Elastic HackerOne


Target Policy
https://hackerone.com/elastic?type=team
Structured Scope
  • Columns for each entry below: Asset Identifier, Asset Type, Max Severity
  • https://github.com/elastic/logstash
    SOURCE_CODE
    critical
  • elastic-cloud.com
    URL
    critical
  • https://github.com/elastic/kibana
    SOURCE_CODE
    critical
  • https://github.com/elastic/elasticsearch

    This includes the codebase and the running application

    SOURCE_CODE
    critical
  • Beats - Auditbeat

    Must be a supported version: https://www.elastic.co/support/eol

    Includes
    - All platforms: https://www.elastic.co/downloads/beats/auditbeat
    - Docker container: https://www.docker.elastic.co/r/beats/auditbeat
    - Source code: https://github.com/elastic/beats/tree/main/auditbeat

    DOWNLOADABLE_EXECUTABLES
    critical
  • elasticsearch-ci.elastic.co

    This includes:
    - https://apm-ci.elastic.co/
    - https://beats-ci.elastic.co/
    - https://clients-ci.elastic.co/
    - https://cloud-ci.elastic.co/
    - https://devops-ci.elastic.co/
    - https://elasticsearch-ci.elastic.co/
    - https://infra-ci.elastic.co/
    - https://internal-ci.elastic.co/
    - https://kibana-ci.elastic.co/
    - https://logstash-ci.elastic.co/
    - https://swiftype-ci.elastic.co/

    Our CI infrastructure is public on purpose, as we are an open organization. We do not accept reports that a CI instance is publicly reachable; this is not an accident.

    We also do not build our releases on these CI instances, which helps us avoid critical findings on these systems.

    Some examples of reports we will accept:
    * Leaked credentials (actual leaks, not theoretical leaks because the CI is public)
    * Outdated CI instances with known vulnerabilities
    * Misconfigured CI instances that could allow an attacker to do something unexpected

    URL
    critical
  • https://github.com/elastic/beats
    SOURCE_CODE
    critical
  • *.elastic-cloud.com
    WILDCARD
    critical
  • info.elastic.co
    URL
    none
  • Fleet Server

    Setup (Included in Elastic Cloud): https://www.elastic.co/guide/en/fleet/8.8/fleet-server.html
    Source: https://github.com/elastic/fleet-server

    DOWNLOADABLE_EXECUTABLES
    critical
  • *.ctf.elstc.co
    WILDCARD
    none
  • other

    If you found something that we own that is not explicitly listed as in-scope, please file it under this asset for us to investigate. We don't want our scope section to stop you from finding us vulnerabilities!

    OTHER
    critical
  • Software Supply Chain

    Includes threats highlighted by SLSA https://slsa.dev/spec/v0.1/threats

    - Source
    - Build
    - Dependencies
    - Package

    Specifically

    - Github Workflows @ https://github.com/elastic - look under the .github/workflows directory
    - Dependency Confusion
    - Actual credential exfiltration or leaks (not theoretical) from build services (below)
    - Command injection against build service

    **Build Services**

    Buildkite - https://buildkite.com/elastic

    Github Actions - https://github.com/elastic/

    Jenkins
    - https://elasticsearch-ci.elastic.co
    - https://apm-ci.elastic.co/
    - https://beats-ci.elastic.co/
    - https://clients-ci.elastic.co/
    - https://cloud-ci.elastic.co/
    - https://devops-ci.elastic.co/
    - https://elasticsearch-ci.elastic.co/
    - https://infra-ci.elastic.co/
    - https://internal-ci.elastic.co/
    - https://kibana-ci.elastic.co/
    - https://logstash-ci.elastic.co/
    - https://swiftype-ci.elastic.co/

    OTHER
    critical
  • Elastic Clients

    Includes

    - Java Client: https://www.elastic.co/guide/en/elasticsearch/client/java-api-client/current/index.html
    - JavaScript Client: https://www.elastic.co/guide/en/elasticsearch/client/javascript-api/current/index.html
    - Ruby Client: https://www.elastic.co/guide/en/elasticsearch/client/ruby-api/current/index.html
    - Go Client: https://www.elastic.co/guide/en/elasticsearch/client/go-api/current/index.html
    - .NET Client: https://www.elastic.co/guide/en/elasticsearch/client/net-api/current/index.html
    - PHP Client: https://www.elastic.co/guide/en/elasticsearch/client/php-api/current/index.html
    - Perl Client: https://www.elastic.co/guide/en/elasticsearch/client/perl-api/current/index.html
    - Python Client: https://www.elastic.co/guide/en/elasticsearch/client/python-api/current/index.html
    - Eland Client: https://www.elastic.co/guide/en/elasticsearch/client/eland/current/index.html
    - Rust Client: https://www.elastic.co/guide/en/elasticsearch/client/rust-api/current/index.html

