Instruction: This domain hosts our public API. It's used by the Doppler CLI as well as by customers directly. All APIs and supported auth schemes are [documented](https://docs.doppler.com/reference) in our Docs hub.
Integrity requirements: high
Max severity: critical
Asset identifier: dashboard.doppler.com
Asset type: URL
Availability requirement: high
Confidentiality requirement: high
Eligible for bounty: true
Eligible for submissions: true
Instruction: This web app provides the ability to view and manage your secrets, team members, and account. You can read about additional functionality in our [docs](https://docs.doppler.com/).
Supported auth methods:
- Email/password. Optional: Authy/OTP MFA and/or WebAuthn
- Google Auth
- SAML SSO
Integrity requirements: high
Max severity: critical
Asset identifier: doppler
Asset type: DOWNLOADABLE_EXECUTABLES
Availability requirement: low
Confidentiality requirement: high
Eligible for bounty: true
Eligible for submissions: true
Instruction: This is the pre-built binary based on the Doppler CLI [source code](https://github.com/DopplerHQ/cli) (also in scope). You can find all builds on [cli.doppler.com](https://cli.doppler.com/download) or on [GitHub](https://github.com/DopplerHQ/cli/releases).
The CLI can be installed via brew, scoop, apt, yum, sh + curl/wget, and [more](https://github.com/DopplerHQ/cli/blob/master/INSTALL.md).
Integrity requirements: medium
Max severity: critical
Asset identifier: doppler.team
Asset type: URL
Availability requirement: none
Confidentiality requirement: high
Eligible for bounty: true
Eligible for submissions: true
Instruction: This domain hosts our internal tools for managing Workplace plans and features. It does not provide access to user secrets.
Access is protected via Cloudflare Access. Users must authenticate with a valid GSuite account, and must additionally be on the Admin allowlist. For this asset, we're especially interested in any bypass of our access controls.
Instruction: The Doppler CLI is the primary agent for retrieving secrets and executing your applications. It communicates with the Doppler API, which is also in scope. You can read more about the CLI on our [Docs hub](https://docs.doppler.com/docs/cli), or [install](https://cli.doppler.com/download) it and give it a spin.
Notable commands we're especially interested in:
- `doppler login`: orchestrates the auth flow
- `doppler run`: executes the specified process with secrets injected as environment variables
- `doppler update`: installs the latest CLI
Build instructions can be found on [GitHub](https://github.com/DopplerHQ/cli/blob/master/BUILD.md) and only require installing `go`.
Integrity requirements: medium
Max severity: critical
Asset identifier: share.doppler.com
Asset type: URL
Availability requirement: none
Confidentiality requirement: high
Eligible for bounty: true
Eligible for submissions: true
Instruction: Only submissions for vulnerabilities that permit access to shared secrets or otherwise bypass secret access controls are eligible for bounty on share.doppler.com.
Please do not send submissions such as lack of CAPTCHA or rate limiting.