Vulnerability Disclosure Program (VDP)

VDPs are meant for responsibly reporting vulnerabilities you encounter — not for actively hunting for fame or reputation. Even if you're just starting out, consider focusing on rewarded bug bounty programs instead.

okta

BugcrowdView on Bugcrowd

RawAI Enhanced

In Scope

Out of Scope

In-Scope Assets (22)

Asset	Category	Bounty	Quick Links
Desktop MFA for Windows	OTHER	No	-
Desktop MFA for macOS	OTHER	No	-
Okta On-Prem Agents ( AD, LDAP, RDP, IWA )	OTHER	No	-
Okta Verify (Windows)	OTHER	No	-
Password Sync for macOS	OTHER	No	-
bugcrowd-pam-###.oktapreview.com	URL	No	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal
bugcrowd-pam-###.pam.oktapreview.com	URL	No	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal
http://app.scaleft.com/	URL	No	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal
https://apps.apple.com/us/app/okta-verify/id490179405	OTHER	No	-
https://apps.apple.com/us/app/okta-verify/id490179405	IOS	No	-
https://bugcrowd-pam-###-admin.oktapreview.com	URL	No	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal
https://bugcrowd-pam-###.at.oktapreview.com	URL	No	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal
https://bugcrowd-pam-###.oktapreview.com	URL	No	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal
https://bugcrowd-pam-###.workflows.oktapreview.com	URL	No	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal
https://help.okta.com/asa/en-us/Content/Topics/Adv_Server_Access/docs/client.htm	OTHER	No	-
https://help.okta.com/en/prod/Content/Topics/Adv_Server_Access/docs/sftd-windows.htm	OTHER	No	-
https://help.okta.com/en/prod/Content/Topics/Settings/download-browser-plugin.htm	OTHER	No	-
https://play.google.com/store/apps/details?id=com.okta.android.auth&hl=en_US&gl=US	ANDROID	No	Play Store
https://support.okta.com	URL	No	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal
https://www.okta.com/fastpass/	OTHER	No	-
https://www.okta.com/products/advanced-server-access/	URL	No	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal
personal.trexcloud.com	URL	No	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal

Out-of-Scope Assets (17)

Asset	Category	Bounty
*.okta.com	URL	No
*.trexcloud.com	URL	No
Anything not explicitly called out above as in-scope	OTHER	No
AtSpoke - Entitlement bundles as a resource in access requests	URL	No
AtSpoke - Okta Workflows actions in access requests	URL	No
Backend Okta non-app infrastructure	OTHER	No
Network layer issues	OTHER	No
bugcrowd-%username%-1.oktapreview.com	URL	No
bugcrowd-%username%-2.oktapreview.com	URL	No
developer.okta.com	URL	No
https://app.scaleft.com/p/signup	URL	No
https://github.com/oktadev	URL	No
https://scaleft.com	URL	No
login.okta.com	URL	No
pages.okta.com	URL	No
trust.okta.com	URL	No
www.okta.com (static site)	URL	No