MicroStrategy Bug Bounty Program
A private bug bounty program for the public security researcher community to help us ensure the security and privacy of our customers and data.
About the Program
MicroStrategy's private bug bounty program is limited to approved researchers and applies to versions 10.4x, 2019x, and 2020x of MicroStrategy software as well as MicroStrategy's assets, including its corporate website. Researchers are approved based on factors such as the researcher's reputation, expertise, and prior experience. Approval is done at MicroStrategy's sole discretion. Approved researchers can be eligible for awards of up to $1,000 per unique vulnerability that is identified and reported responsibly to MicroStrategy.
The following guidelines apply to your participation in MicroStrategy's bug bounty program. By submitting a potential vulnerability report ("Submission"), you acknowledge that you have read and agreed to the terms of MicroStrategy's program ("Program Terms"). MicroStrategy may revise the Program Terms or terminate the bug bounty program at any time.
You are eligible to participate in MicroStrategy's bug bounty program only if you are approved by MicroStrategy, you are 18 years of age or older, you are participating in your individual capacity, and none of the following apply to you:
- You are on a United States sanction list or reside in a country under United States sanctions or that prohibits participation in a program like this
- Your employment, contractual, or similar obligations prohibit your participation
- You or an immediate family member is a MicroStrategy employee (or was in the six months before your Submission)
- You failed to comply with the Program Terms
- Making payment of a bounty to you is prohibited by a law, regulation, ethics rule, contract, or similar basis
MicroStrategy retains the sole discretion to determine eligibility. If we determine that your Submission is eligible and offer an award, we will notify you of the amount and provide you with paperwork that must be completed before we can provide the award payment.
- Respect the rules. Operate within the rules set forth by MicroStrategy.
- Respect privacy. Make a good faith effort not to access or destroy another user's data.
- Be patient. Make a good faith effort to clarify and support your reports upon request.
- Do no harm. Act for the common good through the prompt reporting of all found vulnerabilities. Never willfully exploit others without their permission.
Unless MicroStrategy provides you with written consent to share information, all information regarding a Submission must be kept confidential and may not be shared in any way outside of the MicroStrategy program, including discussions related to our program or any vulnerabilities (even if resolved).
For the avoidance of doubt, the following activities are expressly prohibited:
- Downloading, copying, disclosing, destroying, altering, transferring, or using any proprietary or confidential MicroStrategy data or data belonging to MicroStrategy's business partners, customers, employees, franchisees, owners, shareholders, vendors, or any other party (other than your own) directly or indirectly affiliated with MicroStrategy (collectively, MicroStrategy Data)
- Hacking, penetrating, or otherwise attempting to gain unauthorized access to MicroStrategy applications, systems, or MicroStrategy Data in violation of the Program Terms or applicable laws
- Demonstrating a proof of concept on a third-party website (MicroStrategy will not accept such reports)
- Engaging in any social engineering (e.g. phishing, vishing, smishing) or denial of service testing
- Mass creation of accounts to perform testing against MicroStrategy applications and services
- Conducting physical attacks against any MicroStrategy assets (e.g., MicroStrategy facilities and any equipment within MicroStrategy facilities)
- Disrupting or otherwise adversely affecting MicroStrategy's business, the operation of any MicroStrategy applications or systems, or the use and protection of MicroStrategy Data
MicroStrategy reserves all rights and potential claims with respect to any such prohibited activities.
