Check Point Bug Bounty Program Policy
1. Overview
Check Point Software Technologies Ltd. (“Check Point”, “we”, “us”) operates a private Bug Bounty Program hosted
on HackerOne (the “Program”). The Program allows invited security researchers (“you”, “Researcher”) to identify
and report security vulnerabilities in certain Check Point assets.
By accessing the Program, testing in-scope assets, or submitting a report (“Submission”), you agree to this
Program Policy (the “Policy”). If you do not agree, do not participate.
IMPORTANT: Strict confidentiality applies. Public disclosure is prohibited.
2. Eligibility
To participate, you must meet all of the following conditions:
- Invite-only: The Program is private. You may participate only if invited and accepted by
Check Point/HackerOne.
- Identity verification: You must complete HackerOne identity verification (if
requested/required by HackerOne/Check Point).
- Age: You must be at least 18 years old.
- No Check Point insiders: Current Check Point employees, interns, contractors, consultants,
and their immediate family members are not eligible.
- Sanctions / restricted locations: You may not participate if you are located in, resident
of, or submitting from: Cuba, North Korea, Iran, Syria, Lebanon, Sudan, the Crimea region, LNR, DNR,
or any other location prohibited under applicable sanctions/export-control laws. (HackerOne will
block access from these locations.)
- Legal compliance: Your participation must comply with all applicable laws and regulations.
Check Point may suspend, revoke, or terminate your access at any time, with or without notice, in its sole
discretion (including if your participation could adversely impact Check Point or others).
3. Scope
3.1 In Scope
- Check Point Portal only, as explicitly listed/defined in the Program’s “Scope” section on
HackerOne (domains/URLs/assets as published there).
3.2 Out of Scope
Everything is out of scope unless explicitly listed as in scope, including without limitation:
- Any Check Point product/service other than the Check Point Portal.
- Any application/service accessible “from within” the Portal that is not the Portal itself.
- Corporate IT, internal systems, endpoints, employee accounts/devices, third-party systems, suppliers, or
partners.
- Any assets not explicitly listed on the HackerOne Scope page.
4. Rules of Engagement
You must act in good faith and minimize risk/harm. In particular:
4.1 Prohibited Testing
You must not, and must not attempt to:
- Perform social engineering (phishing/vishing/smishing), impersonation, or contact Check Point
employees/users to obtain access.
- Conduct denial-of-service (DoS/DDoS) testing, traffic flooding, load testing, or any activity that degrades
availability.
- Use malware, ransomware, botnets, or destructive payloads.
- Pivot beyond the minimum access needed to demonstrate the issue.
- Create persistence, install backdoors/webshells, or maintain unauthorized access.
- Attempt to alter, delete, or corrupt data.
4.2 Accounts & Access
- Test only using accounts you own (or accounts explicitly provided/approved by Check Point for testing).
- Do not test against accounts you do not control, and do not access other users’ data.
4.3 Automation & Rate Limits
- Avoid excessive automation. Any automation must be safe and limited.
- Unless explicitly authorized in writing by Check Point, you must not exceed 100 requests per minute to
in-scope assets.
4.4 Data Handling (Privacy-First)
- Do not intentionally access, download, retain, or share personal data, credentials,
secrets, tokens, or sensitive customer information.
- If you inadvertently access sensitive data:
  - Stop immediately
  - Report immediately via HackerOne
  - Do not save or further disclose the data
  - Retain it only as long as strictly necessary to demonstrate impact, and delete it as soon as Check Point
confirms no further retention is needed
Violation of these rules may result in disqualification, loss of bounty eligibility, removal from the Program,
and potentially legal action.
5. Reporting Requirements
Submissions must be made only through the HackerOne platform. Do not contact Check Point employees directly
regarding vulnerabilities or bounties.
Each Submission must include:
- Clear description of the vulnerability and affected in-scope asset
- Reproduction steps
- Proof of Concept (PoC)
- Impact explanation (what can a real attacker achieve?)
- Any relevant logs, screenshots, requests/responses, and test account details (redacted where required)
One vulnerability per report, unless chaining is necessary to demonstrate real impact.
Submissions that are not reproducible, are unclear, or lack a PoC may be closed and may not be eligible for a
reward.
6. What Counts as a Valid Vulnerability
A valid vulnerability is a bug in an in-scope Check Point asset that results in a meaningful security violation,
including for example:
- Account takeover
- Unauthorized access to data
- Privilege escalation / authorization bypass (e.g., IDOR)
- Remote code execution
- Sensitive data exposure with demonstrable impact
- Other issues that create material risk to customers or Check Point as an organization
Check Point Security determines validity and severity.
7. Duplicates and Related Reports
- Only the first valid report of a given issue is eligible for a bounty.
- Multiple manifestations of the same underlying root cause may be treated as one issue (one bounty).
- Check Point may, at its discretion, award partial recognition if a later report provides genuinely new,
material information—no obligation.
