Bug Bounty Program

Bug bounty programs provide recognition and compensation to security researchers who responsibly disclose potential security bugs in an application or system. Operationally, the end results are very similar to those of a vendor-performed penetration test, but the number of researchers searching for bugs over a given time period is typically much higher. OneLogin has run a Security Hall of Fame that has recognized security researchers for years; as the next step, we now have a private bug bounty program so that we can also compensate researchers for their efforts.

What’s the primary purpose of this initiative?

Similar to our scheduled penetration tests, the bug bounty program helps OneLogin identify potential security vulnerabilities in our app, including those in the OWASP Top 10 and the SANS Top 25.

What’s the scope?

The core app is the focal point of the program; additional services, including mobile apps and browser extensions, will be added to the scope on a rotational basis.

How often are you evaluated/audited?

Ongoing program.

Who performs the evaluation/audit?

Bugcrowd

Who is the primary audience?

OneLogin - internal use only

Where can I get a copy of the report/certificate?

Results of penetration tests are not shared with anyone outside of OneLogin.

Are you a Security Researcher?

We are always looking for talented individuals with security experience.

See Career Opportunities