How to Make a Submission
To make a Submission, report the vulnerability directly and exclusively to us by contacting us through the Security Vulnerability Reporting Portal with the following information:
- Summary: A detailed summary of the vulnerability, including: type of issue; location; product; version (if known); and configuration of any software, as appropriate
- Instructions: Step-by-step instructions necessary to reproduce the issue or vulnerability including screenshots if applicable
- Severity: Estimated severity and/or impact of the issue, if any
- Attachments: Any relevant attachments
Researcher Do's and Don'ts
Do:
- Research and make reports in good faith while working collaboratively with MicroStrategy
- Respect our customers' and employees' privacy
- Only interact with accounts you own or have express permission to use
- Only include one vulnerability per report, unless vulnerabilities must be chained to show the impact
- Include detailed, reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward
- Verify all reports before submission
- Contact us if you are uncertain whether to continue testing the potential vulnerability or have any other questions
- Report potential vulnerabilities directly and exclusively to us
Don't:
- Leave any system in a more vulnerable state than you found it
- Perform any actions that require contact with MicroStrategy employees or customers (other than the MicroStrategy technical teams administering the bug bounty program)
- Harm or exploit any vulnerability beyond the minimal amount of testing required to prove that a vulnerability exists or to identify an indicator related to a vulnerability
- Intentionally access any MicroStrategy Data except to the extent necessary to prove that a vulnerability exists or to identify an indicator related to a vulnerability
- Compromise the privacy or safety of any MicroStrategy employees, customers, or other third parties
- Compromise the intellectual property or other commercial or financial interests of any MicroStrategy companies, employees, customers, or other third parties
Out of Scope Vulnerabilities
When reporting vulnerabilities, please consider the attack scenario / exploitability and the security impact of the bug. The following issues are considered out of scope and will be ineligible for an award (this list is subject to change at any time):
- HTML injection and self-XSS
- Open redirects
- Missing cookie flags
- SSL/TLS best practices
- Information disclosures
- Mixed content warnings
- Denial of Service attacks and Distributed Denial of Service attacks
- Host header and banner grabbing issues
- Clickjacking with no sensitive actions
- UI redressing
- Missing CSRF token
- Any non-MicroStrategy applications or assets, unless it is a MicroStrategy-modified or MicroStrategy-branded version
- Missing security-related HTTP headers which do not lead directly to a vulnerability
- Internal pivoting, scanning, exploiting, or exfiltrating data from internal MicroStrategy systems
- Attacks requiring a man-in-the-middle (MITM) position or physical access to a user's device
- Comma Separated Values (CSV) injection without demonstrating a vulnerability
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
- Account/e-mail enumeration
- Reflected file download attacks
- Incomplete or missing SPF/DKIM records
- Physical or social engineering attacks
- Results of automated tools or scanners
- Recently disclosed 0-day vulnerabilities
- Login/logout/unauthenticated/low-impact CSRF
- Presence of autocomplete attribute on web forms
- CVEs affecting outdated browsers or platforms
- Using unreported vulnerabilities to find other bugs
- Self-exploitation (e.g., reusing your own password reset links or cookies)
- Issues related to networking protocols or industry standards
- XSS in Flash files not developed by MicroStrategy, e.g. third-party ads
- Use of a known-vulnerable library (without proof of exploitability)
- Descriptive/verbose/unique error pages (without proof of exploitability)
- Any MicroStrategy developed software and third-party software that is End of Life or no longer supported
- Clickjacking or UI Redressing attack
- Brute force attacks
- XSS in HTML containers
What You Can Expect From Us
We take every disclosure seriously and very much appreciate the efforts of security researchers, who regularly make valuable contributions to the security of companies like MicroStrategy and the broader Internet community. We will investigate every disclosure and strive to ensure that appropriate steps are taken to resolve reported vulnerabilities as quickly as possible.
MicroStrategy will use its best efforts to meet the following service level agreements (SLAs) for researchers participating in our program:
- Time to first response (from report submit date) = 5 business days
- Time to triage (from report submit date) = 15 business days
- Time to bounty (from triage date) = 30 business days
Researchers will be kept informed about our progress throughout the process.
Please note these are general guidelines, and that reward decisions are in MicroStrategy's sole discretion. Decisions on the amount of a reward will be guided by severity per CVSS v3.0 (the Common Vulnerability Scoring System).
- Critical (9.0 - 10.0) = $500 - $1,000
- High (7.0 - 8.9) = $300 - $500
- Medium (4.0 - 6.9) = $100 - $300
- Low (0.1 - 3.9) = $20 - $100
When multiple researchers report the same vulnerability, only the first Submission will be eligible for a reward (if it meets all other requirements). Multiple vulnerabilities caused by one underlying issue will be eligible for only one award. Vulnerabilities already known by MicroStrategy are not eligible for an award. MicroStrategy's decision on eligibility and the amount of any award are final and binding.
Payments will be made via PayPal.