[{"id":3773821,"new_policy":"# Dynatrace's Bug Bounty Program\n\nWe reward security researchers who help keep our platform secure by discovering and responsibly disclosing vulnerabilities. Our bug bounty program offers rewards up to $10,000. High quality reports generally qualify for a **$50 bonus**, awarded at the discretion of the handling team member. *For more information see **Program Rewards**.*\n\nYour participation in our vulnerability disclosure program is voluntary and subject to the terms and conditions set forth in this Policy and the [HackerOne Finder Terms and Conditions](https://www.hackerone.com/terms/finder-2023), including the [HackerOne Disclosure Guidelines](https://www.hackerone.com/terms/disclosure-guidelines). Any violation of this Policy may result in ineligibility for a reward and/or removal from the Program.\n\n​\n\n# How to get your testing environment\nTo get your testing environment, follow these steps:\n1. Visit this link: [https://www.dynatrace.com/signup/hackerone/](https://www.dynatrace.com/signup/hackerone/)\n2. Use your `@wearehackerone.com` email address for signup.\n3. You're allowed to sign up multiple times if needed, but please keep your testing accounts to a minimum. \n4. Each testing account you set up will be active for three months.\n5. If you have any questions, feel free to contact us at [bugbounty@dynatrace.com](mailto:bugbounty@dynatrace.com). Please reach out before engaging in any conduct that may be inconsistent with or unaddressed by these guidelines.\n6. *For setup tips and useful resources, check out the **Useful tips for the setup** section at the bottom of this page.*\n\n​\n\n# Program Rewards\nBy participating in the Program, you may be eligible to receive a monetary reward for qualifying vulnerabilities reported in accordance with this Policy. 
To be eligible for a reward:\n- You must report a qualifying vulnerability through HackerOne\n- You must be the first person to report the vulnerability\n- We must determine that the vulnerability is valid and not previously known by us\n- You must comply with this Policy\n\nRewards will be determined by Dynatrace in its sole discretion. If we decide to provide a reward, we will determine the payment amount based on our assessment of the risk and severity of the vulnerability and other factors, such as its uniqueness. You are responsible for the payment of all applicable taxes related to the rewards you receive in connection with the Program.\n\nWe will only reward the first person to responsibly report a vulnerability to us. When duplicates occur, we triage the first report that was received (provided that it can be fully reproduced). Dynatrace retains sole discretion on whether to designate a report as duplicate or not applicable. When appropriate, Dynatrace will try to explain why the report is not eligible for a reward.\n\nHigh quality reports generally qualify for a **$50 bonus**, awarded at the discretion of the handling team member. A high quality report is concise, contains all necessary information, includes an accurate severity rating, and provides a clear and actionable proof-of-concept. Reports that are bloated with irrelevant information, exaggerate or twist findings to appear more severe, or rely heavily on AI-generated content with little researcher input will likely not qualify for the bonus.\n\n​\n\n# Exclusions and Out-of-Scope Vulnerabilities\n\nWhen reporting vulnerabilities, please consider the (1) attack scenario/exploitability, and (2) security impact of the issue. Reports that solely indicate a lack of possible security defenses are excluded from this Program. 
The following issues are considered out of scope: \n\n- Lack of CSRF tokens (unless you provide evidence of an actual sensitive user action that isn’t protected by a token).\n- CSRF attacks that are performed in the same session and browser window as the captured forms. Please note: Before you submit a CSRF vulnerability, please confirm that it can be reproduced after you log out, restart the browser, and log in again.\n- Login and logout CSRF.\n- Missing HTTP security headers that don’t directly contribute to a vulnerability.\n- Host header injections (we require evidence showing how these can lead to the theft of user data).\n- Absence of best practices (unless evidence of a security vulnerability is demonstrated).\n- Self-XSS (we require evidence showing how XSS can be used to attack another user).\n- Missing flags on non-sensitive cookies.\n- Reports from automated tools or vulnerability scanners.\n- Reports of insecure SSL/TLS ciphers or outdated certificates.\n- Reports of insecure DNS and server configurations (e.g. open ports).\n- Credentials that have been posted on the Internet (e.g., the Darknet, Telegram, etc.)\n- Vulnerabilities affecting users of outdated browsers, plug-ins, or platforms.\n- Password, email and account policies.\n- Presence/absence of DKIM/SPF/DMARC records.\n- CSP (Content-Security-Policy) issues.\n- Issues related to software or protocols not under Dynatrace’s control.\n\n**GitHub repositories.** Only reporters with at least **150 reputation** are eligible to submit reports for assets in this scope. This requirement is in place due to a recent increase in low-effort, AI-generated reports that do not meet our quality standards. Reports submitted below this threshold will be automatically closed as Informative without review.\n\nYou must abide by this scope. 
We do not offer rewards for out-of-scope vulnerabilities or excluded submission types.\n\n​\n\n# Program Rules and Conditions\nAs with most vulnerability disclosure programs, there are some requirements and restrictions that apply to our Program. If you have any questions, please reach out to [bugbounty@dynatrace.com](mailto:bugbounty@dynatrace.com).\n\n- Only use the account you have requested via our HackerOne signup for testing purposes. Do not attempt to compromise or otherwise gain access to an account you do not own.\n- Do not bulk create additional accounts within MyAccount (our account management portal). Only create a small number of accounts with different permissions to test privilege escalation.\n- Submit a report for each vulnerability, unless exploitation works only by chaining multiple vulnerabilities together. Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n- Explain your finding in as much detail as possible. Provide reproducible steps and use screenshots or a screen recording to demonstrate your proof-of-concept.\n- We're fine with AI tools being part of your workflow, and so is HackerOne's [Code of Conduct](https://www.hackerone.com/policies/code-of-conduct). But if it's clear that little to no effort went into a submission, don't expect much effort in return. Low-effort, AI-generated submissions without a meaningful, product-relevant proof-of-concept, or unverified claims will be closed without detailed feedback.\n- Follow HackerOne’s vulnerability disclosure guidelines. Please note that this Policy supersedes those guidelines in the event of a conflict.\n- Comply with applicable federal, state, local, and international laws in connection with your participation in this Program. 
