Ivanti Bug Bounty Program

Welcome to Ivanti's Bug Bounty Program! We appreciate your interest in helping us keep our customers and business safe.

This page represents Ivanti Bug Bounty Program Policy or further referred to as just Policy. Its purpose is to provide clear guidelines to security researchers on how to responsibly report vulnerabilities found in our products. Ivanti Bug Bounty Program Policy is accompanied by each individual product's Scope Policy.

We recognize the effort needed to find and disclose security issues so we have prepared a reward system for all submissions that will be reported according to guidelines in this program.

We look forward to working with the security community to find vulnerabilities in our products.

Program Rules

Your participation in the Ivanti Bug Bounty Program is voluntary and subject to the terms and conditions set forth in this Policy. By submitting a product vulnerability to Ivanti, you acknowledge that you have read and agreed to rules explained in this Policy.

Eligibility to Participate

To participate in Ivanti Bug Bounty Program, you must not:

• be a resident of, or make your submission from, a country against which the United States has issued export sanctions or other trade restrictions;
• be in violation of any national, state, or local law or regulation;
• be employed by Ivanti, its subsidiaries or affiliates, or be a vendor or contractor working on behalf of Ivanti;
• be an immediate family member of a person employed by Ivanti, its subsidiaries or affiliates;
• be less than 18 years of age.

Ivanti Bug Bounty Program is currently run as a private bug bounty program. This means that only invited security researchers will be able to participate in the program and submit reports to us.

If you want to report a vulnerability in an Ivanti product, but you do not have access to Ivanti Bug Bounty Program, please send an email with vulnerability details to [email protected]. We will review the submitted information and, if applicable, directly invite you to the program where you will be able to create a full submission report and get appropriate bounty through HackerOne platform. Do not send direct requests to be included in the program to this email as those will be ignored.

Program Scope

The Ivanti Bug Bounty Program on HackerOne is focused solely on security issues in Ivanti products and solutions, including products and solutions of any company acquired by Ivanti (such as Pulse Secure and MobileIron) all together named under the same umbrella term of Ivanti products.

A product can be onboarded on HackerOne platform or not. When a product is onboarded on the HackerOne platform that means a dedicated environment is created where security researchers can search for vulnerabilities. Only security researchers invited to the program have access to these environments.

The following products are currently onboarded on HackerOne platform:

• Ivanti Neurons for MDM
• MobileIron Core: on-premises version
• MobileIron Sentry: on-premises version
• PulseSecure: Zero-Trust Access (ZTA)
• PulseSecure: Pulse Connect Secure (PCS)

In addition to this general Ivanti Bug Bounty Program policy, each onboarded product has an individual Scope Policy. Individual product Scope Policies are available only to security researchers invited to the program. Make sure to read and completely understand the detailed Scope Policies for each individual product before attempting to find vulnerabilities in them.

We are actively working on onboarding more products into this program so stay tuned for new bounty opportunities!

In addition to the above list of actively supported products, this program will help you to responsibly disclose discovered vulnerabilities in any Ivanti product.

If you are reporting a vulnerability on a product not onboarded on HackerOne platform, then:

• decision if a vulnerability type is in scope or out of scope for a given product will be done on a case-by-case basis solely on Ivanti's discretion, you can use this Policy and individual Scope Policies of onboarded products as guidelines for what not to report;
• only in case of a confirmed vulnerability reported in line with our reporting guidelines will we consider giving out rewards, however, final decision on if and what kind of reward will be given will be solely on Ivanti's discretion and decided on a case-by-case basis.

To report a vulnerability in an Ivanti product please reach out to us on [email protected].

All non-product issues, such as issues regarding Ivanti infrastructure, should be reported following guidelines in Ivanti's Responsible Disclosure Policy.

Rules of Engagement

While searching for vulnerabilities in our products you must follow rules of engagement explained in this section. Failure to do so may result in being excluded from our bug bounty program.

Abide by the program rules.

Researchers may not publicly or privately disclose any details whatsoever about reported vulnerabilities with a third party other than authorized Ivanti or HackerOne employees, without Ivanti express written permission. For more information refer to the "Disclosure Policy" section.

Do not attempt to pivot in any way, elevate privileges or explore a system beyond the minimum necessary to prove vulnerabilities existence and impact. Do not use a vulnerability to compromise and exfiltrate data. Use a proof of concept only to demonstrate an issue.

Only interact with accounts and instances that you are authorized to use. Respect privacy of other users by making a good faith effort to avoid privacy violations.

Researchers are not authorized to engage in any activity that would be disruptive, damaging, or harmful to Ivanti, its brands or its users. This includes, but is not limited, to social engineering (phishing, vishing, smishing, etc.), physical and denial of service attacks against users, employees, or Ivanti as a whole.

Do not interact with any physical location related to Ivanti included, but not limited, to offices, data centers or employees' locations.

