Dynatrace HackerOne


Target Policy
https://hackerone.com/dynatrace?type=team
Structured Scope
  • Asset Identifier
    Asset Type
    Max Severity
  • Dynatrace ActiveGate

    ActiveGate is a secure proxy that connects Dynatrace OneAgents to Dynatrace Clusters or other ActiveGates. For more details please have a look at the Useful tips section of the policy or our [support page](https://www.dynatrace.com/support/help/setup-and-configuration/dynatrace-activegate).

    DOWNLOADABLE_EXECUTABLES
    critical
  • *.sprint.apps.dynatracelabs.com

    Wildcard domain for your Dynatrace Platform environment, sometimes also called 3rd gen.
    This is your default testing environment. Once you request your testing environment you will be redirected to this environment.

    API endpoints:
    - <environment-id>.sprint.apps.dynatracelabs.com/platform/swagger-ui/index.html

    How to Switch Between APIs:
    1. Navigate to the top right corner of the page.
    2. Locate the drop-down box next to "Select a Definition."
    3. Click on the drop-down box.
    4. Choose the desired API from the available options.

    WILDCARD
    critical
  • sso-sprint.dynatracelabs.com

    This domain is used in our single sign-on solution; you will see it, for example, during the login process.

    URL
    critical
  • *.sprint.dynatracelabs.com

    Wildcard domain for your 2nd gen testing environments - an older but fully supported and regularly updated version of our product.

    To get there, follow the steps described in our Policy page under "how to access your 2nd gen environment".

    API endpoints:
    * <environment-id>.sprint.dynatracelabs.com/rest-api-doc/index.jsp

    How to Switch Between APIs:
    1. Navigate to the top right corner of the page.
    2. Locate the drop-down box next to "Select a Definition."
    3. Click on the drop-down box.
    4. Choose the desired API from the available options.

    WILDCARD
    critical
  • Dynatrace OneAgent

    OneAgent is responsible for collecting all monitoring data within your environment.
    For more details please have a look at the "Useful tips" section of the policy or our [support page](https://www.dynatrace.com/support/help/setup-and-configuration/dynatrace-oneagent/installation-and-operation).

    DOWNLOADABLE_EXECUTABLES
    critical
  • Tier 1

    This is not an actual asset. It only serves to make the bounty table more understandable. Assets which are in Tier 1 have a high security standard and are rewarded with a higher bounty.

    OTHER
    critical
  • https://github.com/Dynatrace

    Please note that only the following repositories are in scope:
    - [OneAgent-Ansible](https://github.com/Dynatrace/Dynatrace-OneAgent-Ansible)
    - [configuration-as-code](https://github.com/Dynatrace/dynatrace-configuration-as-code)
    - [configuration-as-code-core](https://github.com/Dynatrace/dynatrace-configuration-as-code-core)
    - [dynatrace-operator](https://github.com/Dynatrace/dynatrace-operator)
    - [dynatrace-otel-collector](https://github.com/Dynatrace/dynatrace-otel-collector)
    - [heroku-buildpack-dynatrace](https://github.com/Dynatrace/heroku-buildpack-dynatrace)
    - [backstage-plugin](https://github.com/Dynatrace/backstage-plugin)
    - [swift-mobile-sdk](https://github.com/Dynatrace/swift-mobile-sdk)
    - [dynatrace-bootstrapper](https://github.com/Dynatrace/dynatrace-bootstrapper)
    - [OneAgent-SDK-for-Java](https://github.com/Dynatrace/OneAgent-SDK-for-Java)
    - [openkit-js](https://github.com/Dynatrace/openkit-js)
    - [agent-nodejs](https://github.com/Dynatrace/agent-nodejs)
    - [Log-Security-Rules-Checker](https://github.com/Dynatrace/Dynatrace-Log-Security-Rules-Checker)

    Do not perform any tests against [https://github.com](https://github.com/).

    SOURCE_CODE
    critical
  • All Other Assets

    Used for asset classification only, please have a look at the policy page or the rewards section.

    OTHER
    none
  • easyTravel demo application

    This is a demo application which helps you fill your testing environment with data. For more details please have a look at the "Useful tips" section of the policy or our [community page](https://community.dynatrace.com/t5/Start-with-Dynatrace/easyTravel-Documentation-and-Download/m-p/181271).

    DOWNLOADABLE_EXECUTABLES
    none
  • Dynatrace Synthetic

    Dynatrace Synthetic can be found in the regular Tenant UI (under the Synthetic tab in the left-hand menu pane). For more information on DT Synthetic, please visit https://www.dynatrace.com/support/help/how-to-use-dynatrace/synthetic-monitoring/

    OTHER
    critical
  • Tier 2
    OTHER
    critical
  • http://*.sprint.dynatracelabs.com

    Please only test the domain you have retrieved from HackerOne's credential manager. Our subdomains follow a specific format - LLLNNNNN (3 lowercase letters, 5 numbers). Only test the domain listed under "TenantURL".

    WILDCARD
    critical
  • https://github.com/Dynatrace-oss-contrib

    Please be aware that only analysis of our source code is allowed. Do not perform any tests against [https://github.com](https://github.com/).

    SOURCE_CODE
    none
  • account-sprint.dynatracelabs.com

    This is the old domain for our account management; the new domain is myaccount-hardening.dynatracelabs.com. Since the old domain is still used in some parts of our software, it is still in scope.

    URL
    critical
  • Core Assets

    Used for asset classification only, please have a look at the policy page or the rewards section.

    OTHER
    critical
  • myaccount-hardening.dynatracelabs.com

    Myaccount is the place where you can manage your license, subscriptions, users, groups, policies and more.
    For more details please have a look at the "Useful tips" section of the policy or our [support page](https://www.dynatrace.com/support/help/manage/account-management).

    API endpoints:
    - https://api-hardening.internal.dynatracelabs.com/spec/

    URL
    critical
  • All other Assets

    Used for asset classification only, please have a look at the policy page or the rewards section.

    OTHER
    critical
  • https://github.com/keptn

    Please be aware that only analysis of our source code is allowed. Do not perform any tests against [https://github.com](https://github.com/).

    SOURCE_CODE
    critical
  • *.dynatrace.com

    This is our corporate website and it is out of scope of this program.

    WILDCARD
    none
  • Dynatrace MobileAgent

    The MobileAgent can be used to monitor Android or iOS apps.
    For more details please have a look at the "Useful tips" section of the policy or our [support page](https://www.dynatrace.com/support/help/platform-modules/digital-experience/mobile-applications).

    DOWNLOADABLE_EXECUTABLES
    critical
  • https://github.com/Dynatrace-innovationlab

    Please be aware that only analysis of our source code is allowed. Do not perform any tests against [https://github.com](https://github.com/).

    SOURCE_CODE
    critical
  • university-staging.dynatracelabs.com

    University is a learning platform which offers courses that help improve your knowledge about Dynatrace. Use the "**University Login**" button and your already claimed credentials.

    URL
    critical
Target Scope Domains
  • account-sprint.dynatracelabs.com
  • myaccount-hardening.dynatracelabs.com
  • sprint.apps.dynatracelabs.com
  • sprint.dynatracelabs.com
  • sso-sprint.dynatracelabs.com
  • university-staging.dynatracelabs.com
Tech Stack

Last Finished Scan:
  • Fleet: allkxss
  • Duration: 23 Seconds
  • Finished: 2 weeks, 6 days ago
  • State: Finished