Do not engage in any activity that constitutes a criminal offense, infringes intellectual property rights, or violates any law or contract, including our [Terms of Use](https://www.dynatrace.com/company/trust-center/terms-of-use/).\n- Use a proof of concept only to demonstrate an issue. Do not exploit a vulnerability you discovered for any reason, including accessing, modifying, deleting, copying, downloading, acquiring, or otherwise processing any confidential, proprietary, or personal information accessible as a result of a vulnerability. If you inadvertently engage in any such activity, please stop testing and contact us immediately. If you obtain a copy of any Dynatrace data inadvertently or in violation of this Policy, you agree to return all such copies to us and not retain any copy thereof.\n- You may not adversely impact the confidentiality, integrity, or availability of data or services belonging to Dynatrace, its customers, suppliers, or other third parties. This includes: (i) damaging, disrupting, or degrading Dynatrace’s products and service to its customers; (ii) modifying or corrupting Dynatrace programs or data to extract and publish information; or (iii) extracting or publishing data belonging to Dynatrace customers.\n\n- In connection with your participation in the Program, you may not do any of the following:\n  - Engage in any activity that results in unauthorized access to or destruction of systems or data (excluding test data) or interrupts or degrades services (such as denial of service attacks).\n  - Access another user’s account or device without authorization (such as through credentials that have been published online), trade stolen user credentials, intercept or eavesdrop on communications, or engage in any form of other privacy violations.\n  - Use automated tools to generate significant traffic (apart from easyTravel \u0026 easyTrade, which are mentioned under Setup), which may affect the availability of our platform.\n  - Send 
unsolicited or unauthorized junk mail or spam.\n  - Impersonate or misrepresent your affiliation with another person or entity.\n  - Engage in social engineering (including phishing, vishing, and smishing).\n  - Send or spread any malicious software or other materials that could cause harm, disruption, or compromise.\n  - Attempt to gain physical access to any of our offices or facilities or take any physical action against property or data centers used by Dynatrace, its customers, or suppliers.\n  - Engage in subdomain takeovers.\n- Do not use illegal software. Participants are solely responsible for the tools they use.\n\n​\n\n# Program Eligibility\nTo participate in our Program, you must be a security researcher who is at least eighteen (18) years of age. In connection with your participation in the Program, you agree to comply with all applicable laws and regulations.\n\nYou are not eligible to participate in our Program if:\n- You are a current or former Dynatrace employee or service provider or are an immediate \nfamily member of one of our employees or service providers.\n- You or someone you work for is a person or entity who appears on any sanctions list maintained by the United States, European Union, United Kingdom, or United Nations.\n- You reside or otherwise are located in a country on those sanctions lists (such as Cuba, Iran, North Korea, Syria, Russia, Belarus, Venezuela, and the Crimea, Donetsk People’s Republic, and Luhansk People’s Republic regions of Ukraine).\n\n​\n\n# Vulnerability Disclosures\n- All information disclosed to us about vulnerabilities (including resolved ones) is intended to be provided privately to Dynatrace.\n- You agree to treat all information about vulnerabilities disclosed to us through the  program as confidential and not share the information with others, unless we have  provided our prior written consent to allow you to disclose the information to a third  party or the public.\n- Dynatrace will determine, in its sole 
discretion, whether public recognition for resolved vulnerabilities will be provided. In doing so, we will take into consideration, among other factors, whether you complied with this Policy and the contribution to the security community.\n- Any vulnerabilities that are publicly disclosed without providing a reasonable amount of time for Dynatrace to respond will not be rewarded.\n\n​\n\n# Ownership\nAs described in the [HackerOne Finder Terms and Conditions](https://www.hackerone.com/terms/finder-2023), you grant us a perpetual, irrevocable, non-exclusive, transferable, sublicensable, worldwide, royalty-free license to use, copy, reproduce, display, modify, adapt, transmit, and distribute copies of any information made available to us in connection with our Program for any purpose.\n\nThis Program is not an offer of employment. Nothing in this Policy is intended to render Dynatrace and you as joint venturers, partners, or employer and employee.\n\n​\n\n# Rewards, Modification and Termination\nVulnerabilities obtained by exploiting Dynatrace employees, customers, or suppliers, or by otherwise violating this Policy, are not eligible for a bounty and will result in immediate disqualification from the Program. Dynatrace may, in our sole discretion, terminate or suspend your participation in the Program for any reason and without prior notice to you.\n\nDynatrace reserves the right to discontinue this Program and to change any aspect of the Program or its terms at any time without prior notification. Once the updated Policy has been posted, your continued participation in our Program will constitute your acceptance of any modification or update made by us. All decisions regarding reward payments are final. The rules of this Program or any communication related thereto do not provide or imply any obligations to Dynatrace of any kind.\n\n​\n\n# Safe Harbor\nThe intent of this Program is to encourage coordinated and responsible disclosure. 
Unless required by law or law enforcement authorities, we do not intend to initiate any legal action against you if you comply with this Policy. Dynatrace reserves all legal rights in the event of any noncompliance.\n\nIf your security research involves the networks, systems, data, products, or services of another party, that third party may determine whether to pursue legal action. We cannot and do not authorize security research involving other entities.\n\nThank you for helping keep Dynatrace and our customers safe!\n\n​\n\n# Limitation of Liability\nIN NO EVENT WILL WE BE LIABLE TO YOU FOR ANY DIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES, OR LOST REVENUES OR PROFITS, ARISING OUT OF OR RELATED TO YOUR PARTICIPATION IN THE PROGRAM, WHETHER BASED ON WARRANTY, CONTRACT, OR ANY OTHER LEGAL THEORY AND WHETHER OR NOT WE HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. BECAUSE SOME JURISDICTIONS DO NOT ALLOW FOR THE EXCLUSION OF DAMAGES, OUR LIABILITY IN SUCH JURISDICTIONS WILL BE LIMITED TO THE MAXIMUM EXTENT PERMITTED BY THE LAWS OF SUCH JURISDICTION.\n\n​\n​\n\n# Useful tips for the setup\n\n---\n\n​\n\n## Getting Started\nHere is some documentation that we also provide to our external penetration testers. The following PDF files are intended to give you a brief overview of our product and to help you get started. Additionally, we’ve included several attack scenarios that we believe are particularly relevant and worth exploring.\n- {F4458020}\n- {F4458021}\n\n​\n\n## OneAgent\nTo test all functions of Dynatrace we recommend that you install a Dynatrace OneAgent on a test environment. OneAgent is responsible for collecting all monitoring data within your monitored environment. This way, you can see some data in your environment.\n\nYou can find further installation instructions on our [support page](https://www.dynatrace.com/support/help/setup-and-configuration/dynatrace-oneagent/installation-and-operation). 
 \n\n​\n\n## EasyTravel \u0026 EasyTrade\nEasyTravel \u0026 EasyTrade are demo applications which can help you to generate test data. Install them on the environment where you installed the OneAgent.\n\nHere are some links that contain more detailed instructions and download links: \n- [EasyTravel installation, download and integration](https://community.dynatrace.com/t5/Start-with-Dynatrace/easyTravel-Documentation-and-Download/m-p/181271)\n- [EasyTravel docker installation](https://github.com/Dynatrace/easyTravel-Docker)\n- [EasyTrade installation and download](https://github.com/Dynatrace/easytrade)\n- [How to integrate EasyTrade into your testing environment](https://docs.dynatrace.com/docs/platform-modules/business-analytics/ba-end-to-end-use-case)\n\n*Please keep in mind that EasyTravel \u0026 EasyTrade are out of scope of this Program!*\n\n​\n\n## ActiveGate\nActiveGate is a secure proxy that connects Dynatrace OneAgents to Dynatrace Clusters or other ActiveGates. It simplifies network interactions, reduces complexity and cost, and performs monitoring tasks for different technologies.\n\nFor more information, visit the [ActiveGate documentation](https://www.dynatrace.com/support/help/setup-and-configuration/dynatrace-activegate), or refer to the [installation guide](https://www.dynatrace.com/support/help/setup-and-configuration/dynatrace-activegate/installation).\n\n​\n\n## How to access your 2nd gen environment\nIf you haven't requested your testing environment yet, please do so. You can find detailed instructions at the top of our Policy page. Once you have requested your testing environment, you will be redirected to the latest version of our product, the Dynatrace Platform (3rd gen). This serves as your default testing environment. 
While we continue to support the older 2nd gen version with regular updates and patches, new customers will be onboarded to the Dynatrace Platform.\n\nBy default, you will be automatically redirected from your 2nd to your 3rd gen environment. You can disable this redirection by following these steps: \n1. Access your Dynatrace Platform environment: `*.sprint.apps.dynatracelabs.com`\n2. Click on the account icon at the bottom left of your Platform (3rd gen) environment.\n3. Switch off the \"Latest Dynatrace\" flag.\n4. You'll be redirected to your 2nd gen environment.\n5. To return to your Platform (3rd gen) environment, simply navigate back using the direct URL.\n\n{F2960757}\n\nIf you have any questions or this doesn't work for you, please reach out to [bugbounty@dynatrace.com](mailto:bugbounty@dynatrace.com).\n\n​\n\n## Mobile Agent\nWith Dynatrace, it is also possible to monitor mobile applications for Android and iOS. The setup process is different as it involves compiling, packaging and shipping a monitoring library together with your own mobile application package.\n\nYou can find information on how to do this on our support page: \n- [Android](https://www.dynatrace.com/support/help/platform-modules/digital-experience/mobile-applications/instrument-android-app)\n- [iOS](https://www.dynatrace.com/support/help/platform-modules/digital-experience/mobile-applications/instrument-ios-app)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-05-07T14:50:47.232Z"},{"id":3773820,"new_policy":"# Dynatrace's Bug Bounty Program\n\nWe reward security researchers who help keep our platform secure by discovering and responsibly disclosing vulnerabilities. Our bug bounty program offers rewards up to $10,000. 
