
Vulnerability Reporting Terms

Last Updated: Jan 2025

Security is top of mind at Tanium. We believe partnering with the security community benefits our customers and our software, and, therefore, we have a bug bounty program that provides rewards to researchers who disclose security vulnerabilities in a responsible manner.

Disclosure Guidelines: this program policy supersedes HackerOne’s guidelines in case of conflicting statements. By submitting a vulnerability, you acknowledge that:

  • You have read and agreed to the Tanium Bug Bounty Program Policy and acknowledge that Tanium retains full discretion to interpret and apply the terms of the program, including any individual’s eligibility for or modification of program rewards.
  • You are representing that you have authority to participate in this program and that you have obtained from your employer all authorizations necessary to receive the prizes awarded, and that in doing so, you are in compliance with all applicable laws, regulations, and your employer’s policies regarding the acceptance of any rewards.

Program Rules

  • Provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
  • When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
  • Securely destroy any confidential information you may have obtained.
  • Participation in Tanium’s program does not create an employment relationship.
  • All reports submitted shall be deemed a “work made for hire” as defined in 17 U.S.C. Section 101 for Tanium and Tanium shall be the sole owner of the reports. You irrevocably assign to Tanium all rights, title, and interest, including all intellectual property rights, to the reports.

Response Targets

If you identify and submit a security vulnerability in compliance with this policy, we will use reasonable efforts to meet the following response targets:

  • Time to first response – 5 business days from submission
  • Time to triage – 5 business days from first response
  • Time to resolution, including potential mitigation and fixes, as well as security advisory – will vary depending on the severity and complexity of the vulnerability

If you identify and submit a security vulnerability in compliance with this policy, the following disclosure terms apply:

  • Details about all vulnerabilities (even resolved ones) must remain private unless you receive express consent from Tanium.
  • Tanium communicates security advisories to its customers via a private communication channel and does not file for CVEs. Although security advisories are not public and will not be visible to researchers, Tanium will:
      • Credit researchers in the private security advisories, unless researchers opt out.
      • Provide researchers with the security advisory ID associated with their finding.

Rewards

Our rewards are based on a variety of factors, including severity per CVSSv3 (Common Vulnerability Scoring System) and the impacted asset. Please note that these are general guidelines, and reward decisions are at the discretion of Tanium.

The following individuals may not qualify for certain rewards including monetary awards:

  • Tanium employees and contractors, and any other workers performing services for Tanium.
  • Employees and contractors of Tanium customers or pending customers, and any other workers performing services for a Tanium customer or pending customer who identify a vulnerability as part of their normal job responsibilities.
  • Residents of any embargoed and sanctioned countries as promulgated by the United States Government, which currently include Cuba, Iran, North Korea, Syria, Russia, Belarus, and certain covered regions of Ukraine and any other Specially Designated Nationals as identified by the U.S. Office of Foreign Assets Control, as may be updated from time to time.
  • The immediate family members of, or individuals residing in the same household as, any of the individuals described above.

In Scope

Out of Scope

When reporting vulnerabilities, please consider the attack scenario/exploitability and the security impact of the bug. For example, the following issues are considered out of scope:

  • Clickjacking on pages with no sensitive actions.
  • Unauthenticated/logout/login CSRF.
  • Vulnerable libraries without a working Proof of Concept.
  • Missing configuration best practices without a working Proof of Concept.
  • Denial of Service (DoS) attacks against our web properties.
  • Spam or social engineering techniques.
  • Tanium Labs content.
  • Vulnerabilities in third-party Tanium integrations including applications, services, or sensors.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered conduct authorized by Tanium. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep Tanium and our users safe!