Bug bounty
Public

Spacelift.io - Bug Bounty Program

Spacelift is a sophisticated CI/CD platform for Terraform, CloudFormation, Pulumi, and Kubernetes

Reward

Bounty
Hall of fame
$50
Low: $120
Medium: $600
High: $1,440
Critical: $3,600

Program

Avg reward: -
Max reward: -
Scopes: 5

Supported languages
English
Polish

Hacktivity

Reports: 185
1st response: < 1 day
Reports last 24h: 1
Reports last week: 10
Reports this month: -

About

Please keep to the testing scope: only *.app.spacelift.dev and spacelift.dev are included.
Please do not test the contact forms (especially the HubSpot one).

Features in 20% Bonus scope

  1. Native K8S workers, to manage worker pools efficiently, and K8S operators, to manage Spacelift resources.
    Reference: https://docs.spacelift.io/vendors/kubernetes/getting-started
    Reference: https://docs.spacelift.io/integrations/kubernetes/operator

  2. The OIDC-based API keys can be used as an alternative to secret-based ones today.
    Reference: https://docs.spacelift.io/integrations/api.html#oidc-based-api-keys

  3. The MFA feature allows you to protect your external IdP session using security keys (FIDO2) managed in Spacelift. Even if your IdP account is compromised, it provides a last line of defense for your identity.
    Reference: https://spacelift-user-documentation-pr-396.onrender.com/product/security/mfa.html#multi-factor-authentication-mfa

For those features, all payouts will be increased by 20%.

Bounty Program

At Spacelift, your security is our first and foremost priority. We're aware of the utmost importance of security in our service, and we're grateful for your trust. Here's what we're doing to earn and maintain this trust and to keep Spacelift secure by design. If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you!

In-scope vulnerabilities will be rewarded based on severity following remediation. The Spacelift private bug bounty program accepts vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and/or availability of the services in scope. By participating in the Spacelift private bounty program you agree to follow all of the requirements below. We look forward to working with you to find security vulnerabilities in order to keep our businesses and customers safe. We'll try to keep you informed about our progress throughout the process.

Rewards

We offer a reward for every report of a security problem that was not yet known to us. The amount of the reward will be determined based on the severity of the vulnerability and the quality of the report. Our rewards are based on severity per CVSS v3.0 (the Common Vulnerability Scoring System). Please note these are general guidelines and that reward decisions are up to the discretion of Spacelift.

Program Rules

Testing Policy and Responsible Disclosure

Please adhere to the following rules while performing research on this program:

  • Don't contact or send payloads against contact forms (especially HubSpot ones); real people receive those submissions, and it is annoying for them.
  • Denial of service (DoS) attacks on Spacelift.io applications, servers, networks or infrastructure are strictly forbidden.
  • Avoid tests that could cause degradation or interruption of our services.
  • Do not use automated scanners or tools that generate large amounts of network traffic.
  • Do not leak, manipulate, or destroy any user data or files in any of our applications/servers.
  • Do not copy any files from our applications/servers and disclose them.
  • No vulnerability disclosure, full, partial, or otherwise, is allowed.

Reports of leaks and exposed credentials

In the context of this program, we do not intend to encourage, accept or reward reports of leaks that are not applicable to our program’s scope and identified outside of our program’s scope, such as:

  • Exposed credentials in/from an out-of-scope asset/source
  • Sensitive information exposed in/from an out-of-scope asset/source

Also, in order not to encourage dark and grey economies (in particular the purchase, resale and trade of identifiers or stolen information) and all types of dangerous behavior (e.g. social engineering, ...), we will not accept or reward any report based on information whose source is not the result of a failure on the part of our organization or one of our employees/service providers.