High quality reports generally qualify for a **$50 bonus**, awarded at the discretion of the handling team member. *For more information see **Program Rewards**.*\n\nYour participation in our vulnerability disclosure program is voluntary and subject to the terms and conditions set forth in this Policy and the [HackerOne Finder Terms and Conditions](https://www.hackerone.com/terms/finder-2023), including the [HackerOne Disclosure Guidelines](https://www.hackerone.com/terms/disclosure-guidelines). Any violation of this Policy may result in ineligibility for a reward and/or removal from the Program.\n\n​\n\n# How to get your testing environment\nTo get your testing environment, follow these steps:\n1. Visit this link: [https://www.dynatrace.com/signup/hackerone/](https://www.dynatrace.com/signup/hackerone/)\n2. Use your `@wearehackerone.com` email address for signup.\n3. You're allowed to sign up multiple times if needed, but please keep your testing accounts to a minimum. \n4. Each testing account you set up will be active for three months.\n5. If you have any questions, feel free to contact us at [bugbounty@dynatrace.com](mailto:bugbounty@dynatrace.com). Please reach out before engaging in any conduct that may be inconsistent with or unaddressed by these guidelines.\n6. *For setup tips and useful resources, check out the **Useful tips for the setup** section at the bottom of this page.*\n\n​\n\n# Program Rewards\nBy participating in the Program, you may be eligible to receive a monetary reward for qualifying vulnerabilities reported in accordance with this Policy. To be eligible for a reward:\n- You must report a qualifying vulnerability through HackerOne\n- You must be the first person to report the vulnerability\n- We must determine that the vulnerability is valid and not previously known by us\n- You must comply with this Policy\n\nRewards will be determined by Dynatrace in its sole discretion. 
If we decide to provide a reward, we will determine the payment amount based on our assessment of the risk and severity of the vulnerability and other factors, such as its uniqueness. You are responsible for the payment of all applicable taxes related to the rewards you receive in connection with the Program.\n\nWe will only reward the first person to responsibly report a vulnerability to us. When duplicates occur, we triage the first report that was received (provided that it can be fully reproduced). Dynatrace retains sole discretion on whether to designate a report as duplicate or not applicable. When appropriate, Dynatrace will try to explain why the report is not eligible for a reward.\n\nHigh quality reports generally qualify for a **$50 bonus**, awarded at the discretion of the handling team member. A high quality report is concise, contains all necessary information, includes an accurate severity rating, and provides a clear and actionable proof-of-concept. Reports that are bloated with irrelevant information, exaggerate or twist findings to appear more severe, or rely heavily on AI-generated content with little researcher input will likely not qualify for the bonus.\n\n​\n\n# Exclusions and Out-of-Scope Vulnerabilities\n\nWhen reporting vulnerabilities, please consider the (1) attack scenario/exploitability, and (2) security impact of the issue. Reports that solely indicate a lack of possible security defenses are excluded from this Program. The following issues are considered out of scope: \n\n- Lack of CSRF tokens (unless you provide evidence of an actual sensitive user action that isn’t protected by a token).\n- CSRF attacks that are performed in the same session and browser window as the captured forms. 
Please note: Before you submit a CSRF vulnerability, please confirm that it can be reproduced after you log out, restart the browser, and log in again.\n- Login and logout CSRF.\n- Missing HTTP security headers that don’t directly contribute to a vulnerability.\n- Host header injections (we require evidence showing how these can lead to the theft of user data).\n- Absence of best practices (unless evidence of a security vulnerability is demonstrated).\n- Self-XSS (we require evidence showing how XSS can be used to attack another user).\n- Missing flags on non-sensitive cookies.\n- Reports from automated tools or vulnerability scanners.\n- Reports of insecure SSL/TLS ciphers or outdated certificates.\n- Reports of insecure DNS and server configurations (e.g. open ports).\n- Credentials that have been posted on the Internet (e.g., the Darknet, Telegram, etc.)\n- Vulnerabilities affecting users of outdated browsers, plug-ins, or platforms.\n- Password, email and account policies.\n- Presence/absence of DKIM/SPF/DMARC records.\n- CSP (Content-Security-Policy) issues.\n- Issues related to software or protocols not under Dynatrace’s control.\n\n**GitHub repositories.** Only reporters with at least **150 reputation** are eligible to submit reports for assets in this scope. This requirement is in place due to a recent increase in low-effort, AI-generated reports that do not meet our quality standards. Reports submitted below this threshold will be automatically closed as Informative without review.\n\nYou must abide by this scope. We do not offer rewards for out-of-scope vulnerabilities or excluded submission types.\n\n​\n\n# Program Rules and Conditions\nAs with most vulnerability disclosure programs, there are some requirements and restrictions that apply to our Program. If you have any questions, please reach out to [bugbounty@dynatrace.com](mailto:bugbounty@dynatrace.com).\n\n- Only use the account you have requested via our HackerOne signup for testing purposes. 
Do not attempt to compromise or otherwise gain access to an account you do not own.\n- Do not bulk create additional accounts within MyAccount (our account management portal). Only create a small number of accounts with different permissions to test privilege escalation.\n- Submit a report for each vulnerability, unless exploitation works only by chaining multiple vulnerabilities together. Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n- Explain your finding in as much detail as possible. Provide reproducible steps and use screenshots or a screen recording to demonstrate your proof-of-concept.\n- We're fine with AI tools being part of your workflow, and so is HackerOne's [Code of Conduct](https://www.hackerone.com/policies/code-of-conduct). But if it's clear that little to no effort went into a submission, don't expect much effort in return. Low-effort, AI-generated submissions without a meaningful, product-relevant proof-of-concept, or unverified claims will be closed without detailed feedback.\n- Follow HackerOne’s vulnerability disclosure guidelines. Please note that this Policy supersedes those guidelines in the event of a conflict.\n- Comply with applicable federal, state, local, and international laws in connection with your participation in this Program. Do not engage in any activity that constitutes a criminal offense, infringes intellectual property rights, or violates any law or contract, including our [Terms of Use](https://www.dynatrace.com/company/trust-center/terms-of-use/).\n- Use a proof of concept only to demonstrate an issue. Do not exploit a vulnerability you discovered for any reason, including accessing, modifying, deleting, copying, downloading, acquiring, or otherwise processing any confidential, proprietary, or personal information accessible as a result of a vulnerability. If you inadvertently engage in any such activity, please stop testing and contact us immediately. 
If you obtain a copy of any Dynatrace data inadvertently or in violation of this Policy, you agree to return all such copies to us and not retain any copy thereof.\n- You may not adversely impact the confidentiality, integrity, or availability of data or services belonging to Dynatrace, its customers, suppliers, or other third parties. This includes: (i) damaging, disrupting, or degrading Dynatrace’s products and service to its customers; (ii) modifying or corrupting Dynatrace programs or data to extract and publish information; or (iii) extracting or publishing data belonging to Dynatrace customers.\n\n- In connection with your participation in the Program, you may not do any of the following:\n  - Engage in any activity that results in unauthorized access to or destruction of systems or data (excluding test data) or interrupts or degrades services (such as denial of service attacks).\n  - Access another user’s account or device without authorization (such as through credentials that have been published online), trade stolen user credentials, intercept or eavesdrop on communications, or engage in any form of other privacy violations.\n  - Use automated tools to generate significant traffic (apart from easyTravel \u0026 easyTrade, which are mentioned under Setup), which may affect the availability of our platform.\n  - Send unsolicited or unauthorized junk mail or spam.\n  - Impersonate or misrepresent your affiliation with another person or entity.\n  - Engage in social engineering (including phishing, vishing, and smishing).\n  - Send or spread any malicious software or other materials that could cause harm, disruption, or compromise.\n  - Attempt to gain physical access to any of our offices or facilities or take any physical action against property or data centers used by Dynatrace, its customers, or suppliers.\n  - Engage in subdomain takeovers.\n- Do not use illegal software. 