    OTHER
    critical
  • Elastic Maps Server

    Must be a supported version: https://www.elastic.co/support/eol

    Includes
    - Download: https://www.elastic.co/downloads/elastic-maps-server

    DOWNLOADABLE_EXECUTABLES
    critical
  • Elastic Synthetics Monitoring

    To get access, do the following steps:

    1. Create a new Observability deployment on cloud.elastic.co using an account with your @wearehackerone.com email alias.
    2. See https://www.elastic.co/docs/solutions/observability/synthetics/create-monitors-ui to set up a monitor

    OTHER
    critical
  • Observability - APM Agents

    Must be a supported version: https://www.elastic.co/support/eol

    Includes
    - .NET Agent: https://www.elastic.co/guide/en/apm/agent/dotnet/current/setup.html
    - .NET Agent Source: https://github.com/elastic/apm-agent-dotnet
    - Java Agent: https://www.elastic.co/guide/en/apm/agent/java/current/setup.html
    - Java Agent Source: https://github.com/elastic/apm-agent-java
    - JavaScript RUM Agent: https://www.elastic.co/guide/en/apm/agent/rum-js/current/getting-started.html
    - JavaScript RUM Agent Source: https://github.com/elastic/apm-agent-rum-js
    - Go Agent: https://www.elastic.co/guide/en/apm/agent/go/current/getting-started.html
    - Go Agent Source: https://github.com/elastic/apm-agent-go
    - Node.js Agent: https://www.elastic.co/guide/en/apm/agent/nodejs/current/set-up.html
    - Node.js Agent Source: https://github.com/elastic/apm-agent-nodejs
    - PHP Agent: https://www.elastic.co/guide/en/apm/agent/php/current/setup.html
    - PHP Agent Source: https://github.com/elastic/apm-agent-php
    - Python Agent: https://www.elastic.co/guide/en/apm/agent/python/current/set-up.html
    - Python Agent Source: https://github.com/elastic/apm-agent-python
    - Ruby Agent: https://www.elastic.co/guide/en/apm/agent/ruby/current/set-up.html
    - Ruby Agent Source: https://github.com/elastic/apm-agent-ruby

    DOWNLOADABLE_EXECUTABLES
    critical
  • Elastic Defend

    Elastic Defend provides organizations with prevention, detection, and response capabilities with deep visibility for EPP, EDR, SIEM, and Security Analytics use cases across Windows, macOS, and Linux operating systems running on both traditional endpoints and public cloud environments.

    In-Scope:

    * Local Privilege Escalation (LPE): Any finding that allows an attacker with lower privileges to execute code or gain privileges as a higher-privileged user, e.g. from a standard user to SYSTEM or administrator.
    * Confidentiality of Data: A non-administrative local or unauthorized remote attacker can view Elastic Defend logs or events.
    * Unauthorized Command and Control: A non-administrative local or unauthorized remote attacker can configure or control Elastic Defend through a mechanism such as response actions or policy updates.
    * System Crash from Unprivileged User: If the actions of a non-administrative user can cause Elastic Defend to bug check the system, we want to know about and fix this. Note that this does not apply to administrators, since administrators can already change system/driver configuration and/or modify kernel memory.

    Out-of-Scope:

    * Findings that require administrative or root privileges are out of scope. Administrators are very powerful and free to modify or downgrade the OS. Elastic aligns with the MSRC's stance that the boundary between an administrator and the kernel is not a security boundary. [https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria](https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria)
    * Bypassing Tamper Protection as an administrator: Tamper Protection is a defense-in-depth feature and is not intended as a security boundary against an administrator.
    * Physical access vulnerabilities: Findings that require physical access to the device, since users are free to alter the OS via recovery modes or by booting a separate OS.
    * Crashing Defend: Elastic considers crashes to be bugs, but not security bugs. Defend will automatically restart if it crashes. We are interested in hearing about these issues, and may pay a bounty (case-by-case basis).
    * Bypassing a Defend protection (e.g. malware scanning, memory scan, rule): Because no protection is perfect, Elastic Defend employs multiple layers of protection to provide comprehensive system protection. Behavior rule protection bypasses are subject to the [Elastic Bounty Program for Behavior Rule Protections](https://www.elastic.co/security-labs/behavior-rule-bug-bounty).

