Armis is committed to safeguarding customer information and maintaining a highly available solution in support of our customers. This includes welcoming security researchers to confirm our protection measures and to privately and responsibly report where we may have noteworthy exposures. If a researcher’s submission is new and noteworthy, we may even offer a reward.
If you believe that you have identified a high to critical risk vulnerability associated with our SaaS offering, please read through the following content and, if all criteria are met, proceed with submitting the vulnerability to Armis for review.
Each of the following rules must be followed without exception when participating in our bug bounty program:
The Armis Bug Bounty Program applies specifically to our SaaS offering. We are interested in high/critical risk vulnerabilities that could allow attackers to materially disrupt our service, compromise IAM controls, or compromise customer or proprietary data (e.g. source code).
Note that submissions for vulnerabilities that do not directly apply to our SaaS offering will not be considered for further action or payout. Additionally, submissions that are deemed to pose an insignificant or non-security-related risk as determined at Armis’ sole discretion will not be eligible for a reward.
Only the first researcher to submit a noteworthy vulnerability to Armis will be considered for a potential reward. No subsequent submissions for the same vulnerability will be considered.
Armis SaaS Offering
As noted, only submissions that directly relate to specific high/critical risk vulnerabilities will be considered for a potential reward. The following non-exhaustive list gives examples of submissions that are out of scope for a potential reward.
Any submissions into our bug bounty program should be sent to [email protected]. No other channels should be used to discuss or communicate Armis vulnerabilities.
Your submission should be accompanied by a detailed description of the finding and clear step-by-step actions that were and can be taken to validate the finding. Please include in your submission information about your system’s configuration (browser, OS, and product version) and the IP address associated with your activities, so that we can match them against our logs. If a working PoC has also been established to validate and prove the finding, please share this as well.
The Armis Security Team strives to confirm receipt within 2 business days of a vulnerability submission.
Low-quality reports, such as those that include inadequate information to investigate, may incur significant delays in the disclosure process.
Please submit only one finding per submission.
After triage, we will send a quick acknowledgment and will try to be as transparent as possible about the remediation timeline and about any issues or challenges that may extend it. You may receive updates on significant events such as the validation of the vulnerability, requests for additional information, or your qualification for a reward.
Researchers participating in our program must ensure that Armis has the opportunity to diagnose and offer fully tested updates, workarounds, or other corrective measures before any party discloses vulnerability or exploit information to the public. Any disclosure to the public without prior Armis agreement and without our having had the ability to analyze and resolve the vulnerability will result in the forfeiture of any potential reward and a permanent ban from our program.
Armis follows a 90-day disclosure policy, which means that we strive to remediate issues within 90 days of submission receipt.
Armis strives to meet the following response targets for each submission:
We’ll try to keep you informed about our progress throughout the process.
The decision to grant a reward for the discovery of a valid security issue is at our sole discretion. The amount of each bounty is based on the classification and sensitivity of the data impacted, the completeness of your submission, ease of exploit, and overall risk to Armis users and our brand.
Bounties will be paid directly to the researcher using PayPal.
You will be solely responsible for any tax implications related to bounty payments you receive, as determined by the laws of your jurisdiction of residence or citizenship.
To be eligible for a reward, you must not:
Any activities conducted in a manner consistent with this policy, as determined by Armis in its sole discretion, will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
This is an experimental and discretionary rewards program. We may modify the terms of this program or terminate this program at any time without notice.