Participants are solely responsible for the tools they use.\n\n​\n\n# Program Eligibility\nTo participate in our Program, you must be a security researcher who is at least eighteen (18) years of age. In connection with your participation in the Program, you agree to comply with all applicable laws and regulations.\n\nYou are not eligible to participate in our Program if:\n- You are a current or former Dynatrace employee or service provider or are an immediate \nfamily member of one of our employees or service providers.\n- You or someone you work for is a person or entity who appears on any sanctions list maintained by the United States, European Union, United Kingdom, or United Nations.\n- You reside or otherwise are located in a country on those sanctions lists (such as Cuba, Iran, North Korea, Syria, Russia, Belarus, Venezuela, and the Crimea, Donetsk People’s Republic, and Luhansk People’s Republic regions of Ukraine).\n​\n​\n\n# Vulnerability Disclosures\n- All information disclosed to us about vulnerabilities (including resolved ones) is intended to be provided privately to Dynatrace.\n- You agree to treat all information about vulnerabilities disclosed to us through the  program as confidential and not share the information with others, unless we have  provided our prior written consent to allow you to disclose the information to a third  party or the public.\n- Dynatrace will determine, in its sole discretion, whether public recognition for resolved vulnerabilities will be provided. 
In doing so, we will take into consideration, among other factors, whether you complied with this Policy and the contribution to the security community.\n- Any vulnerabilities that are publicly disclosed without providing a reasonable amount of time for Dynatrace to respond will not be rewarded.\n\n​\n\n# Ownership\nAs described in the [HackerOne Finder Terms and Conditions](https://www.hackerone.com/terms/finder-2023), you grant us a perpetual, irrevocable, non-exclusive, transferable, sublicensable, worldwide, royalty-free license to use, copy, reproduce, display, modify, adapt, transmit, and distribute copies of any information made available to us in connection with our Program for any purpose.\n\nThis Program is not an offer of employment. Nothing in this Policy is intended to render Dynatrace and you as joint venturers, partners, or employer and employee.\n\n​\n\n# Rewards, Modification and Termination\nVulnerabilities obtained by exploiting Dynatrace employees, customers, or suppliers, or by otherwise violating this Policy, are not eligible for a bounty and will result in immediate disqualification from the Program. Dynatrace may, in our sole discretion, terminate or suspend your participation in the Program for any reason and without prior notice to you.\n\nDynatrace reserves the right to discontinue this Program and to change any aspect of the Program or its terms at any time without prior notification. Once the updated Policy has been posted, your continued participation in our Program will constitute your acceptance of any modification or update made by us. All decisions regarding reward payments are final. The rules of this Program or any communication related thereto do not provide or imply any obligations to Dynatrace of any kind.\n\n​\n\n# Safe Harbor\nThe intent of this Program is to encourage coordinated and responsible disclosure. 
Unless required by law or law enforcement authorities, we do not intend to initiate any legal action against you if you comply with this Policy. Dynatrace reserves all legal rights in the event of any noncompliance.\n\nIf your security research involves the networks, systems, data, products, or services of another party, that third party may determine whether to pursue legal action. We cannot and do not authorize security research involving other entities.\n\nThank you for helping keep Dynatrace and our customers safe!\n\n​\n\n# Limitation of Liability\nIN NO EVENT WILL WE BE LIABLE TO YOU FOR ANY DIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES, OR LOST REVENUES OR PROFITS, ARISING OUT OF OR RELATED TO YOUR PARTICIPATION IN THE PROGRAM, WHETHER BASED ON WARRANTY, CONTRACT, OR ANY OTHER LEGAL THEORY AND WHETHER OR NOT WE HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. BECAUSE SOME JURISDICTIONS DO NOT ALLOW FOR THE EXCLUSION OF DAMAGES, OUR LIABILITY IN SUCH JURISDICTIONS WILL BE LIMITED TO THE MAXIMUM EXTENT PERMITTED BY THE LAWS OF SUCH JURISDICTION.\n\n​\n​\n\n# Useful tips for the setup\n\n---\n\n​\n\n## Getting Started\nHere is some documentation that we also provide to our external penetration testers. The following PDF files are intended to give you a brief overview of our product and to help you get started. Additionally, we’ve included several attack scenarios that we believe are particularly relevant and worth exploring.\n- {F4458020}\n- {F4458021}\n\n​\n\n## OneAgent\nTo test all functions of Dynatrace we recommend that you install a Dynatrace OneAgent on a test environment. OneAgent is responsible for collecting all monitoring data within your monitored environment. This way, you can see some data in your environment.\n\nYou can find further installation instructions on our [support page](https://www.dynatrace.com/support/help/setup-and-configuration/dynatrace-oneagent/installation-and-operation). 
\n\n​\n\n## EasyTravel \u0026 EasyTrade\nEasyTravel \u0026 EasyTrade are demo applications which can help you to generate test data. Install it on the environment where you installed the OneAgent.\n\nHere are some links that contain more detailed instructions and download links: \n- [EasyTravel installation, download and integration](https://community.dynatrace.com/t5/Start-with-Dynatrace/easyTravel-Documentation-and-Download/m-p/181271)\n- [EasyTravel docker installation](https://github.com/Dynatrace/easyTravel-Docker)\n- [EasyTrade installation and download](https://github.com/Dynatrace/easytrade)\n- [How to integrate EasyTrade into your testing environment](https://docs.dynatrace.com/docs/platform-modules/business-analytics/ba-end-to-end-use-case)\n\n*Please keep in mind that EasyTravel \u0026 EasyTrade are out of scope of this Program!*\n\n​\n\n## ActiveGate\nActiveGate is a secure proxy that connects Dynatrace OneAgents to Dynatrace Clusters or other ActiveGates. It simplifies network interactions, reduces complexity and cost, and performs monitoring tasks for different technologies.\n\nFor more information, visit the [ActiveGate documentation](https://www.dynatrace.com/support/help/setup-and-configuration/dynatrace-activegate), or refer to the [installation guide](https://www.dynatrace.com/support/help/setup-and-configuration/dynatrace-activegate/installation).\n\n​\n\n## How to access your 2nd gen environment\nIf you haven't requested your testing environment yet, please do so. You can find detailed instructions at the top of our Policy page. Once you have requested your testing environment, you will be redirected to the latest version of our product, the Dynatrace Platform (3rd gen). This serves as your default testing environment. 
