Armis Bug Bounty Program
Armis is highly committed to safeguarding customer information and maintaining a highly available solution in support of our customers. This includes welcoming security researchers to confirm our protection measures, and to privately and responsibly report where we may have noteworthy exposures. If a researcher’s submission is new and noteworthy, we may even offer a reward.
If you believe that you have identified a high to critical risk vulnerability associated with our SaaS offering, please read through the following content and if all criteria are met, proceed with submitting the vulnerability to Armis for review.
Each of the following rules must be followed without exception when participating in our bug bounty program:
- You will not run automated scanning tools.
- You will make no attempt to gain access to any accounts.
- You will make no attempt to gain access to non-public data.
- You will not violate other’s privacy.
- You will not destroy any data.
- You will not conduct DoS or DDoS attacks.
- You will not apply social engineering techniques (phishing, pretexting, etc.).
- You will not take actions that could negatively impact or disrupt our SaaS offering or operations in any capacity.
- You will not publicly disclose the finding until Armis has confirmed and fixed the vulnerability.
The Armis Bug Bounty Program specifically applies to our SaaS offering. We are specifically interested in high/critical risk vulnerabilities that could allow attackers to materially disrupt our service or compromise IAM controls or customer or proprietary data (e.g. source code).
Note that submissions for vulnerabilities that do not directly apply to our SaaS offering will not be considered for further action or payout. Additionally, submissions that are deemed to pose an insignificant or non-security-related risk as determined at Armis’ sole discretion will not be eligible for a reward.
Only the first researcher to submit a noteworthy vulnerability to Armis will be considered for a potential reward. No subsequent submissions for the same vulnerability will be considered.
Armis SaaS Offering
As noted, only submissions that directly relate to specific high/critical risk vulnerabilities will be considered for a potential reward. The following is a non-exhaustive list of examples of submissions considered to be out-of-scope in terms of being considered for a potential reward.
- Missing HTTP security headers
- Mail configuration issues including SPF, DKIM, DMARC settings
- Email spoofing
- Missing security headers that do not directly contribute to a high-risk vulnerability
- Outdated software that does not directly contribute to a notable vulnerability
- HTTP 404 codes/pages or other HTTP non-200 codes/pages
- Fingerprinting/banner disclosure on common/public services
- Disclosure of known public files or directories, (e.g. robots.txt)
- Clickjacking and issues only exploitable through clickjacking
- Missing best practices (we require evidence of a security vulnerability)
- Any vulnerability discovered by a scanner without additional proof of validation
- Reports from automated tools or scans.
- Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)
- Absence of rate-limiting
- Editable Github wikis
- Outdated software without any noteworthy vulnerability
- Content spoofing or HTML injection, unless accompanied by a proof of concept that demonstrates a security risk beyond injecting plain text
- Vulnerabilities only affecting older browsers
- Existence of access-controlled administrative pages
- Reports regarding password policies
- Vulnerabilities unrelated to our cloud offering (e.g. public website)
- Attacks requiring a “man in the middle” or physical access to a user’s device
- CSRF issues that do not lead to account theft
- DNS takeover susceptibility
- Ability for users to perform content scraping (video downloading/harvesting)
- High account lockout thresholds
- Attacks that only work against yourself (e.g. host header injection)
- Issues related to software or protocols not under Armis’ control
- API key / secret disclosure that is intentional / by design, and does not enable a vulnerability
- Comma Separated Values (CSV) injection without demonstrating a vulnerability
- Missing HttpOnly or Secure flags on cookies
- Open redirect – unless an additional security impact can be demonstrated
- Issues that require unlikely user interaction
Any submissions into our bug bounty program should be sent to [email protected]. No other channels should be used to discuss or communicate Armis vulnerabilities.
Your submission should be accompanied by a detailed description of the finding and clear step-by-step actions that were and can be taken to validate the finding. Please provide information about your system’s configuration, including your browser, OS, and product version, and your IP address associated with your activities in your submission, to match with our logs. If a working POC has also been established to validate and prove the finding, please share this as well.
The Armis Security Team strives to confirm receipt within 2 business days of a vulnerability submission.
Low-quality reports, such as those that include inadequate information to investigate, may incur significant delays in the disclosure process.
Please submit only one finding per submission.
Remediation & Disclosure
After triage, we will send a quick acknowledgment and will try to be as transparent as possible about the remediation timeline as well as on issues or challenges that may extend it. You may receive updates with significant events such as the validation of the vulnerability, requests for additional information, or your qualification for a reward.
Researchers participating in our program must ensure that Armis has the opportunity to diagnose and offer fully tested updates, workarounds, or other corrective measures before any party discloses vulnerability or exploits information to the public. Any disclosure to the public without prior Armis agreement and our ability to analyze and resolve the vulnerability will result in the forfeit of any potential reward and a permanent ban from our program.
Armis follows a 90-day disclosure policy, which means that we strive to remediate issues within 90 days of submission receipt.
Armis strives to meet the following response targets for each submission:
- Time to first response (from submission date): 2 business days
- Time to triage (from first response): 3 business days
- Time to reward (from triage): 10 business days
We’ll try to keep you informed about our progress throughout the process.
The decision to grant a reward for the discovery of a valid security issue is at our sole discretion. The amount of each bounty is based on the classification and sensitivity of the data impacted, the completeness of your submission, ease of exploit, and overall risk to Armis users and our brand.
Bounties will be paid directly to the researcher using Paypal.
You will be solely responsible for any tax implications related to bounty payments you receive, as determined by the laws of your jurisdiction of residence or citizenship.
To be eligible for a reward, you must not:
- Participate from a country against which the United States has issued export sanctions or other trade restrictions, including Cuba, Iran, North Korea, Sudan, and Syria,
- Be in violation of any national, state, or local law or regulation,
- Be employed by Armis or its subsidiaries or affiliates,
- Be an immediate family member of a person employed by Armis or its subsidiaries or affiliates,
- Be under 18 years of age.
Any activities conducted in a manner consistent with this policy, as determined by Armis in its sole discretion, will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
This is an experimental and discretionary rewards program. We may modify the terms of this program or terminate this program at any time without notice.