This exclusion includes, but is not limited to:

  • Stolen credentials gathered from unidentified sources (e.g. …)
  • Exposed credentials that are not applicable on the program’s scope
  • Exposed GitHub/GitLab (or similar) instance with no direct relation with our program’s scope
  • Exposed secrets (e.g. API tokens/keys or other technical credentials) that are not directly related to the program’s scope
  • Exposed PII on an out-of-scope asset

To summarize our policy, you may refer to this table:

                                                                          | Source of leak is in-scope | Source of leak belongs to Spacelift but is out-of-scope | Source of leak does not belong to Spacelift and is out-of-scope
Impact is in-scope (e.g. valid credentials on an in-scope asset)          | Eligible                   | Eligible                                                | Not Eligible
Impact is out-of-scope (e.g. valid credentials for an out-of-scope asset) | Eligible                   | Not Eligible                                            | Not Eligible

Important precautions and limitations

As a complement to the Program's rules and testing policy:

  • DO NOT alter compromised accounts by creating, deleting or modifying any data
  • DO NOT use compromised accounts to search for post-auth vulnerabilities (they won’t be eligible anyway)
  • DO NOT include Personally Identifiable Information (PII) in your report and please REDACT/OBFUSCATE the PII that is part of your PoC (screenshot, server response, JSON file, etc.) as much as possible.
  • In case of exposed credentials or secrets, limit yourself to verifying the credentials' validity.
  • In case of a sensitive information leak, DO NOT extract/copy every document or data item that is exposed; limit yourself to describing and listing what is exposed.

Reward Eligibility

  • Only the preproduction environment is within the scope of the bounty program https://*.spacelift.dev/
  • Do not collect any personally identifiable information or authentication information from other Spacelift clients.
  • Do not destroy or alter discovered data.
  • Do not inappropriately store Spacelift information in public locations, e.g., GitHub.
  • Do not intentionally harm other users or their experience.
  • Do not publicly or privately disclose any vulnerabilities belonging to Spacelift, existing or remediated, to anyone other than Spacelift.
  • Only submit vulnerability reports using the YesWeHack platform.
  • A bounty is only eligible for a payout if the exploited vulnerability is unknown and can be reproduced.
  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
  • Submit one vulnerability per report unless you need to chain vulnerabilities to demonstrate impact.
  • When duplicates occur, we only award the first report received (provided that it can be fully reproduced).
  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
  • Social engineering (e.g., phishing, vishing, smishing) is prohibited.
  • Limit automation/rate scraping to 100 requests per minute.
  • Employees/Contractors can participate, excluding functionalities/code written by themselves.

Submission Requirements

Reward amounts are based on:

  • Reward grid of the report's scope
  • CVSS scoring and actual business impact of the vulnerability upon performing risk analysis

You can check our documentation here.

Reward

Asset value | CVSS Low | CVSS Medium | CVSS High | CVSS Critical
High        | $120     | $600        | $1,440    | $3,600
Low         | $100     | $500        | $1,200    | $3,000

Scopes

Scope                           | Type            | Asset value | Low  | Medium | High   | Critical
https://spacelift.dev/          | Web application | Low         | $100 | $500   | $1,200 | $3,000
https://*.app.spacelift.dev     | Web application | Low         | $100 | $500   | $1,200 | $3,000
Native K8S workers and operator | Application     | High        | $120 | $600   | $1,440 | $3,600
OIDC-based API keys             | Application     | High        | $120 | $600   | $1,440 | $3,600
MFA                             | Application     | High        | $120 | $600   | $1,440 | $3,600

Out of scope

  • Session keeps using old user group permissions if user group permissions are changed during a given session's lifespan
  • Contact form (especially HubSpot ones)
  • Any other Spacelift assets not specifically listed as in-scope.
  • Any communication with Spacelift colleagues.
  • Attacks against any account other than the specified target accounts.
  • Data breaches or credential dumps.
  • Third-party companies that perform business transactions for Spacelift

