FireBounty
79207 policies in database
Link to program      
2023-06-13
Spacelift.io - Bug Bounty Program logo
Thank
Gift
HOF
Reward

Reward

Spacelift.io - Bug Bounty Program

About

Please keep the testing scope only* .app.spacelift.dev and spacelift.dev are included Please do not test the contact forms (especially HubSpot one)

Features in 20% Bonus scope

  1. Native K8S workers to manage these worker pools efficiently and K8S operators to manage Spacelift resources.
    Reference: https://docs.spacelift.io/vendors/kubernetes/getting-started
    Reference: https://docs.spacelift.io/integrations/kubernetes/operator

  2. The OIDC-based API keys can be used as an alternative to secret-based ones today.
    Reference: https://docs.spacelift.io/integrations/api.html#oidc-based-api-keys

  3. The MFA feature allows you to protect your external IdP session using security keys (FIDO2) managed in Spacelift. Even if your IDP account is compromised, it brings your identity as the last line of defense.
    Reference: https://spacelift-user-documentation-pr-396.onrender.com/product/security/mfa.html#multi-factor-authentication-mfa

For those features, all payouts will be increased by 20%

Bounty Program

At Spacelift, your security is our first and foremost priority. We're aware of the utmost importance of security in our service, and we're grateful for your trust. Here's what we're doing to earn and maintain this trust and to keep Spacelift secure by design. If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you!

In-scope vulnerabilities will be rewarded based on severity following remediation. The Spacelift private bug bounty program accepts vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and or availability of the services in scope. By participating in the Spacelift private bounty program you agree to follow all of the requirements below. We look forward to working with you to find security vulnerabilities in order to keep our businesses and customers safe. We’ll try to keep you informed about our progress throughout the process.

Rewards

We offer a reward for every report of a security problem that was not yet known to us. The amount of the reward will be determined based on the severity of the leak and the quality of the report. Our rewards are based on severity per CVSS v3.0 (the Common Vulnerability Scoring Standard). Please note these are general guidelines and that reward decisions are up to the discretion of Spacelift.

Program Rules

Testing Policy and Responsible Disclosure

Please adhere to the following rules while performing research on this program:

  • Don't contact/send payloads against contact forms (especially HubSpot ones), there are people behind - it's annoying.
  • Denial of service (DoS) attacks on Spacelift.io applications, servers, networks or infrastructure are strictly forbidden.
  • Avoid tests that could cause degradation or interruption of our services.
  • Do not use automated scanners or tools that generate a large amounts of network traffic.
  • Do not leak, manipulate, or destroy any user data or files in any of our applications/servers.
  • Do not copy any files from our applications/servers and disclose them.
  • No vulnerability disclosure, full, partial, or otherwise, is allowed.

Reward Eligibility

  • Only the preproduction environment is within the scope of the bounty program https://*.spacelift.dev/
  • Do not collect any personally identifiable information or authentication information from other Spacelift clients.
  • Do not destroy or alter discovered data.
  • Do not inappropriately store Spacelift information in public locations, i.e., GitHub.
  • Do not intentionally harm other users as well as their experience.
  • Do not publicly or privately disclose any vulnerabilities belonging to Spacelift - existing or remediated – to anyone other than Spacelift.
  • Only submit vulnerability reports using the YesWeHack platform.
  • A bounty is only eligible for a payout if the exploited vulnerability is unknown and can be reproduced.
  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
  • Submit one vulnerability per the report unless you need to chain vulnerabilities to provide impact.
  • When duplicates occur, we only award the first report received (provided that it can be fully reproduced).
  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
  • Social engineering (e.g., phishing, vishing, smishing) is prohibited.
  • Limit automation/rate scraping to 100 requests per minute.
  • Employers/Contractors can participate, excluding functionalities/code written by themself.

Submission Requirements

Reward amounts are based on:

  • Reward grid of the report's scope
  • CVSS scoring and actual business impact of the vulnerability upon performing risk analysis

You can check our documentation here

In Scope

Scope Type Scope Name
application

MFA
application

Native K8S workers and operator
application

OIDC-based API keys
web_application

https://*.app.spacelift.dev
web_application

https://spacelift.dev/

Out of Scope

Scope Type Scope Name
undefined

Contact form (especially HubSpot ones)
undefined

Any other Spacelift assets not specifically listed as in-scope.
undefined

Any communication with Spacelift colleagues.
undefined

Attacks against any account other than the specified target accounts.
undefined

Data breaches or credential dumps.
undefined

Third-party companies that perform business transactions for Spacelift
undefined

Session keeps using old user group permissions if user group permissions are changed during a given session's lifespan

This policy crawled by Onyphe on the 2023-06-13 is sorted as bounty.

FireBounty © 2015-2025

Legal notices | Privacy policy