spacelift-io-bug-bounty-program
6
In Scope
8
Out of Scope
In-Scope Assets (6)
| Asset | Category | Bounty | Quick Links | |
|---|---|---|---|---|
| MFA | OTHER | Yes | - | |
| Native K8S workers and operator | OTHER | Yes | - | |
| OIDC-based API keys | OTHER | Yes | - | |
| Spacelift Intent | OTHER | Yes | - | |
| https://*.app.spacelift.dev | URL | Yes | ||
| https://spacelift.dev/ | URL | Yes |
Out-of-Scope Assets (8)
| Asset | Category | Bounty | |
|---|---|---|---|
| Any communication with Spacelift colleagues. | OTHER | Yes | |
| Any other Spacelift assets not specifically listed as in-scope. | OTHER | Yes | |
| Attacks against any account other than the specified target accounts. | OTHER | Yes | |
| Bypasses of user or API key creation limits (including via race conditions or business logic issues) | OTHER | Yes | |
| Contact form (especially HubSpot ones) | OTHER | Yes | |
| Data breaches or credential dumps. | OTHER | Yes | |
| Session keeps using old user group permissions if user group permissions are changed during a given session's lifespan | OTHER | Yes | |
| Third-party companies that perform business transactions for Spacelift | OTHER | Yes |
Scope Changes (50)
Feb 25, 2026
| Change | Asset | Category | Scope | Time |
|---|---|---|---|---|
| Added | https://spacelift.dev/ | URL | In Scope | 19:08 |
| Added | oidc-based api keys | OTHER | In Scope | 19:08 |
| Added | mfa | OTHER | In Scope | 19:08 |
| Added | session keeps using old user group permissions if user group permissions are changed during a given session's lifespan | OTHER | Out of Scope | 19:08 |
| Added | bypasses of user or api key creation limits (including via race conditions or business logic issues) | OTHER | Out of Scope | 19:08 |
| Added | any communication with spacelift colleagues | OTHER | Out of Scope | 19:08 |
| Added | data breaches or credential dumps | OTHER | Out of Scope | 19:08 |
| Added | third-party companies that perform business transactions for spacelift | OTHER | Out of Scope | 19:08 |
| Added | *.app.spacelift.dev | WILDCARD | In Scope | 19:08 |
| Added | spacelift intent | OTHER | In Scope | 19:08 |
| Added | native k8s workers and operator | OTHER | In Scope | 19:08 |
| Added | contact form (especially hubspot ones) | OTHER | Out of Scope | 19:08 |
| Added | any other spacelift assets not specifically listed as in-scope | OTHER | Out of Scope | 19:08 |
| Added | attacks against any account other than the specified target accounts | OTHER | Out of Scope | 19:08 |
Feb 22, 2026
| Change | Asset | Category | Scope | Time |
|---|---|---|---|---|
| Added | any communication with spacelift colleagues | OTHER | Out of Scope | 00:51 |
| Added | attacks against any account other than the specified target accounts | OTHER | Out of Scope | 00:51 |
| Added | spacelift intent | OTHER | In Scope | 00:51 |
| Added | native k8s workers and operator | OTHER | In Scope | 00:51 |
| Added | oidc-based api keys | OTHER | In Scope | 00:51 |
| Added | any other spacelift assets not specifically listed as in-scope | OTHER | Out of Scope | 00:51 |
| Added | data breaches or credential dumps | OTHER | Out of Scope | 00:51 |
| Added | third-party companies that perform business transactions for spacelift | OTHER | Out of Scope | 00:51 |
| Added | https://spacelift.dev/ | URL | In Scope | 00:51 |
| Added | *.app.spacelift.dev | WILDCARD | In Scope | 00:51 |
| Added | mfa | OTHER | In Scope | 00:51 |
| Added | session keeps using old user group permissions if user group permissions are changed during a given session's lifespan | OTHER | Out of Scope | 00:51 |
| Added | bypasses of user or api key creation limits (including via race conditions or business logic issues) | OTHER | Out of Scope | 00:51 |
| Added | contact form (especially hubspot ones) | OTHER | Out of Scope | 00:51 |
Feb 21, 2026
| Change | Asset | Category | Scope | Time |
|---|---|---|---|---|
| Removed | data breaches or credential dumps | OTHER | Out of Scope | 21:40 |
| Removed | *.app.spacelift.dev | URL | In Scope | 21:40 |
| Removed | spacelift intent | OTHER | In Scope | 21:40 |
| Removed | native k8s workers and operator | OTHER | In Scope | 21:40 |
| Removed | oidc-based api keys | OTHER | In Scope | 21:40 |
| Removed | mfa | OTHER | In Scope | 21:40 |
| Removed | session keeps using old user group permissions if user group permissions are changed during a given session's lifespan | OTHER | Out of Scope | 21:40 |
| Removed | bypasses of user or api key creation limits (including via race conditions or business logic issues) | OTHER | Out of Scope | 21:40 |
| Removed | contact form (especially hubspot ones) | OTHER | Out of Scope | 21:40 |
| Removed | any other spacelift assets not specifically listed as in-scope | OTHER | Out of Scope | 21:40 |
| Removed | any communication with spacelift colleagues | OTHER | Out of Scope | 21:40 |
| Removed | attacks against any account other than the specified target accounts | OTHER | Out of Scope | 21:40 |
| Removed | https://spacelift.dev/ | URL | In Scope | 21:40 |
| Removed | third-party companies that perform business transactions for spacelift | OTHER | Out of Scope | 21:40 |
| Added | session keeps using old user group permissions if user group permissions are changed during a given session's lifespan | OTHER | Out of Scope | 00:33 |
| Added | bypasses of user or api key creation limits (including via race conditions or business logic issues) | OTHER | Out of Scope | 00:33 |
| Added | contact form (especially hubspot ones) | OTHER | Out of Scope | 00:33 |
| Added | any other spacelift assets not specifically listed as in-scope | OTHER | Out of Scope | 00:33 |
| Added | any communication with spacelift colleagues | OTHER | Out of Scope | 00:33 |
| Added | attacks against any account other than the specified target accounts | OTHER | Out of Scope | 00:33 |
| Added | data breaches or credential dumps | OTHER | Out of Scope | 00:33 |
| Added | third-party companies that perform business transactions for spacelift | OTHER | Out of Scope | 00:33 |