MicroStrategy Bug Bounty Program

About the Program

MicroStrategy's private bug bounty program, is limited to approved researchers and applies to versions 10.4x, 2019x, and 2020x of MicroStrategy software as well as MicroStrategy's assets including its corporate website. Researchers are approved based on factors such as the researcher's reputation, expertise, and prior experience. Approval is done at MicroStrategy's sole discretion. Approved researchers can be eligible for awards of up to $1,000 per unique vulnerability that is identified and reported responsibly to MicroStrategy.

The following guidelines apply to your participation in MicroStrategy's bug bounty program. By submitting a potential vulnerability report ("Submission"), you acknowledge that you have read and agreed to the terms of MicroStrategy's program ("Program Terms"). MicroStrategy may revise the Program Terms or terminate the bug bounty program at any time.

Eligibility

You are eligible to participate in MicroStrategy's bug bounty program only if you are approved by MicroStrategy, you are 18 years of age or older, you are participating in your individual capacity, and none of the following criteria exist:

You are on a United States sanction list or reside in a country under United States sanctions or that prohibits participation in a program like this
Your employment, contractual, or similar obligations prohibit your participation
You or an immediate family member is a MicroStrategy employee (or was in the six months before your Submission)
You failed to comply with the Program Terms
Making payment of a bounty to you is prohibited by a law, regulation, ethics rule, contract, or similar basis

MicroStrategy retains the sole discretion to determine eligibility. If we determine that your Submission is eligible and offer an award, we will notify you of the amount and provide you with paperwork that must be completed before we can provide the award payment.

General Guidelines

Respect the rules. Operate within the rules set forth by MicroStrategy.
Respect privacy. Make a good faith effort not to access or destroy another user's data.
Be patient. Make a good faith effort to clarify and support their reports upon request.
Do no harm. Act for the common good through the prompt reporting of all found vulnerabilities. Never willfully exploit others without their permission.

Confidentiality

Unless MicroStrategy provides you with written consent to share information, all information regarding a Submission must be kept confidential and may not be shared in any way outside of the MicroStrategy program, including discussions related to our program or any vulnerabilities (even if resolved).

Disclaimers/Prohibited Activities

For the avoidance of doubt, the following activities are expressly prohibited:

Downloading, copying, disclosing, destroying, altering, transferring, or using any proprietary or confidential MicroStrategy data or data belonging to MicroStrategy's business partners, customers, employees, franchisees, owners, shareholders, vendors, or any other party (other than your own) directly or indirectly affiliated with MicroStrategy (collectively, MicroStrategy Data)
Hacking, penetrating, or otherwise attempting to gain unauthorized access to MicroStrategy applications, systems, or MicroStrategy Data in violation of the Program Terms or applicable laws

MicroStrategy will not accept reports where the proof of concept is demonstrated on a third-party website.
Engaging in any social engineering (e.g. phishing, vishing, smishing) or denial of service testing
Mass creation of accounts to perform testing against MicroStrategy applications and services

Conducting physical attacks against any MicroStrategy assets (e.g., MicroStrategy facilities and any equipment within MicroStrategy facilities)
Disrupting or otherwise adversely affecting MicroStrategy's business, the operation of any MicroStrategy applications or systems, or the use and protection of MicroStrategy Data

MicroStrategy reserves all rights and potential claims with respect to any such prohibited activities.

How to Make a Submission

To make a Submission, report the vulnerability directly and exclusively to us by contacting us through the Security Vulnerability Reporting Portal with the following information:

Summary: A detailed summary of the vulnerability, including: type of issue; location; product; version (if known); and configuration of any software, as appropriate
Instructions: Step-by-step instructions necessary to reproduce the issue or vulnerability including screenshots if applicable
Severity: Estimated severity and/or impact of the issue, if any
Attachments: Any relevant attachments

Submit Your Bug

Researcher Do's and Dont's

Do

Research and make reports in good faith while working collaboratively with MicroStrategy
Respect our customers' and employees' privacy
Only interact with accounts you own or have express permission to use
Only include one vulnerability per report, unless vulnerabilities must be chained to show the impact
Include detailed reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward
Verify all reports before submission
Contact us if you are uncertain whether to continue testing the potential vulnerability or have any other questions
Report potential vulnerabilities directly and exclusively to us

