Report A Security Issue
We are committed to the security of our users
and appreciate your help in improving our products.
Rewards:
Depending on the severity of the bug and the product,
we offer bug bounties of up to $8K.
Note: If you would like to report a non-security related bug, please contact our Technical Support Team.
Scope Exclusions
Known vulnerabilities are not in scope, and some reports may be marked as duplicates if the root cause closely aligns with an already claimed report. SentinelOne intends to award the maximum allowable bounty for every valid report.
We encourage hackers to contact us at [email protected] before and after submitting reports to help avoid duplicates.
In cases where a bug is found on a third-party service hosted within our wildcard domain, SentinelOne will determine awards on a case-by-case basis.
Please note that we use CVSS to consistently score vulnerabilities. There may be internal mitigations or controls that affect the CVSS score and thus final assessed severity.
The following issues are considered out of scope:
Exclusion Name | Details |
---|---|
Clickjacking with No Sensitive Actions | Clickjacking on pages that do not involve sensitive actions. |
CSRF on Non-Sensitive Forms | Cross-site request forgery (CSRF) on unauthenticated forms or forms without sensitive actions. |
Known Vulnerable Libraries | Previously known vulnerable libraries without a working proof of concept. |
Service Disruption Activities | Any activity that could lead to the disruption of our service (DoS). |
Content Spoofing/Text Injection | Content spoofing and text injection issues without showing an attack vector or the ability to modify HTML/CSS. |
Rate Limiting on Non-Auth Endpoints | Rate limiting or brute force issues on non-authentication endpoints. |
Content Security Policy Best Practices | Missing best practices in Content Security Policy. |
Email Best Practices | Missing email best practices (invalid, incomplete, or missing SPF/DKIM/DMARC records, etc.). |
Outdated Browser Vulnerabilities | Vulnerabilities affecting users of outdated or unpatched browsers (less than two stable versions behind the latest released stable version). |
Information Disclosure | Software version disclosure, banner identification issues, descriptive error messages, or headers (e.g., stack traces, application or server errors). |
Recent Zero-Day Vulnerabilities | Public zero-day vulnerabilities that have had an official patch for less than one month (awarded on a case-by-case basis). |
Tabnabbing | Issues related to tabnabbing. |
Open Redirects Without Impact | Open redirects unless an additional security impact can be demonstrated. |
Unlikely User Interaction | Issues that require unlikely user interaction. |
Accessing Debug Information | Accessing debug information without exploitable impact. |
Data Dumps | Data dumps are not in scope, but the impact from data dumps may be considered on a case-by-case basis. |
Disclosure Policy
- As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside the program without written consent from SentinelOne.
- Follow HackerOne’s disclosure guidelines.
Program Rules
Please adhere to the following rules when participating in our bug bounty program:
Rule Name | Rule Details |
---|---|
Provide Detailed Reports | Submit detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, it will not be eligible for a reward. |
Specify Product Version | The product version (console/agent) must be mentioned in the initial report and during retesting. |
No Unauthorized Data Access | Accessing any customer data or SentinelOne internal data is strictly prohibited. If you have inadvertently encountered customer data, immediately stop testing and notify [email protected]. |
One Vulnerability per Report | Submit one vulnerability per report unless you need to chain vulnerabilities to demonstrate impact. |
Duplicate Reports | When duplicates occur, only the first report that can be fully reproduced will be awarded. |
Single Bounty for Related Issues | Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. |
No Social Engineering | Social engineering (e.g., phishing, vishing, smishing) is prohibited. |
Avoid Service Disruption | Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or have explicit permission for. |
Use Isolated Environments | Install agents within a separate, non-personal environment that is encapsulated. |
Respect Other Researchers | Do not disrupt or impede the work or deployments of other researchers. |
Consult Documentation | For console testing, please read the documentation in the "Help" section located in the top right corner of the console. |
Reporting Format Recommendations
We are excited to see what you can accomplish with our products, but sometimes misunderstandings can occur. To ensure faster payouts and smoother communication, please include the following in your reports where possible:
- When possible upload a video: Seeing the attack path is truly powerful.
- Provide a description: Explain what you believe is happening and how the vulnerability works.
- Impact: Articulate how this bug could affect SentinelOne or our customers.