Bug Bounty Program
Bug bounty programs provide another vehicle for organizations to discover vulnerabilities in their systems by tapping into a large network of global security researchers who are incentivized, through a reward system, to responsibly disclose security bugs. Operationally, the end results are very similar to those of a vendor-performed penetration test, but the number of researchers searching for bugs is much higher, and the effort is not timeboxed as a typical penetration test exercise is. Researchers can apply to join our program via Bugcrowd or submit discovered bugs via our responsible disclosure form.
What’s the primary purpose of this initiative?
Similar to our scheduled penetration tests, the bug bounty program helps OneLogin identify potential security vulnerabilities in our app, including those in the OWASP Top 10 and the SANS Top 25.
What’s the scope?
All OneLogin properties, including the core SaaS service, browser extensions, and www sites.
How often are you evaluated/audited?
Who performs the evaluation/audit?
Who is the primary audience?
OneLogin - internal use only
Where can I get a copy of the report/certificate?
Results of bug bounty programs are not shared with anyone outside of OneLogin.