Do Not

Leave any system in a more vulnerable state than you found it
Perform any actions that require contact with MicroStrategy employees or customers (other than the MicroStrategy technical teams administering the bug bounty program)
Harm or exploit any vulnerability beyond the minimal amount of testing required to prove that a vulnerability exists or to identify an indicator related to a vulnerability
Intentionally access any MicroStrategy Data except to the extent necessary to prove that a vulnerability exists or to identify an indicator related to a vulnerability
Compromise the privacy or safety of any MicroStrategy employees, customers, or other third parties
Compromise the intellectual property or other commercial or financial interests of any MicroStrategy companies, employees, customers, or other third parties

Out of Scope Vunerabilities

When reporting vulnerabilities, please consider the attack scenario / exploitability and the security impact of the bug. The following issues are considered out of scope and will be ineligible for an award (this list is subject to change at any time):

Html injection and Self-XSS
Open redirects
Missing cookie flags
SSL/TLS best practices
Information disclosures
Mixed content warnings
Denial of Service attacks and Distributed Denial of Service attacks
Host header and banner grabbing issues
Clickjacking with no sensitive actions
UI redressing
Missing CSFR token
Any non-MicroStrategy applications or assets, unless it's a MicroStrategy modified or branded version
Missing security-related HTTP headers which do not lead directly to a vulnerability
Internal pivoting, scanning, exploiting, or exfiltrating data from internal MicroStrategy systems

Attacks requiring MITM or physical access to a user's device
Comma Separated Values (CSV) injection without demonstrating a vulnerability
Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
Account/e-mail enumeration
Reflected file download attacks
Incomplete or missing SPF/DKIM
Physical or social engineering attacks
Results of automated tools or scanners
Recently disclosed 0-day vulnerabilities
Login/logout/unauthenticated/low-impact CSRF
Presence of autocomplete attribute on web forms
CVE's affecting outdated browsers or platforms

Using unreported vulnerabilities to find other bugs
Self-exploitation (i.e. password reset links or cookie reuse)
Issues related to networking protocols or industry standards
XSS in Flash files not developed by MicroStrategy, e.g. third-party ads
Use of a known-vulnerable library (without proof of exploitability)
Descriptive/verbose/unique error pages (without proof of exploitability)
Any MicroStrategy developed software and third-party software that is End of Life or no longer supported
Clickjacking or UI Redressing attack
brute force attacks
XSS in HTML containers

What You Can Expect From Us

We take every disclosure seriously and very much appreciate the efforts of security researchers, who regularly make valuable contributions to the security of companies like MicroStrategy and the broader Internet community. We will investigate every disclosure and strive to ensure that appropriate steps are taken to resolve reported vulnerabilities as quickly as possible.

MicroStrategy will use its best efforts to meet the following service level agreements (SLAs) for researchers participating in our program:

Time to first response (from report submit date) = 5 business days
Time to triage (from report submit date) = 15 business days
Time to bounty (from triage date) = 30 business days

Researchers will be kept informed about our progress throughout the process.

Rewards

Please note these are general guidelines, and that reward decisions are in MicroStrategy's sole discretion. Decisions on the amount of a reward will be guided by severity per CVSS V.3.0 (the Common Vulnerability Scoring Standard).

Critical (9.0 - 10.0) = $500 - $1,000
High (7.0 - 8.9) = $300 - $500
Medium (4.0 - 6.9) = $100 - $300
Low (0.1 - 3.9) = $20 - $100

Duplicate Reports

When multiple researchers report the same vulnerability, only the first Submission will be eligible for a reward (if it meets all other requirements). Multiple vulnerabilities caused by one underlying issue will be eligible for only one award. Vulnerabilities already known by MicroStrategy are not eligible for an award. MicroStrategy's decision on eligibility and the amount of any award are final and binding.

Payments

Payments will be via PayPal.

Thank you for Helping to Protect MicroStrategy’s Systems and Customers