CrowdStrike encourages everyone to follow responsible disclosure procedures when reporting security issues in our products, services, websites, or infrastructure. We are committed to engaging with anyone reporting security vulnerabilities in a positive, professional, mutually beneficial manner that protects our customers.

To report non-security bugs, please contact our Technical Support Team.

Out of Scope Vulnerabilities and Exclusions

  • Social engineering attempts on CrowdStrike personnel or our customers, including e-mail phishing attacks and pre-text phone calls.
  • Any other vulnerabilities that involve directly sending email to CrowdStrike email addresses.
  • Physical attacks against CrowdStrike property and infrastructure, including but not limited to offices or data centers.
  • Vulnerabilities in a vendor we integrate with.
  • Use of automated tools that could generate significant traffic and possibly impair the functionality of products, including denial of service attacks.
  • Vulnerabilities in obsolete or end of life versions of our products.
  • Missing additional security controls, such as HSTS or CSP headers.
  • Login/Logout CSRF.
  • Breaking of SSL/TLS trust (unless you can provide working PoC).
  • Cookies missing security flags (for non-sensitive cookies).
  • Brute-force / Rate-limiting / Velocity throttling.
  • Vulnerabilities only affecting users of outdated or un-patched browsers and platforms.
  • Presence of autocomplete attribute on web forms.
  • ClickJacking / TabNabbing attacks.
  • E-Mail spoofing.
  • Web content in our robots.txt file.
  • Banner Exposure / Version Disclosure.
  • Additional missing security controls often considered “Best practice”, such as certificate pinning or mitigating information disclosures.

If you do encounter personally identifiable information, customer data or other sensitive information, contact us immediately, do not proceed with access, and do not retain any copies of such information. The vulnerability report and all vulnerabilities therein as well as any confidential data accessed pursuant to a vulnerability shall be CrowdStrike confidential information and you shall (i) protect that information using at least a reasonable degree of care, (ii) not use such information other than to provide such information to CrowdStrike in connection with the program, and (iii) not divulge to any third person any such information until disclosure is approved in writing by CrowdStrike.