Bug Bounty Program
Bug bounty programs provide recognition and compensation to security researchers who responsibly disclose potential security bugs in an application or system. Operationally, the results are very similar to those of a vendor-performed penetration test, but the number of researchers looking for bugs over a given period is typically much higher. OneLogin has run a Security Hall of Fame that has recognized security researchers for years; the private bug bounty program is the next step, allowing us to compensate researchers for their efforts as well.
What’s the primary purpose of this initiative?
Like our scheduled penetration tests, the bug bounty program helps OneLogin identify potential security vulnerabilities in our application, including the classes of issues listed in the OWASP Top 10 and the SANS Top 25.
What’s the scope?
The core application is the focus of the program. Additional services, including the mobile apps and browser extensions, will be added to the scope on a rotating basis.
How often are you evaluated/audited?
Who performs the evaluation/audit?
Who is the primary audience?
OneLogin - internal use only
Where can I get a copy of the report/certificate?
Results of penetration tests are not shared with anyone outside of OneLogin.