Program Removed

This program is no longer available on YesWeHack. The scope data shown below is historical and may not reflect the final state of the program.

spacelift-io-bug-bounty-program

YesWeHackView on YesWeHack

RawAI Enhanced

In Scope

Out of Scope

In-Scope Assets (6)

Asset	Category	Bounty	Quick Links
app.spacelift.dev	WILDCARD	Yes	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal AlienVault OTX GitHub Fofa
https://spacelift.dev/	URL	Yes	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal AlienVault OTX GitHub Fofa
mfa	OTHER	Yes	-
native k8s workers and operator	OTHER	Yes	-
oidc-based api keys	OTHER	Yes	-
spacelift intent	OTHER	Yes	-

Out-of-Scope Assets (8)

Asset	Category	Bounty
any communication with spacelift colleagues	OTHER	Yes
any other spacelift assets not specifically listed as in-scope	OTHER	Yes
attacks against any account other than the specified target accounts	OTHER	Yes
bypasses of user or api key creation limits (including via race conditions or business logic issues)	OTHER	Yes
contact form (especially hubspot ones)	OTHER	Yes
data breaches or credential dumps	OTHER	Yes
session keeps using old user group permissions if user group permissions are changed during a given session's lifespan	OTHER	Yes
third-party companies that perform business transactions for spacelift	OTHER	Yes

Scope Changes (51)

Mar 19, 2026

Change	Asset	Category	Scope	Time
Program Removed	—	—	—	23:39

Feb 25, 2026

Change	Asset	Category	Scope	Time
Added	any other spacelift assets not specifically listed as in-scope	OTHER	Out of Scope	19:08
Added	contact form (especially hubspot ones)	OTHER	Out of Scope	19:08
Added	native k8s workers and operator	OTHER	In Scope	19:08
Added	spacelift intent	OTHER	In Scope	19:08
Added	*.app.spacelift.dev	WILDCARD	In Scope	19:08
Added	third-party companies that perform business transactions for spacelift	OTHER	Out of Scope	19:08
Added	data breaches or credential dumps	OTHER	Out of Scope	19:08
Added	any communication with spacelift colleagues	OTHER	Out of Scope	19:08
Added	bypasses of user or api key creation limits (including via race conditions or business logic issues)	OTHER	Out of Scope	19:08
Added	session keeps using old user group permissions if user group permissions are changed during a given session's lifespan	OTHER	Out of Scope	19:08
Added	mfa	OTHER	In Scope	19:08
Added	oidc-based api keys	OTHER	In Scope	19:08
Added	attacks against any account other than the specified target accounts	OTHER	Out of Scope	19:08
Added	https://spacelift.dev/	URL	In Scope	19:08

Feb 22, 2026

Change	Asset	Category	Scope	Time
Added	session keeps using old user group permissions if user group permissions are changed during a given session's lifespan	OTHER	Out of Scope	00:51
Added	any communication with spacelift colleagues	OTHER	Out of Scope	00:51
Added	attacks against any account other than the specified target accounts	OTHER	Out of Scope	00:51
Added	spacelift intent	OTHER	In Scope	00:51
Added	native k8s workers and operator	OTHER	In Scope	00:51
Added	oidc-based api keys	OTHER	In Scope	00:51
Added	any other spacelift assets not specifically listed as in-scope	OTHER	Out of Scope	00:51
Added	data breaches or credential dumps	OTHER	Out of Scope	00:51
Added	third-party companies that perform business transactions for spacelift	OTHER	Out of Scope	00:51
Added	https://spacelift.dev/	URL	In Scope	00:51
Added	*.app.spacelift.dev	WILDCARD	In Scope	00:51
Added	mfa	OTHER	In Scope	00:51
Added	bypasses of user or api key creation limits (including via race conditions or business logic issues)	OTHER	Out of Scope	00:51
Added	contact form (especially hubspot ones)	OTHER	Out of Scope	00:51

Feb 21, 2026

Change	Asset	Category	Scope	Time
Removed	third-party companies that perform business transactions for spacelift	OTHER	Out of Scope	21:40
Removed	data breaches or credential dumps	OTHER	Out of Scope	21:40
Removed	attacks against any account other than the specified target accounts	OTHER	Out of Scope	21:40
Removed	any communication with spacelift colleagues	OTHER	Out of Scope	21:40
Removed	any other spacelift assets not specifically listed as in-scope	OTHER	Out of Scope	21:40
Removed	contact form (especially hubspot ones)	OTHER	Out of Scope	21:40
Removed	bypasses of user or api key creation limits (including via race conditions or business logic issues)	OTHER	Out of Scope	21:40
Removed	session keeps using old user group permissions if user group permissions are changed during a given session's lifespan	OTHER	Out of Scope	21:40
Removed	mfa	OTHER	In Scope	21:40
Removed	oidc-based api keys	OTHER	In Scope	21:40
Removed	native k8s workers and operator	OTHER	In Scope	21:40
Removed	spacelift intent	OTHER	In Scope	21:40
Removed	*.app.spacelift.dev	URL	In Scope	21:40
Removed	https://spacelift.dev/	URL	In Scope	21:40
Added	session keeps using old user group permissions if user group permissions are changed during a given session's lifespan	OTHER	Out of Scope	00:33
Added	bypasses of user or api key creation limits (including via race conditions or business logic issues)	OTHER	Out of Scope	00:33
Added	contact form (especially hubspot ones)	OTHER	Out of Scope	00:33
Added	any other spacelift assets not specifically listed as in-scope	OTHER	Out of Scope	00:33
Added	any communication with spacelift colleagues	OTHER	Out of Scope	00:33
Added	attacks against any account other than the specified target accounts	OTHER	Out of Scope	00:33
Added	data breaches or credential dumps	OTHER	Out of Scope	00:33
Added	third-party companies that perform business transactions for spacelift	OTHER	Out of Scope	00:33