While we continue to support the older 2nd gen version with regular updates and patches, new customers will be onboarded to the Dynatrace Platform.\n\nBy default, you will be automatically redirected from your 2nd to your 3rd gen environment. You can disable this redirection by following these steps: \n1. Access your Dynatrace Platform environment: `*.sprint.apps.dynatracelabs.com`\n2. Click on the account icon at the bottom left of your Platform (3rd gen) environment.\n3. Switch off the \"Latest Dynatrace\" flag.\n4. You'll be redirected to your 2nd gen environment.\n5. To return to your Platform (3rd gen) environment, simply navigate back using the direct URL.\n\n{F2960757}\n\nIf you have any questions or this doesn't work for you, please reach out to [bugbounty@dynatrace.com](mailto:bugbounty@dynatrace.com).\n\n​\n\n## Mobile Agent\nWith Dynatrace, it is also possible to monitor mobile applications for Android and iOS. The setup process is different as it involves compiling, packaging and shipping a monitoring library together with your own mobile application package.\n\nYou can find information on how to do this on our support page: \n- [Android](https://www.dynatrace.com/support/help/platform-modules/digital-experience/mobile-applications/instrument-android-app)\n- [iOS](https://www.dynatrace.com/support/help/platform-modules/digital-experience/mobile-applications/instrument-ios-app)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-05-07T14:49:14.344Z"},{"id":3773157,"new_policy":"# Dynatrace's Bug Bounty Program\n\nWe reward security researchers who help keep our platform secure by discovering and responsibly disclosing vulnerabilities. Our bug bounty program offers rewards up to $10,000. 
High quality reports generally qualify for a **$50 bonus**, awarded at the discretion of the handling team member. *For more information see **Program Rewards**.*\n\nYour participation in our vulnerability disclosure program is voluntary and subject to the terms and conditions set forth in this Policy and the [HackerOne Finder Terms and Conditions](https://www.hackerone.com/terms/finder-2023), including the [HackerOne Disclosure Guidelines](https://www.hackerone.com/terms/disclosure-guidelines). Any violation of this Policy may result in ineligibility for a reward and/or removal from the Program.\n\n​\n\n# How to get your testing environment\nTo get your testing environment, follow these steps:\n1. Visit this link: [https://www.dynatrace.com/signup/hackerone/](https://www.dynatrace.com/signup/hackerone/)\n2. Use your `@wearehackerone.com` email address for signup.\n3. You're allowed to sign up multiple times if needed, but please keep your testing accounts to a minimum. \n4. Each testing account you set up will be active for three months.\n5. If you have any questions, feel free to contact us at [bugbounty@dynatrace.com](mailto:bugbounty@dynatrace.com). Please reach out before engaging in any conduct that may be inconsistent with or unaddressed by these guidelines.\n6. *For setup tips and useful resources, check out the **Useful tips for the setup** section at the bottom of this page.*\n\n​\n\n# Program Rewards\nBy participating in the Program, you may be eligible to receive a monetary reward for qualifying vulnerabilities reported in accordance with this Policy. To be eligible for a reward:\n- You must report a qualifying vulnerability through HackerOne\n- You must be the first person to report the vulnerability\n- We must determine that the vulnerability is valid and not previously known by us\n- You must comply with this Policy\n\nRewards will be determined by Dynatrace in its sole discretion. 
If we decide to provide a reward, we will determine the payment amount based on our assessment of the risk and severity of the vulnerability and other factors, such as its uniqueness. You are responsible for the payment of all applicable taxes related to the rewards you receive in connection with the Program.\n\nWe will only reward the first person to responsibly report a vulnerability to us. When duplicates occur, we triage the first report that was received (provided that it can be fully reproduced). Dynatrace retains sole discretion on whether to designate a report as duplicate or not applicable. When appropriate, Dynatrace will try to explain why the report is not eligible for a reward.\n\nHigh quality reports generally qualify for a **$50 bonus**, awarded at the discretion of the handling team member. A high quality report is concise, contains all necessary information, includes an accurate severity rating, and provides a clear and actionable proof-of-concept. Reports that are bloated with irrelevant information, exaggerate or twist findings to appear more severe, or rely heavily on AI-generated content with little researcher input will likely not qualify for the bonus.\n\n​\n\n# Exclusions and Out-of-Scope Vulnerabilities\n\nWhen reporting vulnerabilities, please consider the (1) attack scenario/exploitability, and (2) security impact of the issue. Reports that solely indicate a lack of possible security defenses are excluded from this Program. The following issues are considered out of scope: \n\n- Lack of CSRF tokens (unless you provide evidence of an actual sensitive user action that isn’t protected by a token).\n- CSRF attacks that are performed in the same session and browser window as the captured forms. 
Please note: Before you submit a CSRF vulnerability, please confirm that it can be reproduced after you log out, restart the browser, and log in again.\n- Login and logout CSRF.\n- Missing HTTP security headers that don’t directly contribute to a vulnerability.\n- Host header injections (we require evidence showing how these can lead to the theft of user data).\n- Absence of best practices (unless evidence of a security vulnerability is demonstrated).\n- Self-XSS (we require evidence showing how XSS can be used to attack another user).\n- Missing flags on non-sensitive cookies.\n- Reports from automated tools or vulnerability scanners.\n- Reports of insecure SSL/TLS ciphers or outdated certificates.\n- Reports of insecure DNS and server configurations (e.g. open ports).\n- Credentials that have been posted on the Internet (e.g., the Darknet, Telegram, etc.)\n- Vulnerabilities affecting users of outdated browsers, plug-ins, or platforms.\n- Password, email and account policies.\n- Presence/absence of DKIM/SPF/DMARC records.\n- CSP (Content-Security-Policy) issues.\n- Issues related to software or protocols not under Dynatrace’s control.\n\n**GitHub repositories.** Only reporters with at least **150 reputation** are eligible to submit reports for assets in this scope. This requirement is in place due to a recent increase in low-effort, AI-generated reports that do not meet our quality standards. Reports submitted below this threshold will be automatically closed as Informative without review.\n\nYou must abide by this scope. We do not offer rewards for out-of-scope vulnerabilities or excluded submission types.\n\n​\n\n# Program Rules and Conditions\nAs with most vulnerability disclosure programs, there are some requirements and restrictions that apply to our Program. If you have any questions, please reach out to [bugbounty@dynatrace.com](mailto:bugbounty@dynatrace.com).\n\n- Only use the account you have requested via our HackerOne signup for testing purposes. 
Do not attempt to compromise or otherwise gain access to an account you do not own.\n- Do not bulk create additional accounts within MyAccount (our account management portal). Only create a small number of accounts with different permissions to test privilege escalation.\n- Submit a report for each vulnerability, unless exploitation works only by chaining multiple vulnerabilities together. Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n- Explain your finding in as much detail as possible. Provide reproducible steps and use screenshots or a screen recording to demonstrate your proof-of-concept.\n- We're fine with AI tools being part of your workflow, and so is HackerOne's [Code of Conduct](https://www.hackerone.com/policies/code-of-conduct). But if it's clear that little to no effort went into a submission, don't expect much effort in return. Low-effort, AI-generated submissions without a meaningful, product-relevant proof-of-concept, or unverified claims will be closed without detailed feedback.\n- Follow HackerOne’s vulnerability disclosure guidelines. Please note that this Policy supersedes those guidelines in the event of a conflict.\n- Comply with applicable federal, state, local, and international laws in connection with your participation in this Program. Do not engage in any activity that constitutes a criminal offense, infringes intellectual property rights, or violates any law or contract, including our [Terms of Use](https://www.dynatrace.com/company/trust-center/terms-of-use/).\n- Use a proof of concept only to demonstrate an issue. Do not exploit a vulnerability you discovered for any reason, including accessing, modifying, deleting, copying, downloading, acquiring, or otherwise processing any confidential, proprietary, or personal information accessible as a result of a vulnerability. If you inadvertently engage in any such activity, please stop testing and contact us immediately. 