Vulnerability types

Qualifying vulnerabilities

  • SQL Injection (SQLi)
  • Cross-Site Scripting (XSS)
  • Remote Code Execution (RCE) after container escape
  • Horizontal and vertical privilege escalation
  • Authentication bypass & broken authentication
  • Business Logic Errors vulnerability with real security impact
  • Local files access and manipulation (LFI, RFI, XXE, XSPA)
  • Cross-Origin Resource Sharing (CORS) with real security impact
  • Cross-site Request Forgery (CSRF) with real security impact
  • Open Redirect
  • Exposed secrets, credentials or sensitive information on an asset under our control and affecting at least one of our scopes

Non-qualifying vulnerabilities

  • Remote Code Execution (RCE) on the worker level.
  • Importing executable files is possible by design. However, a working PoC against the application will be accepted.
  • All SSRFs are currently excluded from the scope as we are redesigning the way of handling them.
  • Broken Link/Social media Hijacking
  • Tabnabbing
  • Missing cookie flags
  • Content/Text injections
  • Clickjacking/UI redressing
  • Denial of Service (DoS) attacks
  • Recently disclosed CVEs (less than 30 days since patch release)
  • CVEs without exploitable vulnerabilities and PoC
  • Open ports or services without exploitable vulnerabilities and PoC
  • Social engineering of staff or contractors
  • Presence of autocomplete attribute on web forms
  • Vulnerabilities affecting outdated browsers or platforms
  • Self-XSS or XSS that cannot be used to impact other users
  • Any hypothetical flaw or best practices without exploitable vulnerabilities and PoC
  • SSL/TLS issues (e.g. expired certificates, best practices)
  • Unexploitable vulnerabilities (e.g. Self-XSS, XSS or Open Redirect through HTTP headers...)
  • Reports with attack scenarios requiring MITM or physical access to victim's device
  • Missing security-related HTTP headers which do not lead directly to an exploitable vulnerability and PoC
  • Low severity Cross-Site Request Forgery (CSRF) (e.g. Unauthenticated / Logout / Login / Products cart updates...)
  • Invalid or missing email security records (e.g. SPF, DKIM, DMARC)
  • Session management issues (e.g. lack of expiration, no logout on password change, concurrent sessions)
  • Disclosure of information without exploitable vulnerabilities and PoC (e.g. stack traces, path disclosure, directory listings, software versions, IP disclosure, 3rd party secrets, EXIF Metadata, Origin IP)
  • CSV injection
  • Malicious file upload (e.g. EICAR files, .EXE)
  • HTTP Strict Transport Security Header (HSTS)
  • Subdomain takeover without a full exploitable vulnerability and PoC or not applicable to the scope
  • Blind SSRF without exploitable vulnerabilities and PoC (e.g. DNS & HTTP pingback, Wordpress XMLRPC)
  • Lack or bypass of rate-limiting, brute-forcing or captcha issues
  • User enumeration (e.g. email, alias, GUID, phone number, common CMS endpoints)
  • Weak password policies (e.g. length, complexity, reuse)
  • Ability to spam users (email / SMS / direct messages flooding)
  • Disclosed or misconfigured public API keys (e.g. Google Maps, Firebase, analytics tools...)
  • Password reset token sent via HTTP referer to external services (e.g. analytics / ads platforms)
  • Stolen secrets, credentials or information gathered from a third-party asset that we have no control over
  • Exposed secrets, credentials or information on an asset under our control that are not applicable to the program’s scope
  • Pre-account takeover (e.g. account creation via OAuth)
  • GraphQL Introspection is enabled

Hunting requirements

Account access

Spacelift.dev App

Please use your GitHub, Google, GitLab, or Microsoft account associated with the YesWeHack email aliases, which are available here, for account creation.

We ask you to include the email as an email-alias in the X-BugBounty header.

User agent

Please append the following value to your User-Agent header: ' X-BugBounty-email-alias '.

Hunters collaboration

When submitting a new report, you can add up to 5 collaborators and define the reward split ratio.

For more information, see help center.
Note: For reports that have already been rewarded, it is not possible to redistribute the rewards.

To submit a vulnerability report, you need to log in with your hunter account.