MicroStrategy's private bug bounty program is limited to approved researchers and applies to versions 10.4x, 2019x, and 2020x of MicroStrategy software as well as MicroStrategy's assets, including its corporate website. Researchers are approved based on factors such as the researcher's reputation, expertise, and prior experience. Approval is at MicroStrategy's sole discretion. Approved researchers can be eligible for awards of up to $1,000 per unique vulnerability that is identified and reported responsibly to MicroStrategy.
The following guidelines apply to your participation in MicroStrategy's bug bounty program. By submitting a potential vulnerability report ("Submission"), you acknowledge that you have read and agreed to the terms of MicroStrategy's program ("Program Terms"). MicroStrategy may revise the Program Terms or terminate the bug bounty program at any time.
You are eligible to participate in MicroStrategy's bug bounty program only if you are approved by MicroStrategy, you are 18 years of age or older, you are participating in your individual capacity, and none of the following criteria exist:
MicroStrategy retains the sole discretion to determine eligibility. If we determine that your Submission is eligible and offer an award, we will notify you of the amount and provide you with paperwork that must be completed before we can provide the award payment.
Unless MicroStrategy provides you with written consent to share information, all information regarding a Submission must be kept confidential and may not be shared in any way outside of the MicroStrategy program, including discussions related to our program or any vulnerabilities (even if resolved).
For the avoidance of doubt, the following activities are expressly prohibited:
MicroStrategy reserves all rights and potential claims with respect to any such prohibited activities.
To make a Submission, report the vulnerability directly and exclusively to us by contacting us through the Security Vulnerability Reporting Portal with the following information:
When reporting vulnerabilities, please consider the attack scenario / exploitability and the security impact of the bug. The following issues are considered out of scope and will be ineligible for an award (this list is subject to change at any time):
We take every disclosure seriously and very much appreciate the efforts of security researchers, who regularly make valuable contributions to the security of companies like MicroStrategy and the broader Internet community. We will investigate every disclosure and strive to ensure that appropriate steps are taken to resolve reported vulnerabilities as quickly as possible.
MicroStrategy will use its best efforts to meet the following service level agreements (SLAs) for researchers participating in our program:
Researchers will be kept informed about our progress throughout the process.
Please note that these are general guidelines and that reward decisions are at MicroStrategy's sole discretion. Decisions on the amount of a reward will be guided by severity per CVSS V.3.0 (the Common Vulnerability Scoring Standard).
When multiple researchers report the same vulnerability, only the first Submission will be eligible for a reward (if it meets all other requirements). Multiple vulnerabilities caused by one underlying issue will be eligible for only one award. Vulnerabilities already known by MicroStrategy are not eligible for an award. MicroStrategy's decisions on eligibility and the amount of any award are final and binding.
Payments will be via PayPal.