If you obtain a copy of any Dynatrace data inadvertently or in violation of this Policy, you agree to return all such copies to us and not retain any copy thereof.\n- You may not adversely impact the confidentiality, integrity, or availability of data or services belonging to Dynatrace, its customers, suppliers, or other third parties. This includes: (i) damaging, disrupting, or degrading Dynatrace’s products and service to its customers; (ii) modifying or corrupting Dynatrace programs or data to extract and publish information; or (iii) extracting or publishing data belonging to Dynatrace customers.\n\n- In connection with your participation in the Program, you may not do any of the following:\n  - Engage in any activity that results in unauthorized access to or destruction of systems or data (excluding test data) or interrupts or degrades services (such as denial of service attacks).\n  - Access another user’s account or device without authorization (such as through credentials that have been published online), trade stolen user credentials, intercept or eavesdrop on communications, or engage in any form of other privacy violations.\n  - Use automated tools to generate significant traffic (apart from easyTravel \u0026 easyTrade, which are mentioned under Setup), which may affect the availability of our platform.\n  - Send unsolicited or unauthorized junk mail or spam.\n  - Impersonate or misrepresent your affiliation with another person or entity.\n  - Engage in social engineering (including phishing, vishing, and smishing).\n  - Send or spread any malicious software or other materials that could cause harm, disruption, or compromise.\n  - Attempt to gain physical access to any of our offices or facilities or take any physical action against property or data centers used by Dynatrace, its customers, or suppliers.\n  - Engage in subdomain takeovers.\n- Do not use illegal software. 
Participants are solely responsible for the tools they use.\n\n​\n\n# Program Eligibility\nTo participate in our Program, you must be a security researcher who is at least eighteen (18) years of age. In connection with your participation in the Program, you agree to comply with all applicable laws and regulations.\n\nYou are not eligible to participate in our Program if:\n- You are a current or former Dynatrace employee or service provider or are an immediate \nfamily member of one of our employees or service providers.\n- You or someone you work for is a person or entity who appears on any sanctions list maintained by the United States, European Union, United Kingdom, or United Nations.\n- You reside or otherwise are located in a country on those sanctions lists (such as Cuba, Iran, North Korea, Syria, Russia, Belarus, Venezuela, and the Crimea, Donetsk People’s Republic, and Luhansk People’s Republic regions of Ukraine).\n​\n\n# Vulnerability Disclosures\n- All information disclosed to us about vulnerabilities (including resolved ones) is intended to be provided privately to Dynatrace.\n- You agree to treat all information about vulnerabilities disclosed to us through the  program as confidential and not share the information with others, unless we have  provided our prior written consent to allow you to disclose the information to a third  party or the public.\n- Dynatrace will determine, in its sole discretion, whether public recognition for resolved vulnerabilities will be provided. 
In doing so, we will take into consideration, among other factors, whether you complied with this Policy and the contribution to the security community.\n- Any vulnerabilities that are publicly disclosed without providing a reasonable amount of time for Dynatrace to respond will not be rewarded.\n\n​\n\n# Ownership\nAs described in the [HackerOne Finder Terms and Conditions](https://www.hackerone.com/terms/finder-2023), you grant us a perpetual, irrevocable, non-exclusive, transferable, sublicensable, worldwide, royalty-free license to use, copy, reproduce, display, modify, adapt, transmit, and distribute copies of any information made available to us in connection with our Program for any purpose.\n\nThis Program is not an offer of employment. Nothing in this Policy is intended to render Dynatrace and you as joint venturers, partners, or employer and employee.\n\n​\n\n# Rewards, Modification and Termination\nVulnerabilities obtained by exploiting Dynatrace employees, customers, or suppliers, or by otherwise violating this Policy, are not eligible for a bounty and will result in immediate disqualification from the Program. Dynatrace may, in our sole discretion, terminate or suspend your participation in the Program for any reason and without prior notice to you.\n\nDynatrace reserves the right to discontinue this Program and to change any aspect of the Program or its terms at any time without prior notification. Once the updated Policy has been posted, your continued participation in our Program will constitute your acceptance of any modification or update made by us. All decisions regarding reward payments are final. The rules of this Program or any communication related thereto do not provide or imply any obligations to Dynatrace of any kind.\n\n​\n\n# Safe Harbor\nThe intent of this Program is to encourage coordinated and responsible disclosure. 
Unless required by law or law enforcement authorities, we do not intend to initiate any legal action against you if you comply with this Policy. Dynatrace reserves all legal rights in the event of any noncompliance.\n\nIf your security research involves the networks, systems, data, products, or services of another party, that third party may determine whether to pursue legal action. We cannot and do not authorize security research involving other entities.\n\nThank you for helping keep Dynatrace and our customers safe!\n\n​\n\n# Limitation of Liability\nIN NO EVENT WILL WE BE LIABLE TO YOU FOR ANY DIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES, OR LOST REVENUES OR PROFITS, ARISING OUT OF OR RELATED TO YOUR PARTICIPATION IN THE PROGRAM, WHETHER BASED ON WARRANTY, CONTRACT, OR ANY OTHER LEGAL THEORY AND WHETHER OR NOT WE HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. BECAUSE SOME JURISDICTIONS DO NOT ALLOW FOR THE EXCLUSION OF DAMAGES, OUR LIABILITY IN SUCH JURISDICTIONS WILL BE LIMITED TO THE MAXIMUM EXTENT PERMITTED BY THE LAWS OF SUCH JURISDICTION.\n\n​\n​\n\n# Useful tips for the setup\n\n---\n\n​\n\n## Getting Started\nHere is some documentation that we also provide to our external penetration testers. The following PDF files are intended to give you a brief overview of our product and to help you get started. Additionally, we’ve included several attack scenarios that we believe are particularly relevant and worth exploring.\n- {F4458020}\n- {F4458021}\n\n​\n\n## OneAgent\nTo test all functions of Dynatrace we recommend that you install a Dynatrace OneAgent on a test environment. OneAgent is responsible for collecting all monitoring data within your monitored environment. This way, you can see some data in your environment.\n\nYou can find further installation instructions on our [support page](https://www.dynatrace.com/support/help/setup-and-configuration/dynatrace-oneagent/installation-and-operation). 
\n\n​\n\n## EasyTravel \u0026 EasyTrade\nEasyTravel \u0026 EasyTrade are demo applications which can help you to generate test data. Install it on the environment where you installed the OneAgent.\n\nHere are some links that contain more detailed instructions and download links: \n- [EasyTravel installation, download and integration](https://community.dynatrace.com/t5/Start-with-Dynatrace/easyTravel-Documentation-and-Download/m-p/181271)\n- [EasyTravel docker installation](https://github.com/Dynatrace/easyTravel-Docker)\n- [EasyTrade installation and download](https://github.com/Dynatrace/easytrade)\n- [How to integrate EasyTrade into your testing environment](https://docs.dynatrace.com/docs/platform-modules/business-analytics/ba-end-to-end-use-case)\n\n*Please keep in mind that EasyTravel \u0026 EasyTrade are out of scope of this Program!*\n\n​\n\n## ActiveGate\nActiveGate is a secure proxy that connects Dynatrace OneAgents to Dynatrace Clusters or other ActiveGates. It simplifies network interactions, reduces complexity and cost, and performs monitoring tasks for different technologies.\n\nFor more information, visit the [ActiveGate documentation](https://www.dynatrace.com/support/help/setup-and-configuration/dynatrace-activegate), or refer to the [installation guide](https://www.dynatrace.com/support/help/setup-and-configuration/dynatrace-activegate/installation).\n\n​\n\n## How to access your 2nd gen environment\nIf you haven't requested your testing environment yet, please do so. You can find detailed instructions at the top of our Policy page. Once you have requested your testing environment, you will be redirected to the latest version of our product, the Dynatrace Platform (3rd gen). This serves as your default testing environment. 
