Okta
- $100 – $75,000 per vulnerability
ENDED - Reward bonuses for RCE, MFA Bypass, & XSS!
The reward bonus event has ended
Hello Researchers!
We are pleased to announce that Okta is offering reward bonuses starting July 24th, 2023 and ending July 31st, 2023 at 11:59PM PST!
Below are the bonus details:
Category | Previous Reward | New Reward
---|---|---
Full RCE (obtain a shell back from our network) | Up to 75k with multiplier | Up to 100k*
Full MFA Bypass** | Up to 15k*** | Up to 20k***
Working XSS (bypassing XSS validation****) | Up to 2k | Up to 2k plus an additional $2,500
For example, if you submit a valid XSS that bypasses validation, we may pay $2,000 with a 2x multiplier and we will pay $2,500 on top of that for a total of $6,500.
( * ) No multiplier will be applied to this amount.
( ** ) Refer to the Full MFA Bypass section. Reports that require compromised credentials, brute-forcing, or locking out the account will be rated at reduced severity and impact. The Okta org sign-on policy must require MFA, and the End-user and Admin dashboards must require MFA. No social engineering or phishing. No theoretical attacks.
( *** ) The multiplier will be applied to this amount.
( **** ) Fields that display the error message "The field must not contain HTML tags" use the XSS validation.
Eligible reports will be awarded based on severity, to be determined by Okta in its sole discretion. Okta will decide the final severity of the submission.
Happy Hacking and we'll be looking forward to your submissions! Cheers!
edit: July 25th, 2023 @ 4:50PM - removed wording regarding CSP bypass and added a clarification of the XSS validation
edit: August 1st, 9:02AM - bonus event ended