    DOWNLOADABLE_EXECUTABLES
    critical
  • cloud.elastic.co

    **How to test**

    1. Go to https://cloud.elastic.co/
    2. Click “Sign Up”
    3. Enter your @wearehackerone email and click “Start Free Trial” (you can create multiple trials if necessary)
    4. Find your verification email and click “Verify and Accept”
    5. Set your password
    6. Click “Start Free Trial”

    You should now be able to create an Elasticsearch deployment in any hosted infrastructure you choose. Once you create a deployment, try to find bugs!

    Only the latest supported versions of the Elastic Stack will be eligible for a bounty.

    Bugs describing missing rate limiting on cloud.elastic.co/api/v1/users/_login are out of scope. The API is rate limited but doesn't return a 429.

    URL
    critical
  • Logstash

    Must be a supported version: https://www.elastic.co/support/eol

    Includes
    - All platforms: https://www.elastic.co/downloads/logstash
    - Docker container: https://www.docker.elastic.co/r/logstash
    - Source code: https://github.com/elastic/logstash

    DOWNLOADABLE_EXECUTABLES
    critical
  • discuss.elastic.co
    URL
    none
  • Elastic Package Registry

    - https://github.com/elastic/package-registry
    - https://epr.elastic.co/search?all

    Elastic's package registry is used to pull Elastic packages. Being able to modify our package registry is of particular interest to us.

    OTHER
    critical
  • elastic.co credentials
    OTHER
    low
  • All Elastic Products

    Any Elastic Products (elasticsearch, kibana, endpoint, machine learning, enterprise search, etc)

    OTHER
    critical
  • http://*.elastic.co

    All subdomains are in scope UNLESS OTHERWISE LISTED IN OUT-OF-SCOPE. Local or on-premise Elastic Stack deployments are also IN scope.

    WILDCARD
    critical
  • http://*.found.io

    Exfiltration of data or attacks against any customer clusters will not be eligible for rewards. Local or on-premise Elastic Stack deployments are also in scope. Only the latest supported versions of the Elastic Stack will be eligible for a bounty.

    WILDCARD
    critical
  • http://*.swiftype.com
    WILDCARD
    critical
  • http://*.elstc.co
    WILDCARD
    critical
  • http://*.elasticnet.co
    WILDCARD
    critical
  • http://*.eops.nl
    WILDCARD
    critical
  • http://*.elastic-cloud.com
    WILDCARD
    critical
  • wiki.elastic.co
    URL
    none
  • go.es.co
    URL
    none
  • Other

    If you found something that we own that is not explicitly listed as in-scope, please file it under this asset for us to investigate. We don't want our scope section to stop you from finding us vulnerabilities!

    OTHER
    critical
  • Kibana

    Must be a supported version: https://www.elastic.co/support/eol

    Includes
    - All platforms: https://www.elastic.co/downloads/kibana

    - Docker container: https://www.docker.elastic.co/r/kibana

    - Source code: https://github.com/elastic/kibana

    - Cloud: https://cloud.elastic.co

    DOWNLOADABLE_EXECUTABLES
    critical
  • Elastic Behavior Detections

    Elastic invites security researchers to test our detection (SIEM) and endpoint (EDR) rulesets for potential bypasses, vulnerabilities, and areas for improvement. For this bounty period (Jan 28, 2025 - May 1, 2025), the focus is on Windows behavior detections, particularly on bypassing detection capabilities tied to specific MITRE ATT&CK techniques such as Process Injection, Lateral Movement, Phishing: Spearphishing Attachments, and Impair Defenses.
    We are looking for submissions that demonstrate realistic, high-impact techniques that evade detection, focusing on novel approaches and measurable risks.
    Submissions will be evaluated based on their impact and complexity. The reward tiers are structured as follows:
    - Low: Alerts generated are only low severity
    - Medium: No alerts generated (SIEM or Endpoint)

    For complete details on target rulesets, MITRE techniques, and submission guidelines, view the full scope [here](https://www.elastic.co/security-labs/behavior-rule-bug-bounty?utm_source=publisher-direct&utm_medium=other-hackerone&utm_campaign=bb-gc).

