Spacelift.io - Bug Bounty Program

About

Please keep the testing scope *only .app.spacelift.dev and spacelift.dev are included
Please do not test the contact forms (especially HubSpot** one)

Features in 20% Bonus scope

1. Native K8S workers to manage these worker pools efficiently and K8S operators to manage Spacelift resources.
   Reference: https://docs.spacelift.io/vendors/kubernetes/getting-started
   Reference: https://docs.spacelift.io/integrations/kubernetes/operator

2. The OIDC-based API keys can be used as an alternative to secret-based ones today.
   Reference: https://docs.spacelift.io/integrations/api.html#oidc-based-api-keys

3. The MFA feature allows you to protect your external IdP session using security keys (FIDO2) managed in Spacelift. Even if your IDP account is compromised, it brings your identity as the last line of defense.
   Reference: https://spacelift-user-documentation-pr-396.onrender.com/product/security/mfa.html#multi-factor-authentication-mfa

For those features, all payouts will be increased by 20%

Bounty Program

At Spacelift, your security is our first and foremost priority. We're aware of the utmost importance of security in our service, and we're grateful for your trust. Here's what we're doing to earn and maintain this trust and to keep Spacelift secure by design. If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you!

In-scope vulnerabilities will be rewarded based on severity following remediation. The Spacelift private bug bounty program accepts vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and or availability of the services in scope. By participating in the Spacelift private bounty program you agree to follow all of the requirements below. We look forward to working with you to find security vulnerabilities in order to keep our businesses and customers safe. We’ll try to keep you informed about our progress throughout the process.

Rewards

We offer a reward for every report of a security problem that was not yet known to us. The amount of the reward will be determined based on the severity of the leak and the quality of the report. Our rewards are based on severity per CVSS v3.0 (the Common Vulnerability Scoring Standard). Please note these are general guidelines and that reward decisions are up to the discretion of Spacelift.

Program Rules

Testing Policy and Responsible Disclosure

Please adhere to the following rules while performing research on this program:

• Don't contact/send payloads against contact forms (especially HubSpot ones), there are people behind - it's annoying.
• Denial of service (DoS) attacks on Spacelift.io applications, servers, networks or infrastructure are strictly forbidden.
• Avoid tests that could cause degradation or interruption of our services.
• Do not use automated scanners or tools that generate a large amounts of network traffic.
• Do not leak, manipulate, or destroy any user data or files in any of our applications/servers.
• Do not copy any files from our applications/servers and disclose them.
• No vulnerability disclosure, full, partial, or otherwise, is allowed.

Reports of leaks and exposed credentials

In the context of this program, we do not intend to encourage, accept or reward reports of leaks that are not applicable to our program’s scope and identified outside of our program’s scope, such as:

• Exposed credentials in/from an out-of-scope asset/source
• Sensitive information exposed in/from an out-of-scope asset/source

Also, in order not to encourage dark and grey economies, in particular the purchase, resale and trade of identifiers or stolen information, as well as all types of dangerous behavior (e.g. social engineering, ...), we will not accept or reward any report based on information whose source is not the result of failure on the part of our organization or one of our employees/service providers.

This excludes, but is not limited to:

• Stolen credentials gathered from unidentified sources (e.g. …)
• Exposed credentials that are not applicable on the program’s scope
• Exposed GitHub/GitLab (or similar) instance with no direct relation with our program’s scope
• Exposed secrets (e.g. API tokens/keys or other technical credentials) that are not directly related to the program’s scope
• Exposed PII on an out-of-scope asset

To summarize our policy, you may refer to this table :

Important precautions and limitations

As a complement to the Program’s rules and testing policy :

• DO NOT alter compromised accounts by creating, deleting or modifying any data
• DO NOT use compromised accounts to search for post-auth vulnerabilities (they won’t be eligible anyway)
• DO NOT include Personally Identifiable Information (PII) in your report and please REDACT/OBFUSCATE the PII that is part of your PoC (screenshot, server response, JSON file, etc.) as much as possible.
• In case of exposed credentials or secrets, limit yourself to verifying the credentials validity
• In case of sensitivie information leak, DO NOT extract/copy every document or data that is exposed and limit yourself to describe and list what is exposed.

Reward Eligibility

• Only the preproduction environment is within the scope of the bounty program https://*.spacelift.dev/
• Do not collect any personally identifiable information or authentication information from other Spacelift clients.
• Do not destroy or alter discovered data.
• Do not inappropriately store Spacelift information in public locations, i.e., GitHub.
• Do not intentionally harm other users as well as their experience.
• Do not publicly or privately disclose any vulnerabilities belonging to Spacelift - existing or remediated – to anyone other than Spacelift.
• Only submit vulnerability reports using the YesWeHack platform.
• A bounty is only eligible for a payout if the exploited vulnerability is unknown and can be reproduced.
• Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
• Submit one vulnerability per the report unless you need to chain vulnerabilities to provide impact.
• When duplicates occur, we only award the first report received (provided that it can be fully reproduced).
• Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
• Social engineering (e.g., phishing, vishing, smishing) is prohibited.
• Limit automation/rate scraping to 100 requests per minute.
• Employers/Contractors can participate, excluding functionalities/code written by themself.

Submission Requirements

Reward amounts are based on:

• Reward grid of the report's scope
• CVSS scoring and actual business impact of the vulnerability upon performing risk analysis

You can check our documentation here