WalkMe will pay qualified security researchers, who have been registered to the Bounty Program subject to the criteria indicated below, a bounty for each confirmed security vulnerability as such term is defined below, provided that payment is not prohibited by law. We will pay rewards when the security vulnerability submitted is both previously unknown to WalkMe, and that in WalkMe’s sole discretion, such vulnerability may have an adverse impact on the level of security of the services provided by WalkMe (“Confirmed Security Vulnerability”).
Please note that your participation in the Bounty Program is voluntary and is subject to the conditions set forth herein (“Program Terms”). By registering to this Bounty Program, you acknowledge that you have read and agreed to these program terms.
Registration:
WalkMe manages its bug bounty via a private program on the BugCrowd platform, where testers with the relevant skills are selected amongst the top-tier hackers on the platform.
If you believe that you’ve found a security vulnerability and would like to report it to us, or if you have the relevant skill set and would like to join our bug bounty program, please register on the BugCrowd platform (registration is free) and send a request to [email protected] to be invited to our program.
Make sure to include the email with which you registered on the BugCrowd platform in your request!
General Participation Terms:
- You may not disclose any of the testing performed and/or findings of the security vulnerability to any third party, whether you are rewarded for them or not.
- WalkMe will provide you a sandbox environment for the purpose of identifying security vulnerabilities. You will not perform any testing on WalkMe’s production environment.
- You will perform the testing only on the platform WalkMe provides you and only within the timeframe set by WalkMe for this purpose.
- You shall not engage in testing that (i) results in a degradation of WalkMe’s systems, (ii) results in you, or any third party, accessing, storing, sharing or destroying WalkMe’s or customers’ data, or (iii) may impact WalkMe’s customers.
- You hereby represent that you and any actions performed by you are and will be in compliance with all national, state or local laws and regulations, and that your testing and findings will not infringe any third-party rights (e.g. intellectual property rights).
- You may never store any WalkMe data you retrieve during the testing.
- You may submit up to three (3) security vulnerability issues at a time, so we can address them efficiently and effectively.
- You must perform the testing yourself, and not farm or subcontract your work out to anyone else.
- You will accept WalkMe’s decision to reject a security vulnerability issue as a confirmed security vulnerability.
- WalkMe will have sole discretion whether or not to fix any security vulnerability issue you find.
- Failure to comply with the program terms will result in immediate disqualification from the Bounty Program.
Applicable Security Vulnerability Issues:
Please follow these guidelines when submitting security vulnerability issues:
- Please provide a simple description of the security vulnerability, including a step-by-step reproducible test case. Source code, in a common language, which illustrates the vulnerability can be included as well.
- We will only accept security vulnerability issues that are classified as medium severity or higher.
The following types of security vulnerability issues are specifically excluded from the Bounty Program:
- Open redirects (through headers and parameters) / Lack of security speed bump when leaving the site.
- Text injection.
- Email spoofing (including SPF, DKIM, from spoofing, and visually similar, and related issues).
- Clickjacking and issues only exploitable through clickjacking.
- Lack of Secure and HttpOnly cookie flags (critical systems may still be in scope).
- Login or Forgot Password page brute force, account lockout not enforced, or insufficient password strength requirements.
- Username / email enumeration by brute forcing / error messages (e.g. login / signup / forgotten password).
- Exceptional cases may still be in scope (e.g. ability to enumerate email addresses via incrementing a numeric parameter).
- No Captcha or rate limit on Login Page.
- Denial of Service attacks.
- Misconfigured DNS issues.
- Vulnerable versions of third-party libraries (High severity vulnerabilities with a working Proof-of-Concept may still be accepted).
Bounty Rewards:
- You will be eligible to receive a monetary reward (“Bounty Reward”) if:
  - You are the first person to submit a certain vulnerability;
  - That vulnerability is determined by WalkMe’s Security team as a Confirmed Security Vulnerability;
  - You have complied with the Program Terms.
- The Bounty Reward will be between $50 and $3,000, in WalkMe’s sole discretion, based on the tiers below and, inter alia, on the following criteria: the potential impact of the security vulnerability; the severity of the security vulnerability; and the type of data disclosed or affected by the security vulnerability.
| Severity | Reward |
|----------|--------|
| Critical | $1,000 – $3,000 |
| High     | $500 – $1,000 |
| Medium   | $250 – $500 |
| Low*     | $50 – $250 |
* Low findings are generally not eligible for a reward, but we may, at our discretion, choose to award a bounty for a submission that is considered low.
Ownership of Submissions
- As a condition of participation in the Bounty Program, you hereby grant WalkMe and its affiliates a perpetual, irrevocable, worldwide, royalty-free, transferable, sublicensable and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create derivative works from, make, use, sell or offer for sale the finding, right, know-how or correction learnt, developed or derived from the Confirmed Security Vulnerability, as well as any materials submitted to WalkMe in connection therewith, for any purpose.
- You hereby represent and warrant that any security vulnerability submitted by you is original to you and you own all right, title and interest in and to the Security Vulnerability issues you have submitted under the Bounty Program.
- You hereby waive any and all claims of any nature, arising out of any disclosure of security vulnerability issues you have submitted to WalkMe under the Bounty Program.
Termination
If you breach any of these Bounty Program terms, or WalkMe determines, in its sole discretion, that your continued participation in the Bounty Program could adversely impact WalkMe, we may immediately terminate your participation in the Bounty Program and disqualify you from receiving Bounty Rewards.
Confidentiality
All information you receive or collect about WalkMe through the Bounty Program must be kept confidential and only used in connection to the Bounty Program. You may not disclose or distribute any of such confidential information, including any information about security vulnerability issues you have submitted to the Bounty Program, without WalkMe’s prior written consent.
Indemnification
You agree to defend, indemnify and hold WalkMe, its affiliates, officers, directors, employees, agents and suppliers harmless from any claim or demand (including attorneys’ fees) made or incurred by any third party arising out of any security vulnerability issues you have submitted to the Bounty Program, your breach of these program terms and/or your improper use of these program terms.
The Bounty Program is subject to change or cancellation by WalkMe at any time, without notice. As such, WalkMe may amend the program terms and/or its policies at any time by posting a revised version on its website. By continuing to participate in the Bounty Program after WalkMe posts any such changes, you accept the program terms, as modified.
Hall of Fame
Thanks to the following researchers for reporting important security issues:
Mohamed Ouad
Amal Jacob
Harie_cool
proAbiral
Abhaychandra_Chede
Kazan71p
Shahzad_Sadiq
Loke Hui Yi (GovTech)
Khor Teck Chung (GovTech)
Jason Chan (GovTech)
Anurag Kumar Rawat