    SOURCE_CODE
    medium
  • https://github.com/swiftype/*/wiki

    Our wikis are meant to be public

    WILDCARD
    none
  • community.elastic.co
    URL
    none
  • https://github.com/elastic/*/wiki

    Our wikis are public on purpose

    WILDCARD
    none
  • learn.elastic.co
    URL
    none
  • elasticon.elastic.co
    URL
    none
  • training.elastic.co
    URL
    none
  • link.email.elastic.co
    URL
    none
  • track.email.elastic.co
    URL
    none
  • sendgrid.elastic.co
    URL
    none
  • *.elasticnet.co
    WILDCARD
    critical
  • *.eops.nl
    WILDCARD
    critical
  • Beats - Filebeat

    Must be a supported version: https://www.elastic.co/support/eol

    Includes
    - All platforms: https://www.elastic.co/downloads/beats/filebeat
    - Docker container: https://www.docker.elastic.co/r/beats/filebeat
    - Source code: https://github.com/elastic/beats/tree/main/filebeat

    DOWNLOADABLE_EXECUTABLES
    critical
  • Beats - Heartbeat

    Must be a supported version: https://www.elastic.co/support/eol

    Includes
    - All platforms: https://www.elastic.co/downloads/beats/heartbeat
    - Docker container: https://www.docker.elastic.co/r/beats/heartbeat
    - Source code: https://github.com/elastic/beats/tree/main/heartbeat

    DOWNLOADABLE_EXECUTABLES
    critical
  • Beats - Packetbeat

    Must be a supported version: https://www.elastic.co/support/eol

    Includes
    - All platforms: https://www.elastic.co/downloads/beats/packetbeat
    - Docker container: https://www.docker.elastic.co/r/beats/packetbeat
    - Source code: https://github.com/elastic/beats/tree/main/packetbeat

    DOWNLOADABLE_EXECUTABLES
    critical
  • Beats - Winlogbeat

    Must be a supported version: https://www.elastic.co/support/eol

    Includes
    - Download: https://www.elastic.co/downloads/beats/winlogbeat
    - Source code: https://github.com/elastic/beats/tree/main/winlogbeat

    DOWNLOADABLE_EXECUTABLES
    critical
  • Elastic Cloud Enterprise (ECE)

    Must be a supported version: https://www.elastic.co/support/eol

    Includes
    - Download: https://www.elastic.co/downloads/enterprise

    DOWNLOADABLE_EXECUTABLES
    critical
  • Elastic Cloud on Kubernetes (ECK)

    Must be a supported version: https://www.elastic.co/support/eol

    Includes
    - Download: https://www.elastic.co/downloads/elastic-cloud-kubernetes

    DOWNLOADABLE_EXECUTABLES
    critical
  • Observability - APM Server

    Must be a supported version: https://www.elastic.co/support/eol

    Includes
    - All platforms: https://www.elastic.co/downloads/apm
    - Docker: https://www.docker.elastic.co/r/apm/apm-server
    - Source code: https://github.com/elastic/apm-server

    DOWNLOADABLE_EXECUTABLES
    critical
  • Elastic Enterprise Search

    Must be a supported version: https://www.elastic.co/support/eol

    Includes
    - All platforms: https://www.elastic.co/downloads/enterprise-search
    - Docker: https://www.docker.elastic.co/r/enterprise-search
    - Cloud: https://cloud.elastic.co

    DOWNLOADABLE_EXECUTABLES
    critical
  • *.found.io

    Exfiltration of data or attacks against any customer clusters will not be eligible for rewards. Local or on-premise Elastic Stack deployments are also in scope. Only the latest supported versions of the Elastic Stack will be eligible for a bounty.