8. Bounties and Rewards
8.1 General
- Participation in the Program does not guarantee a bounty payment. All bounty payments are voluntary,
discretionary, and subject to Check Point’s sole determination.
- No bounty will be awarded for issues already known to Check Point or previously reported through any
channel.
- Check Point Security retains sole and absolute authority to determine, in its discretion:
  - (i) whether a reported issue constitutes a valid vulnerability,
  - (ii) whether a Submission qualifies for a bounty,
  - (iii) the severity classification of any vulnerability,
  - (iv) the amount of any bounty, if awarded, and
  - (v) whether multiple reports relate to the same underlying issue.
- Severity classification may be determined using internal security assessment methodologies, including but
not limited to industry standards (such as CVSS), business impact, exploitability, risk to customers,
operational impact, and other factors deemed relevant by Check Point.
- Researchers may provide additional information or request reconsideration through the HackerOne platform;
however, all determinations made by Check Point are final and binding.
- Check Point reserves the right, in its sole discretion, to decline or adjust bounty payments, including in
situations such as:
  - duplicate submissions,
  - low-quality or incomplete reports,
  - issues with limited or theoretical impact,
  - policy violations during testing,
  - or any other circumstances Check Point deems appropriate.
8.2 Severity Ranges (Current Guidance; Subject to Change)
The following bounty ranges represent general guidance only and are not guaranteed payouts. Final bounty amounts
may fall within or outside these ranges at Check Point’s discretion.
- Low: $100–$150
- Medium: $300–$500
- High: $750–$1,000
- Critical: $2,500–$3,000
Severity levels and bounty ranges may be modified, expanded, reduced, or withdrawn at any time, without prior
notice.
8.3 Budget Cap / Program Pausing
Bounty payments are subject to available program budget.
If the allocated bounty budget is exhausted, Check Point may, at its sole discretion:
- allocate additional funds to the bounty pool (subject to internal approvals), or
- pause, modify, or terminate the Program until additional funding is approved.
Check Point shall have no obligation to continue awarding bounties if the Program is paused or terminated.
9. Payments and Taxes
- All payments are processed by HackerOne only, as monetary (cash) bounties.
- Check Point does not pay Researchers directly.
- You will be responsible for any tax implications related to any bounty payment you receive, as determined by
the laws of your jurisdiction.
10. Confidentiality and Non-Disclosure
This Program is confidential.
You must not publicly disclose or privately share with any third party:
- The existence of the Program (if designated private),
- Any finding, vulnerability, Submission, PoC, security weakness, exploit details,
- Any communications with Check Point/HackerOne about the Program,
- Any non-public information learned through participation.
Disclosure is permitted only to Check Point via HackerOne, and only as required to report the vulnerability.
No exceptions unless you obtain express prior written approval from Check Point Legal.
Breach of confidentiality may result in immediate removal and disqualification, with forfeiture of any current or
future payments under the Program, and Check Point may pursue legal remedies including injunctive relief,
specific performance, and claims for damages.
11. IP Ownership and Assignment
As a condition of participation and in exchange for consideration including potential bounty eligibility:
- You hereby assign to Check Point all right, title, and interest in and to any Submission and related
materials, including without limitation: reports, write-ups, PoC code, exploit scripts, documentation,
screenshots, and derivative works (the “Materials”).
- The assignment is worldwide, irrevocable, perpetual, and includes all intellectual property rights.
- You waive moral rights to the extent permitted by law and agree to execute any further documents reasonably
required to perfect these rights.
You represent that your Submission is original and that you have the right to make this assignment.
12. Safe Harbor
If you act in good faith and comply with this Policy, Check Point will consider your testing
authorized under this Program and will not initiate legal action against you solely for
activities performed in accordance with this Policy.
Safe harbor does not apply if you:
- Act outside scope
- Violate confidentiality
- Exfiltrate or retain data
- Cause disruption/degradation
- Engage in social engineering/extortion
- Break the law
13. SLAs (Response Targets)
Check Point will make a best effort to meet these targets (severity-based):
- Time to first response: 1–2 business days.
- Triage and remediation targets: based on severity and standard SLAs:
- Critical: 1 week
- High: 3 weeks
- Medium: 3 months
- Low: 1 year
(These are targets, not guarantees.)
14. Changes, Suspension, and Termination
Check Point may modify this Policy, scope, reward ranges, or Program operation at any time. Continued
participation after changes means you accept the updated Policy.
Check Point may suspend/terminate the Program or your access at any time, with or without notice.
15. Limitation of Liability
To the maximum extent permitted by law, Check Point shall not be liable for any indirect, incidental,
consequential, or special damages arising out of or related to this Program. Total liability shall not exceed
USD 3,000.00.
16. Governing Law and Venue
This Policy is governed by the laws of the State of Israel. Exclusive jurisdiction and venue shall be the
competent courts in Tel Aviv–Yafo, Israel.