Out of Scope Vulnerabilities

You can find in this section a list of general vulnerabilities that are considered out of scope for all products. Please refer to each product's individual Scope Policy for additional product-oriented description of the scope.

Out of scope vulnerabilities for all Ivanti products are:

1. any type of rate limiting, DoS or DDoS vulnerabilities;
2. any vulnerability that is only demonstrated as a lack of security best practice without actual security impact such as but not limited to:
   1. weakly configured SSL/TLS service;
   2. missing or weakly configured security headers such as, but not limited, to:
      1. Content Security Policy;
      2. Strict-Transport-Security;
      3. X-Frame-Options;
      4. X-Content-Type-Options;
      5. X-XSS-Protection;
      6. Referrer-Policy;
   3. missing HTTP cookie flags such as HttpOnly, Secure and SameSite;
   4. supporting HTTP methods such as TRACE;
   5. host header injection;
   6. weak password policy;
   7. missing or weakly configured email authentication methods and protocols such as SPF, DKIM and DMARC;
   8. missing certificate pinning;
   9. missing autocomplete directive on HTML forms;
3. information disclosure such as, but not limited, to:
   1. software name and version disclosure;
   2. descriptive error messages;
   3. stack traces;
   4. known public files or directories;
4. user enumeration;
5. CSRF on unauthenticated actions or actions with minimal impact such as login and logout functionalities etc.;
6. vulnerabilities that require hard prerequisites such as, but not limited, to:
   1. Man-in-the-Middle access;
   2. physical access;
   3. rooted devices;
   4. outdated operating systems;
7. vulnerabilities that require unlikely user interaction such as, but not limited, to:
   1. Self-XSS;
   2. clickjacking;
   3. tabnabbing;
   4. disabling security controls;
   5. content spoofing and text injections;
8. CSV and Excel injections without demonstrating security impact;
9. open redirect unless additional security impact can be demonstrated, such as loss of sensitive data;
10. unrestricted file uploads with only resource consumption impact;
11. vulnerabilities on third-party software such as frameworks, plugins, or libraries unless security impact can be demonstrated;
12. vulnerabilities that have had an official patch for more than 2 months will be awarded on a case-by-case basis;
13. vulnerabilities only affecting users of outdated and unpatched client software, such as browsers (more than two stable versions behind the latest released stable version), spreadsheet viewers, deprecated technologies (such as Flash) etc. will be awarded on a case-by-case basis;
14. if a product is hosted in cloud environment (AWS, Azure, GCP etc.), then any vulnerability found in cloud environment infrastructure is out of scope;
15. unless specifically stated in the product Scope Policy, any vulnerability found in client and desktop applications are by default considered out of scope;
16. any vulnerability related to environment where a product is hosted:
    1. vulnerabilities on hosts such as, but not limited, to:
       1. out of date software;
       2. restricted shell escapes;
       3. open ports;
       4. unnecessary exposed services;
    2. vulnerabilities on network devices;

Vulnerabilities not listed out of scope in this Policy or in product specific Scope Policy can be considered as in scope.

If a vulnerability that is out of scope can be chained with an in-scope vulnerability, please mention this in the submission report as it may help you demonstrate higher impact and earn you a better reward.

Reporting Guidelines

For all submissions, please include:

1. detailed technical description of the vulnerability being reported;
2. reproducing focused step-by-step explanation of vulnerability's discovery and exploitation where applicable, and each step must contain appropriate evidence, such as:
   1. screenshots and/or videos;
   2. exploit code such as CLI commands, snippets of code or full working PoC exploit scripts;
   3. network traffic such as logs, HTTP requests and responses, packet dumps etc.;
   4. activity identification information such as:
      1. test account information, such as email and usernames / user IDs;
      2. IP information, such as source IP addresses from where attacks were sent or destination IP addresses for any achieved callbacks;
      3. timestamps including time zones;
      4. filenames and their hashes;
      5. any other custom identification, such as custom HTTP header names and values;
3. clear demonstration of security boundary breach such as:
   1. any and all data that was accessed;
   2. capabilities achieved;
4. your evaluation of vulnerability's ease of exploitation and impact;
5. recommendation on how to fix the vulnerability, which includes generic advise for a vulnerability as well as specific advice for the reported instances of vulnerability and associated technologies that Ivanti uses;

A direct scanner output or scanner generated reports, as well as outputs of exploitation tools, without following the above reporting guidelines will not be accepted as valid submissions. If your tool detects a vulnerability, please confirm it manually and provide evidence using those manual steps. Scanner and tool output can then be added to report as accompanying evidence, but they will not be accepted as standalone evidence.

Please report only one vulnerability per submission unless there is a need to chain vulnerabilities to demonstrate security impact.

Quality of your submission will directly impact the speed of the triage as well as correctness of reward decision. Failure to follow the reporting guidelines could result in Ivanti not recognizing the existence of vulnerability or its impact and you missing on your bounty.