    WILDCARD
    critical
  • Elastic Agent

    Must be a supported version: https://www.elastic.co/support/eol

    Includes
    - All platforms: https://www.elastic.co/downloads/elastic-agent
    - With Fleet: https://www.elastic.co/guide/en/fleet/current/fleet-elastic-agent-quick-start.html
    - Source code: https://github.com/elastic/elastic-agent

    DOWNLOADABLE_EXECUTABLES
    critical
  • Beats

    Issues that span multiple Beats

    Source: https://github.com/elastic/beats
    Download: https://www.elastic.co/downloads/beats/

    Including
    - Auditbeat
    - Filebeat
    - Heartbeat
    - Metricbeat
    - Packetbeat
    - Winlogbeat
    - Elastic Agent

    DOWNLOADABLE_EXECUTABLES
    critical
  • www.elastic.co

    The main page for Elastic

    URL
    critical
  • Elasticsearch

    Must be a supported version: https://www.elastic.co/support/eol

    Includes
    - All platforms: https://www.elastic.co/downloads/elasticsearch
    - Docker container: https://www.docker.elastic.co/r/elasticsearch
    - Source code: https://github.com/elastic/elasticsearch
    - Instance on Cloud: https://cloud.elastic.co

    DOWNLOADABLE_EXECUTABLES
    critical
  • *.elastic.co

    All subdomains are in scope UNLESS OTHERWISE LISTED IN OUT-OF-SCOPE. Local or on-premise Elastic Stack deployments are also IN scope.

    WILDCARD
    critical
  • Beats - Metricbeat

    Must be a supported version: https://www.elastic.co/support/eol

    Includes
    - All platforms: https://www.elastic.co/downloads/beats/metricbeat
    - Docker container: https://www.docker.elastic.co/r/beats/metricbeat
    - Source code: https://github.com/elastic/beats/tree/main/metricbeat

    DOWNLOADABLE_EXECUTABLES
    critical
  • *.swiftype.com
    WILDCARD
    critical
  • *.elstc.co
    WILDCARD
    critical
Target Scope Domains
  • cloud.elastic.co
  • elastic-cloud.com
  • elastic.co
  • elasticnet.co
  • elasticsearch-ci.elastic.co
  • elstc.co
  • eops.nl
  • found.io
  • swiftype.com
  • www.elastic.co
Tech Stack
  • _Hyperscript:0.9.4
  • Adobe Fonts
  • Alpine.Js
  • Amazon Alb
  • Amazon Cloudfront
  • Amazon S3
  • Amazon Web Services
  • Angularjs
  • Appcues
  • Atlassian Jira
  • Basic
  • Bootstrap
  • Bootstrap:4.0.0
  • Bootstrap:5.1.3
  • Cdnjs
  • Cloudflare
  • Cloudflare Bot Management
  • Contentful
  • Datadome
  • Datatables
  • Discourse:3.5.0
  • Elasticsearch
  • Express
  • Fastly
  • Font Awesome
  • Github Pages
  • Google Analytics
  • Google Cloud
  • Google Cloud Cdn
  • Google Cloud Storage
  • Google Hosted Libraries
  • Google Tag Manager
  • Gravatar
  • Greenhouse
  • Hsts
  • Http/3
  • Iubenda
  • Java
  • Jekyll:3.10.0
  • Jekyll:4.3.4
  • Jetty:9.4.30
  • Jetty:9.4.33
  • Jetty:9.4.43
  • Jetty:9.4.53
  • Jetty:9.4.56
  • Jquery
  • Jquery Cdn
  • Jquery Ui
  • Jsdelivr
  • Kestrel
  • Kibana
  • Kibana:5.6.16
  • Laravel
  • Lightbox
  • Linkedin Ads
  • Linkedin Sign-In
  • Lodash
  • Marked
  • Marketo Forms:2
  • Mathjax
  • Maxmind
  • Metismenu
  • Microsoft Asp.Net
  • Moment Timezone
  • Moment.Js
  • Netsuite
  • Next.Js
  • Nginx
  • Nginx:1.23.4
  • Nginx:1.27.4
  • Node.Js
  • Offline.Js
  • Okta:7.28.2
  • Openresty
  • Optimizely
  • Php
  • Quora Pixel
  • React
  • Recaptcha
  • Requirejs
  • Ruby
  • Ruby On Rails
  • Smartling
  • Spin.Js
  • Twitter
  • Typekit
  • Unbounce
  • Unpkg
  • Varnish
  • Vercel
  • Webpack
  • Youtube

Last Finished Scan:
  • Fleet: allsubs
  • State: Finished
  • Duration: 55 Seconds
  • Finished: 1 week, 5 days ago