Instruction: Domain used for development. Should not have any production services. Any rewards will be based on actual risk to Teleport and its customers.
Integrity requirements: low
Max severity: medium
Asset identifier: *.gravitational.com
Asset type: URL
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: Our former primary domain. Most stuff should redirect to goteleport.com, but there are still a few production services under this domain.
Integrity requirements:
Max severity: critical
Asset identifier: *.gravitational.io
Asset type: URL
Availability requirement: low
Confidentiality requirement: low
Eligible for bounty: true
Eligible for submissions: true
Instruction: Domain used for development. Should not have any production services. Any rewards will be based on actual risk to Teleport and its customers.
Instruction: Domain used for internal Teleport production infrastructure.
Integrity requirements:
Max severity: critical
Asset identifier: cloud.gravitational.io
Asset type: URL
Availability requirement: low
Confidentiality requirement: medium
Eligible for bounty: true
Eligible for submissions: true
Instruction: Our staging environment for Teleport Cloud.
Integrity requirements: low
Max severity: high
Asset identifier: get.gravitational.io
Asset type: URL
Availability requirement: low
Confidentiality requirement: medium
Eligible for bounty: true
Eligible for submissions: true
Instruction: Our distribution portal for enterprise Gravity (https://github.com/gravitational/gravity)
We're not concerned about unauthenticated downloads as this project is entirely open source, but if you're able to access the backend or (theoretically) change the data our Gravity customers download, that would be of great interest.
Integrity requirements: high
Max severity: critical
Asset identifier: h1-your-domain.teleport.sh
Asset type: URL
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: Accounts that you sign up for in Teleport Cloud.
Please do not test against any account (subdomain of teleport.sh) that you do not own.
Instruction: Kubernetes application deployments for restricted, regulated or remote environments.
The Gravity project is no longer under active development. The project's development has been limited to maintenance and support for our commercial customers until maintenance agreements expire. However, security vulnerability submissions are still welcome.
Please see our blog post for more information: https://goteleport.com/blog/gravitational-is-teleport/
Instruction: A set of plugins for Teleport's Access Workflows and example applications for Teleport Application Access.
See README for details on each plugin.
Instruction: This mono-repository contains the source code for the web UI of Teleport.
The code is organized in terms of independent yarn packages which reside in the `packages` directory.
Integrity requirements:
Max severity: critical
Asset identifier: platform.teleport.sh
Asset type: URL
Availability requirement: high
Confidentiality requirement: high
Eligible for bounty: true
Eligible for submissions: true
Instruction: A Teleport Cloud account we use for internal Teleport employees and access controls.
Unlike other customer Teleport Cloud accounts, this account is fair game because we own it.
Integrity requirements: high
Max severity: critical
Asset identifier: teleport.sh
Asset type: URL
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: Domain used for production Teleport Cloud signups and logins. Each customer has a unique subdomain per deployment.
Please do not test against any customer subdomains that are not explicitly called out as an asset in our scope. Doing so may generate distracting noise in the audit logs.