any such information until disclosure is approved in writing by CrowdStrike.
• If you’re a minor, on a sanctions list, or live in a country that’s on a sanctions list, we cannot provide a reward.
• Citizenship and residency is likely to affect whether you owe taxes on any reward you receive, and you alone are responsible for paying any tax liability incurred through this program.
• Decision making is ultimately up to CrowdStrike's discretion.

Thank you for helping keep CrowdStrike and our users safe!