Response Targets

As it takes an effort to find a vulnerability, it also takes an effort to triage and remediate the vulnerability. We will make our best effort to meet the following response times:

Depending on the severity of the vulnerability, response times could be shorter.

Throughout the triage and remediation, we will keep in contact with you providing status feedback.

Bug Bounties

Through the Ivanti Bug Bounty Program, you can earn bounties as a reward for your effort spent on making our products and customers more secure. The default bounty is a monetary reward, but it may also be in the form of swag or reputation points.

Monetary Rewards

You must be a member of HackerOne platform for monetary rewards. Our rewards are based on severity per Common Vulnerability Scoring System (CVSS) v3.1. You are encourage to provide your estimation of CVSS score in the initial report, however, final CVSS score which will determine the monetary reward will be up to Ivanti's sole discretion.

Please note these are general guidelines. Final reward decisions are also up to the Ivanti's sole discretion and may be higher or lower than the above amounts depending on the specific product and demonstrated impact.

You are responsible for any tax implications of a reward from the Ivanti Bug Bounty Program depending on your country of residency and citizenship.

Eligibility for Rewards

We are grateful to everyone who submits reports to help us improve the security of Ivanti products. However, a monetary reward will be received only by those security researchers that meet the following eligibility requirements:

1. the security researcher followed all program rules during his participation;
2. the submission report is written according to report guidelines;
3. the vulnerability must be associated with an onboarded product;
4. the vulnerability is determined to be a valid security issue by Ivanti's security team;
5. the vulnerability is present on the product's latest release;
6. the security researcher is the first reporter of the vulnerability; and,
7. the security researcher is not receiving compensation for the vulnerability discovery through employment for another company or organization;

If any of the above criteria is not satisfied, you may not receive any rewards for your submissions.

After the vulnerability triage, we may decide to postpone a fix by adding the issue to our developer's backlog. In this case, we may give out immediately the bounty for the report and close the submission in HackerOne. Subsequent duplicate reports will be linked to the original closed HackerOne submission. Once the vulnerability is fixed, we will follow up on the original report with a notification on the resolution.

If upon review of a report we do not find the reported vulnerability to have high enough impact or it has a low enough probability of exploitation, we may choose not to fix the vulnerability. In this case, the report will not be eligible for a bounty and will be closed.

Bounties will be awarded only for vulnerabilities present in the latest release of the product as of time of the report submission. We will make our best effort to update all products that are hosted by Ivanti for HackerOne security researchers to interact with the latest version. When you search for vulnerabilities, please check if the version of the product is on the latest release. If it is not, please notify us and we will make sure to update it as soon as possible.

Duplicate Submissions

It may happen that another security researcher submitted a vulnerability report before you. If this occurs, we do not reward duplicate submissions. Similarly, multiple vulnerabilities that are caused by one underlying issue will also be awarded only one bounty. In both cases, only the first submission report that was written in accordance with report guidelines will earn the bounty.

We thank you for your effort and hope that you will continue searching for vulnerabilities in our products and wish you better luck next time!

Disclosure Policy

No details from this program should be disclosed publicly or privately without express written consent from Ivanti. This includes, but is not necessarily limited, to:

• any details from individual product Scope Policies;
• contents of any submission and details about security issues and vulnerabilities regardless of their status (open, resolved, duplicate etc.);
• your communication with Ivanti related to the program, such as discussions about the scope, individual submissions, rewards etc.;
• knowledge and information about the products gained through participation in the program.

In addition to guidelines stated in this program, HackerOne's disclosure guidelines should be followed.

Security Advisories and CVEs

The purpose of Security Advisories and CVEs is to communicate to our customers any product vulnerabilities, the severity, and mitigation steps. Decision to publish a Security Advisory or to request a CVE will be done solely on Ivanti's discretion on a case-by-case basis. This decision will be done not only based on the reported vulnerability's severity, but also on customer specific information available only internally to Ivanti.

Changes to Program

The Ivanti Bug Bounty Program policy, including individual product Scope Policies, are subject to change or cancellation by Ivanti at any time, without notice. As such, Ivanti may amend its policies at any time by posting a revised version. By continuing to participate in the Ivanti Bug Bounty Program after any such changes, you accept the policies, as modified.

Disqualification

Ivanti reserves the right to disqualify you from participating in the Ivanti Bug Bounty Program if you violate any rule specified in this program Policy.

Safe Harbor

Security researchers who make a good faith effort to comply with this posted disclosure policy will be considered authorized Ivanti testers. Ivanti will make an equally good faith effort to work with security researchers who report issues under this program. If legal action is initiated by a third-party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Ivanti reserves the right to seek legal action against individuals who do not work within this policy and break ToS, EULAs, or local laws and regulations. Ivanti does not recognize other responsible disclosure policies, timelines, programs, or frameworks that are not covered by this policy. Individuals who report potential issues under multiple programs without first receiving clearance from Ivanti will not be considered to be operating under this policy.