WalkMe will pay qualified security researchers, who have been registered to the Bounty Program subject to the criteria indicated below, a bounty for each confirmed security vulnerability as such term is defined below, provided that payment is not prohibited by law. We will pay rewards when the security vulnerability submitted is both previously unknown to WalkMe, and that in WalkMe’s sole discretion, such vulnerability may have an adverse impact on the level of security of the services provided by WalkMe (“Confirmed Security Vulnerability”).
Please note that your participation in the Bounty Program is voluntary and is subject to the conditions set forth herein (“Program Terms”). By registering to this Bounty Program, you acknowledge that you have read and agreed to these program terms.
Registration to the Bounty Program:
This is a private program, and you can only participate if WalkMe notified you that the submission qualifies as a confirmed Security Vulnerability. Upon such confirmation, you will need to provide the following items in order to register to the Bounty Program:
- A copy of your passport picture.
- Your email address.
- Your current, valid, US/foreign postal address.
- A signed NDA which will be provided by WalkMe upon registration.
- The IP address of the computer on which you plan to perform the testing.
- Paypal account details to which you would like WalkMe to pay any applicable rewards.
Submissions should be made to WalkMe Security team:
Please use a subject line describing the Security Vulnerability you found, and use the same subject line for any future correspondence. We will attempt to acknowledge receipt of your submission within ten (10) business days of receiving it.
General Participation Terms:
- You may not disclose any of the testing performed and/or findings of the security vulnerability to any third party, whether you are rewarded for them or not.
- WalkMe will provide you a sandbox environment for the purpose of identifying security vulnerabilities. You will not perform any testing on WalkMe’s production environment.
- You will perform the testing only on the platform WalkMe provides you and only within the timeframe set by WalkMe for this purpose.
- You shall not engage in testing that (i) results in a degradation of WalkMe’s systems, (ii) result in you, or any third party, accessing, storing, sharing or destroying WalkMe’s or customer’s data, (iii) may impact WalkMe’s customers.
- You hereby represent that you and any actions performed by you are and will be in compliance with all national, state or local law or regulation, and that your testings and findings will not infringe any third party rights (e.g. intellectual property rights).
- You may never store any WalkMe data you retrieve during the testing.
- You may submit up to three (3) security vulnerability issues at a time, so we can address them efficiently and effectively.
- You must perform the testing yourself, and not farm or subcontract your work out to anyone else.
- You will accept WalkMe’s decision to reject a security vulnerability issue as a confirmed security vulnerability.
- WalkMe will have sole discretion if to fix any security vulnerability issue you find or not.
- Failure to comply with the program terms will result in immediate disqualification from the Bounty Program.
Applicable Security Vulnerability Issues:
Please follow the following guidelines regarding the submitting of security vulnerability issues:
- Please provide a simple description of the security vulnerability, including a step-by-step reproducible test case. Source code, in a common language, which illustrates the vulnerability can be included as well.
- We will only accept security vulnerability issues that are classified as medium / higher critical severity.
The following types of security vulnerability issues are specifically excluded from the Bounty Program:
- Open redirects (through headers and parameters) / Lack of security speed bump when leaving the site.
- Text injection.
- Email spoofing (including SPF, DKIM, from spoofing, and visually similar, and related issues).
- Clickjacking and issues only exploitable through clickjacking.
- Lack of Secure and HTTP only cookie flags (critical systems may still be in scope).
- Login or Forgot Password page brute force, account lockout not enforced, or insufficient password strength requirements.
- Username / email enumeration by brute forcing / error messages (e.g. login / signup / forgotten password).
- Exceptional cases may still be in scope (e.g. ability to enumerate email addresses via incrementing a numeric parameter).
- No Captcha or rate limit on Login Page.
- Denial of Service attacks.
- Misconfigured DNS issues.
- Vulnerable versions of third-party libraries (High severity vulnerabilities with a working Proof-of-Concept may still be accepted).
- You will be eligible to receive a monetary reward (“Bounty Reward”) if:
- You are the first person to submit a certain vulnerability;
- That vulnerability is determined by WalkMe’s Security team as a Confirmed Security Vulnerability;
- You have complied with the program Terms.
- The Bounty Reward will be between $50 to $3000 in WalkMe’s sole discretion based on the tiers below and on inter alia the following criteria: the potential impact of the security vulnerability; the severity of the security vulnerability; the type of data that will be disclosed affected by the security vulnerability.
|Critical||1000$ – 3000$|
|High||500$ – 1000$|
|Medium||250$ – 500$|
|Low||50$ – 250$|
- The severity level will be determined by WalkMe and provided to the researcher after their registration to the Bounty Program.
- WalkMe will pay the reward within 60 days from the end of the period set by WalkMe for the testing.
- Payments will be made in USD.
- You will be responsible for any tax implications related to the bounty rewards you receive, as determined by the laws of your jurisdiction of residence or citizenships.
- . The researcher will need to provide an invoice.
- The researcher will need to provide a Bank name and Address.
- If the researcher located in the United States the following information is needed: ABA / Routing number, Bank account number
- If the researcher is located outside of the United States the following information is needed: SWIFT, IBAN Number
Ownership of Submissions
- As a condition of participation in the Bounty Program, you hereby grant WalkMe and its affiliates a perpetual, irrevocable, worldwide, royalty-free, transferable, sublicensable and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create derivative work form, make, use, sell or offer for sale the finding, right, know-how or correction learnt, developed or derived from the confirmed security vulnerability, as well as any materials submitted to WalkMe in connection therewith, for any purpose.
- You hereby represent and warrant that any security vulnerability submitted by you is original to you and you own all right, title and interest in and to the Security Vulnerability issues you have submitted under the Bounty Program.
- You hereby waive any and all claims of any nature, arising out of any disclosure of security vulnerability issues you have submitted to WalkMe under the Bounty Program.
In the case that you breach any of these Bounty Program terms; or WalkMe determines, in its sole discretion that your continued participation in the Bounty Program could adversely impact WalkMe, we may immediately terminate your participation in the Bounty Program and disqualify you from receiving bounty rewards.
All information you receive or collect about WalkMe through the Bounty Program must be kept confidential and only used in connection to the Bounty Program. You may not disclose or distribute any of such confidential information, including any information about security vulnerability issues you have submitted to the Bounty Program, without WalkMe’s prior written consent.
You agree to defend, indemnify and hold WalkMe, its affiliates, officers, directors, employees, agents and suppliers harmless from any claim or demand (including attorneys’ fees) made or incurred by any third party arising out of any security vulnerability issues you have submitted to the Bounty Program, your breach of these program terms and/or your improper use of these program terms.
The Bounty Program is subject to change or cancellation by WalkMe at any time, without notice. As such, WalkMe may amend the program terms and/or its policies at any time by posting a revised version on its website. By continuing to participate in the Bounty Program after WalkMe posts any such changes, you accept the program terms, as modified.
Hall of Fame
Thanks to the following researchers for reporting important security issues: