How to get your testing environment

To get your testing environment, follow these steps:

1. Visit this link: https://www.dynatrace.com/signup/hackerone/
2. Use your @wearehackerone.com email address for registration.
3. You're allowed to sign up multiple times if needed, but please keep your testing accounts to a minimum.
4. Each testing account you set up will be active for three months.
5. If you have any questions, feel free to contact us at [email protected]. Please reach out before engaging in any conduct that may be inconsistent with or unaddressed by these guidelines.

Program Rules

• If you have any questions, please reach out to [email protected]
• Only use the account you have requested via our HackerOne signup.
• Don't cause any privacy violations, destruction of data (excluding test data), degradation or disruption of Dynatrace services.
• Don't cause any adverse impact to Dynatrace customers or suppliers.
• Don’t bulk create additional accounts within MyAccount (our account management portal). Only create a small number of accounts with different permissions to test privilege escalation.
• Create a report on HackerOne for each vulnerability, unless exploitation works only by chaining multiple vulnerabilities together.
• Explain your finding as detailed as possible. Use screenshots or a screen recording to demonstrate your proof-of-concept.
• Current and former employees of Dynatrace are not eligible to participate in the program.
• Dynatrace retains sole discretion on whether to designate a report as duplicate or not applicable. Dynatrace will do its best to explain in each case why the report is not eligible for a reward.

Eligibility and Responsible Disclosure

In connection with your participation in this program, you agree to comply with all applicable laws and regulations.

You may not participate in this program if you are subject to sanctions by the United States, European Union, or United Kingdom. You also may not participate if you are a resident or an individual located in a country that is subject to comprehensive or near-comprehensive sanctions (Cuba, Iran, North Korea, Syria, Russia, Belarus, Venezuela, and the Crimea, Donetsk People’s Republic, and Luhansk People’s Republic regions of Ukraine).

We will only reward the first person to responsibly report a vulnerability to us. Any vulnerabilities that are publicly disclosed without providing a reasonable amount of time for Dynatrace to respond will not be rewarded. You must report a qualifying vulnerability through the HackerOne reporting tool to be eligible for a reward.

Please make sure to have read HackerOne’s vulnerability disclosure guidelines before you start participating in the Dynatrace bug bounty program.

Exclusions

Do not engage in the following:

• Denial of Service attacks
• Unauthorized account access (including through credentials that have been published on the internet, such as on the Darknet or Telegram).
• The use of automated tools to generate significant traffic (apart from easyTravel & easyTrade, which are mentioned under Setup), which may affect the availability of our platform.
• Spamming
• Social engineering (including phishing) against Dynatrace, its customers, or suppliers.
• Any physical action against property or data centers used by Dynatrace, its customers, or suppliers
• Subdomain Takeovers

Reports that solely indicate a lack of possible security defenses are excluded from this program. This includes:

• Lack of CSRF tokens (unless you provide evidence of an actual sensitive user action that isn’t protected by a token).
• CSRF attacks that are performed in the same session and browser window as the captured forms. Please note: Before you submit a CSRF vulnerability, please confirm that it can be reproduced after you log out, restart the browser, and log in again.
• Login and logout CSRF.
• Missing HTTP security headers that don’t directly contribute to a vulnerability.
• Host header injections (we require evidence showing how these can lead to the theft of user data).
• Absence of best practices (unless evidence of a security vulnerability is demonstrated).
• Self-XSS (we require evidence showing how XSS can be used to attack another user).
• Missing flags on non-sensitive cookies.
• Reports from automated tools or vulnerability scanners.
• Reports of insecure SSL/TLS ciphers or outdated certificates.
• Reports of insecure DNS and server configurations (e.g. open ports).
• Credentials that have been posted on the Internet (e.g., the Darknet, Telegram, etc.)
• Vulnerabilities affecting users of outdated browsers, plug-ins, or platforms.
• Password, email and account policies.
• Presence/absence of DKIM/SPF/DMARC records.
• CSP (Content-Security-Policy) issues.
• Issues related to software or protocols not under Dynatrace’s control.

Legal

In connection with your participation in this program, you agree to comply with all applicable laws and regulations.