While we continue to support the older 2nd gen version with regular updates and patches, new customers will be onboarded to the Dynatrace Platform.\n\nBy default, you will be automatically redirected from your 2nd to your 3rd gen environment. You can disable this redirection by following these steps: \n1. Access your Dynatrace Platform environment: `*.sprint.apps.dynatracelabs.com`\n2. Click on the account icon at the bottom left of your Platform (3rd gen) environment.\n3. Switch off the \"Latest Dynatrace\" flag.\n4. You'll be redirected to your 2nd gen environment.\n5. To return to your Platform (3rd gen) environment, simply navigate back using the direct URL.\n\n{F2960757}\n\nIf you have any questions or this doesn't work for you, please reach out to [bugbounty@dynatrace.com](mailto:bugbounty@dynatrace.com).\n\n​\n\n## Mobile Agent\nWith Dynatrace, it is also possible to monitor mobile applications for Android and iOS. The setup process is different as it involves compiling, packaging and shipping a monitoring library together with your own mobile application package.\n\nYou can find information on how to do this on our support page: \n- [Android](https://www.dynatrace.com/support/help/platform-modules/digital-experience/mobile-applications/instrument-android-app)\n- [iOS](https://www.dynatrace.com/support/help/platform-modules/digital-experience/mobile-applications/instrument-ios-app)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-04-27T05:08:33.747Z"},{"id":3773074,"new_policy":"# Dynatrace's Bug Bounty Program\n\nWe reward security researchers who help keep our platform secure by discovering and responsibly disclosing vulnerabilities. Our bug bounty program offers rewards up to $10,000. 
High quality reports generally qualify for a **$50 bonus**, awarded at the discretion of the handling team member. *For more information see **Program Rewards**.*\n\nYour participation in our vulnerability disclosure program is voluntary and subject to the terms and conditions set forth in this Policy and the [HackerOne Finder Terms and Conditions](https://www.hackerone.com/terms/finder-2023), including the [HackerOne Disclosure Guidelines](https://www.hackerone.com/terms/disclosure-guidelines). Any violation of this Policy may result in ineligibility for a reward and/or removal from the Program.\n\n​\n\n# How to get your testing environment\nTo get your testing environment, follow these steps:\n1. Visit this link: [https://www.dynatrace.com/signup/hackerone/](https://www.dynatrace.com/signup/hackerone/)\n2. Use your `@wearehackerone.com` email address for signup.\n3. You're allowed to sign up multiple times if needed, but please keep your testing accounts to a minimum. \n4. Each testing account you set up will be active for three months.\n5. If you have any questions, feel free to contact us at [bugbounty@dynatrace.com](mailto:bugbounty@dynatrace.com). Please reach out before engaging in any conduct that may be inconsistent with or unaddressed by these guidelines.\n6. *For setup tips and useful resources, check out the **Useful tips for the setup** section at the bottom of this page.*\n\n​\n\n# Program Rewards\nBy participating in the Program, you may be eligible to receive a monetary reward for qualifying vulnerabilities reported in accordance with this Policy. To be eligible for a reward:\n- You must report a qualifying vulnerability through HackerOne\n- You must be the first person to report the vulnerability\n- We must determine that the vulnerability is valid and not previously known by us\n- You must comply with this Policy\n\nRewards will be determined by Dynatrace in its sole discretion. 
If we decide to provide a reward, we will determine the payment amount based on our assessment of the risk and severity of the vulnerability and other factors, such as its uniqueness. You are responsible for the payment of all applicable taxes related to the rewards you receive in connection with the Program.\n\nWe will only reward the first person to responsibly report a vulnerability to us. When duplicates occur, we triage the first report that was received (provided that it can be fully reproduced). Dynatrace retains sole discretion on whether to designate a report as duplicate or not applicable. When appropriate, Dynatrace will try to explain why the report is not eligible for a reward.\n\nHigh quality reports generally qualify for a **$50 bonus**, awarded at the discretion of the handling team member. A high quality report is concise, contains all necessary information, includes an accurate severity rating, and provides a clear and actionable proof-of-concept. Reports that are bloated with irrelevant information, exaggerate or twist findings to appear more severe, or rely heavily on AI-generated content with little researcher input will likely not qualify for the bonus.\n\n​\n\n# Exclusions and Out-of-Scope Vulnerabilities\n\nWhen reporting vulnerabilities, please consider the (1) attack scenario/exploitability, and (2) security impact of the issue. Reports that solely indicate a lack of possible security defenses are excluded from this Program. The following issues are considered out of scope: \n\n- Lack of CSRF tokens (unless you provide evidence of an actual sensitive user action that isn’t protected by a token).\n- CSRF attacks that are performed in the same session and browser window as the captured forms. 
Please note: Before you submit a CSRF vulnerability, please confirm that it can be reproduced after you log out, restart the browser, and log in again.\n- Login and logout CSRF.\n- Missing HTTP security headers that don’t directly contribute to a vulnerability.\n- Host header injections (we require evidence showing how these can lead to the theft of user data).\n- Absence of best practices (unless evidence of a security vulnerability is demonstrated).\n- Self-XSS (we require evidence showing how XSS can be used to attack another user).\n- Missing flags on non-sensitive cookies.\n- Reports from automated tools or vulnerability scanners.\n- Reports of insecure SSL/TLS ciphers or outdated certificates.\n- Reports of insecure DNS and server configurations (e.g. open ports).\n- Credentials that have been posted on the Internet (e.g., the Darknet, Telegram, etc.)\n- Vulnerabilities affecting users of outdated browsers, plug-ins, or platforms.\n- Password, email and account policies.\n- Presence/absence of DKIM/SPF/DMARC records.\n- CSP (Content-Security-Policy) issues.\n- Issues related to software or protocols not under Dynatrace’s control.\n\n**GitHub repositories.** Only reporters with at least **150 reputation** are eligible to submit reports for assets in this scope. This requirement is in place due to a recent increase in low-effort, AI-generated reports that do not meet our quality standards. Reports submitted below this threshold will be automatically closed as Informative without review.\n\nYou must abide by this scope. We do not offer rewards for out-of-scope vulnerabilities or excluded submission types.\n\n​\n\n# Program Rules and Conditions\nAs with most vulnerability disclosure programs, there are some requirements and restrictions that apply to our Program. If you have any questions, please reach out to [bugbounty@dynatrace.com](mailto:bugbounty@dynatrace.com).\n\n- Only use the account you have requested via our HackerOne signup for testing purposes. 
Do not attempt to compromise or otherwise gain access to an account you do not own.\n- Do not bulk create additional accounts within MyAccount (our account management portal). Only create a small number of accounts with different permissions to test privilege escalation.\n- Submit a report for each vulnerability, unless exploitation works only by chaining multiple vulnerabilities together. Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n- Explain your finding in as much detail as possible. Provide reproducible steps and use screenshots or a screen recording to demonstrate your proof-of-concept.\n- We're fine with AI tools being part of your workflow, and so is HackerOne's [Code of Conduct](https://www.hackerone.com/policies/code-of-conduct). But if it's clear that little to no effort went into a submission, don't expect much effort in return. Low-effort, AI-generated submissions without a meaningful, product-relevant proof-of-concept, or unverified claims will be closed without detailed feedback.\n- Follow HackerOne’s vulnerability disclosure guidelines. Please note that this Policy supersedes those guidelines in the event of a conflict.\n- Comply with applicable federal, state, local, and international laws in connection with your participation in this Program. Do not engage in any activity that constitutes a criminal offense, infringes intellectual property rights, or violates any law or contract, including our [Terms of Use](https://www.dynatrace.com/company/trust-center/terms-of-use/).\n- Use a proof of concept only to demonstrate an issue. Do not exploit a vulnerability you discovered for any reason, including accessing, modifying, deleting, copying, downloading, acquiring, or otherwise processing any confidential, proprietary, or personal information accessible as a result of a vulnerability. If you inadvertently engage in any such activity, please stop testing and contact us immediately. 
