spacelift-io-bug-bounty-program
YesWeHack
In-Scope Assets (6)
| Asset | Category |
|---|---|
| MFA | OTHER |
| Native K8S workers and operator | OTHER |
| OIDC-based API keys | OTHER |
| Spacelift Intent | OTHER |
| https://*.app.spacelift.dev | URL |
| https://spacelift.dev/ | URL |
Out-of-Scope Assets (8)
| Asset | Category |
|---|---|
| Any communication with Spacelift colleagues. | OTHER |
| Any other Spacelift assets not specifically listed as in-scope. | OTHER |
| Attacks against any account other than the specified target accounts. | OTHER |
| Bypasses of user or API key creation limits (including via race conditions or business logic issues) | OTHER |
| Contact form (especially HubSpot ones) | OTHER |
| Data breaches or credential dumps. | OTHER |
| Session keeps using old user group permissions if user group permissions are changed during a given session's lifespan | OTHER |
| Third-party companies that perform business transactions for Spacelift | OTHER |