You may not participate in this program if you are subject to sanctions by the United States, the United Kingdom, or the European Union. You also may not participate if you are a resident or an individual located in a country that is subject to comprehensive or near-comprehensive sanctions (Cuba, Iran, North Korea, Syria, Russia, Belarus, Venezuela, and the Crimea, Donetsk People’s Republic, and Luhansk People’s Republic regions of Ukraine).

You may not adversely impact confidentiality, integrity, or availability of data or services belonging to Dynatrace, its customers, or suppliers. This includes: (i) disrupting or degrading Dynatrace’s products and service to its customers; (ii) modifying or corrupting Dynatrace programs or data to extract and publish information; and (iii) extracting or publishing data belonging to Dynatrace customers.

Vulnerabilities obtained by exploiting Dynatrace employees, customers, or suppliers, or by otherwise violating these guidelines, are not eligible for a bounty and will result in immediate disqualification from the program.

Dynatrace reserves the right to discontinue this reward program and to change its terms at any time without prior notification. All decisions regarding reward payments are final. The rules of this reward program or any communication related there do not provide or imply any obligations to Dynatrace of any kind.

Dynatrace’s collection, processing, and use of your information is described in Dynatrace Privacy Notice.

Thank you for helping keep Dynatrace and our customers safe!

Useful tips for the setup

Getting Started

Here is some documentation that we also provide to our external penetration testers. The following PDF files are intended to give you a brief overview of our product and help you get started. Additionally, we’ve included several attack scenarios that we believe are particularly relevant and worth exploring.

• {F4458020}
• {F4458021}

OneAgent

To test all functions of Dynatrace we recommend that you install a Dynatrace OneAgent on a test environment. OneAgent is responsible for collecting all monitoring data within your monitored environment. This way you can see some data in your environment.

You can find further installation instructions on our support page.

EasyTravel & EasyTrade

EasyTravel & EasyTrade are demo applications which can help you to generate test data. Install it on the environment where you installed the OneAgent.

Here are some links that contain more detailed instructions & download links:

• EasyTravel installation, download & integration: https://community.dynatrace.com/t5/Start-with-Dynatrace/easyTravel-Documentation-and-Download/m-p/181271
• EasyTravel docker installation: https://github.com/Dynatrace/easyTravel-Docker
• EasyTrade installation & download: https://github.com/Dynatrace/easytrade
• How to integrate EasyTrade into your testing environment: https://docs.dynatrace.com/docs/platform-modules/business-analytics/ba-end-to-end-use-case

Please keep in mind that EasyTravel & EasyTrade are out of scope of this program!

ActiveGate

ActiveGate is a secure proxy that connects Dynatrace OneAgents to Dynatrace Clusters or other ActiveGates. It simplifies network interactions, reduces complexity and cost, and performs monitoring tasks for different technologies.

In case you want to read more about our ActiveGates you can have a look at our support page. Detailed instructions on how to install and use an AG you can find here.

How to access your 2nd gen environment

If you haven't requested your testing environment yet, please do so. You can find detailed instructions at the top of our Policy page. Once you have requested your testing environment, you will be redirected to the latest version of our product, the Dynatrace Platform (3rd gen). This serves as your default testing environment. While we continue to support the older 2nd gen version with regular updates and patches, new customers will be onboarded to the Dynatrace Platform.

If the following steps are not done, you will be automatically redirected from your 2nd to your 3rd gen environment. With the following steps this redirection will be disabled:

1. Access your Dynatrace Platform environment: *.sprint.apps.dynatracelabs.com
2. Click on the account icon at the bottom left of your Platform (3rd gen) environment.
3. Switch off the "latest Dynatrace" flag.
4. You'll be redirected to your 2nd gen environment.
5. To return to your Platform (3rd gen) environment, simply navigate back using the direct URL.

{F2960757}

If you have any questions or this doesn't work for you, please reach out to [email protected]

Mobile Agent

With Dynatrace, it is also possible to monitor mobile applications for Android and iOS. The setup process is different as it involves compiling, packaging and shipping a monitoring library together with your own mobile application package.

You can find information on how to do this on our support page:

• Android
• iOS