Instruction: This is the staging environment for accounts.evernote.com; vulnerabilities found here will not be eligible for bounty unless the vulnerability is also present in production.
Integrity requirements:
Max severity: critical
Asset identifier: api.evernote.com
Asset type: URL
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: api.evernote.com is the API gateway into Evernote's microservice infrastructure. The microservice infrastructure is managed by Istio and is provisioned by Google Kubernetes Engine (GKE). Traffic is HTTP or gRPC, depending on the service being interacted with.
Integrity requirements:
Max severity: critical
Asset identifier: api.stage.evernote.com
Asset type: URL
Availability requirement:
Confidentiality requirement:
Eligible for bounty:
Eligible for submissions: true
Instruction: This is the staging environment for api.evernote.com; vulnerabilities found in this staging environment are not eligible for bounty *unless the vulnerability is verified in the corresponding production environments*.
Integrity requirements:
Max severity: critical
Asset identifier: com.evernote.android
Asset type: GOOGLE_PLAY_APP_ID
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction:
Integrity requirements:
Max severity: critical
Asset identifier: https://www.evernote.com
Asset type: URL
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: www.evernote.com serves the main Evernote web app. It also exposes several HTTP and Thrift endpoints that the Evernote mobile/desktop apps use to communicate with the service. Almost all endpoints on the www. domain are routed by HAProxy to an array of Java based Tomcat/Struts shards.