If you obtain a copy of any Dynatrace data inadvertently or in violation of this Policy, you agree to return all such copies to us and not retain any copy thereof.\n- You may not adversely impact the confidentiality, integrity, or availability of data or services belonging to Dynatrace, its customers, suppliers, or other third parties. This includes: (i) damaging, disrupting, or degrading Dynatrace’s products and service to its customers; (ii) modifying or corrupting Dynatrace programs or data to extract and publish information; or (iii) extracting or publishing data belonging to Dynatrace customers.\n\n- In connection with your participation in the Program, you may not do any of the following:\n  - Engage in any activity that results in unauthorized access to or destruction of systems or data (excluding test data) or interrupts or degrades services (such as denial of service attacks).\n  - Access another user’s account or device without authorization (such as through credentials that have been published online), trade stolen user credentials, intercept or eavesdrop on communications, or engage in any form of other privacy violations.\n  - Use automated tools to generate significant traffic (apart from easyTravel \u0026 easyTrade, which are mentioned under Setup), which may affect the availability of our platform.\n  - Send unsolicited or unauthorized junk mail or spam.\n  - Impersonate or misrepresent your affiliation with another person or entity.\n  - Engage in social engineering (including phishing, vishing, and smishing).\n  - Send or spread any malicious software or other materials that could cause harm, disruption, or compromise.\n  - Attempt to gain physical access to any of our offices or facilities or take any physical action against property or data centers used by Dynatrace, its customers, or suppliers.\n  - Engage in subdomain takeovers.\n- Do not use illegal software. 
Participants are solely responsible for the tools they use.\n\n​\n\n# Program Eligibility\nTo participate in our Program, you must be a security researcher who is at least eighteen (18) years of age. In connection with your participation in the Program, you agree to comply with all applicable laws and regulations.\n\nYou are not eligible to participate in our Program if:\n- You are a current or former Dynatrace employee or service provider or are an immediate \nfamily member of one of our employees or service providers.\n- You or someone you work for is a person or entity who appears on any sanctions list maintained by the United States, European Union, United Kingdom, or United Nations.\n- You reside or otherwise are located in a country on those sanctions lists (such as Cuba, Iran, North Korea, Syria, Russia, Belarus, Venezuela, and the Crimea, Donetsk People’s Republic, and Luhansk People’s Republic regions of Ukraine).\n​\n\n# Vulnerability Disclosures\n- All information disclosed to us about vulnerabilities (including resolved ones) is intended to be provided privately to Dynatrace.\n- You agree to treat all information about vulnerabilities disclosed to us through the  program as confidential and not share the information with others, unless we have  provided our prior written consent to allow you to disclose the information to a third  party or the public.\n- Dynatrace will determine, in its sole discretion, whether public recognition for resolved vulnerabilities will be provided. 
In doing so, we will take into consideration, among other factors, whether you complied with this Policy and the contribution to the security community.\n- Any vulnerabilities that are publicly disclosed without providing a reasonable amount of time for Dynatrace to respond will not be rewarded.\n\n​\n\n# Ownership\nAs described in the [HackerOne Finder Terms and Conditions](https://www.hackerone.com/terms/finder-2023), you grant us a perpetual, irrevocable, non-exclusive, transferable, sublicensable, worldwide, royalty-free license to use, copy, reproduce, display, modify, adapt, transmit, and distribute copies of any information made available to us in connection with our Program for any purpose.\n\nThis Program is not an offer of employment. Nothing in this Policy is intended to render Dynatrace and you as joint venturers, partners, or employer and employee.\n\n​\n\n# Rewards, Modification and Termination\nVulnerabilities obtained by exploiting Dynatrace employees, customers, or suppliers, or by otherwise violating this Policy, are not eligible for a bounty and will result in immediate disqualification from the Program. Dynatrace may, in our sole discretion, terminate or suspend your participation in the Program for any reason and without prior notice to you.\n\nDynatrace reserves the right to discontinue this Program and to change any aspect of the Program or its terms at any time without prior notification. Once the updated Policy has been posted, your continued participation in our Program will constitute your acceptance of any modification or update made by us. All decisions regarding reward payments are final. The rules of this Program or any communication related thereto do not provide or imply any obligations to Dynatrace of any kind.\n\n​\n\n# Safe Harbor\nThe intent of this Program is to encourage coordinated and responsible disclosure. 
Unless required by law or law enforcement authorities, we do intend to initiate any legal action against you if you comply with this Policy. Dynatrace reserves all legal rights in the event of any noncompliance.\n\nIf your security research involves the networks, systems, data, products, or services of another party, that third party may determine whether to pursue legal action. We cannot and do not authorize security research involving other entities.\n\nThank you for helping keep Dynatrace and our customers safe!\n\n​\n\n# Limitation of Liability\nIN NO EVENT WILL WE BE LIABLE TO YOU FOR ANY DIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES, OR LOST REVENUES OR PROFITS, ARISING OUT OF OR RELATED TO YOUR PARTICIPATION IN THE PROGRAM, WHETHER BASED ON WARRANTY, CONTRACT, OR ANY OTHER LEGAL THEORY AND WHETHER OR NOT WE HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. BECAUSE SOME JURISDICTIONS DO NOT ALLOW FOR THE EXCLUSION OF DAMAGES, OUR LIABILITY IN SUCH JURISDICTIONS WILL BE LIMITED TO THE MAXIMUM EXTENT PERMITTED BY THE LAWS OF SUCH JURISDICTION.\n\n​\n​\n\n# Useful tips for the setup\n\n---\n\n​\n\n## Getting Started\nHere is some documentation that we also provide to our external penetration testers. The following PDF files are intended to give you a brief overview of our product and to help you get started. Additionally, we’ve included several attack scenarios that we believe are particularly relevant and worth exploring.\n- {F4458020}\n- {F4458021}\n\n​\n\n## OneAgent\nTo test all functions of Dynatrace we recommend that you install a Dynatrace OneAgent on a test environment. OneAgent is responsible for collecting all monitoring data within your monitored environment. This way, you can see some data in your environment.\n\nYou can find further installation instructions on our [support page](https://www.dynatrace.com/support/help/setup-and-configuration/dynatrace-oneagent/installation-and-operation). 
\n\n​\n\n## EasyTravel \u0026 EasyTrade\nEasyTravel \u0026 EasyTrade are demo applications which can help you to generate test data. Install it on the environment where you installed the OneAgent.\n\nHere are some links that contain more detailed instructions and download links: \n- [EasyTravel installation, download and integration](https://community.dynatrace.com/t5/Start-with-Dynatrace/easyTravel-Documentation-and-Download/m-p/181271)\n- [EasyTravel docker installation](https://github.com/Dynatrace/easyTravel-Docker)\n- [EasyTrade installation and download](https://github.com/Dynatrace/easytrade)\n- [How to integrate EasyTrade into your testing environment](https://docs.dynatrace.com/docs/platform-modules/business-analytics/ba-end-to-end-use-case)\n\n*Please keep in mind that EasyTravel \u0026 EasyTrade are out of scope of this Program!*\n\n​\n\n## ActiveGate\nActiveGate is a secure proxy that connects Dynatrace OneAgents to Dynatrace Clusters or other ActiveGates. It simplifies network interactions, reduces complexity and cost, and performs monitoring tasks for different technologies.\n\nFor more information, visit the [ActiveGate documentation](https://www.dynatrace.com/support/help/setup-and-configuration/dynatrace-activegate), or refer to the [installation guide](https://www.dynatrace.com/support/help/setup-and-configuration/dynatrace-activegate/installation).\n\n​\n\n## How to access your 2nd gen environment\nIf you haven't requested your testing environment yet, please do so. You can find detailed instructions at the top of our Policy page. Once you have requested your testing environment, you will be redirected to the latest version of our product, the Dynatrace Platform (3rd gen). This serves as your default testing environment. 
While we continue to support the older 2nd gen version with regular updates and patches, new customers will be onboarded to the Dynatrace Platform.\n\nBy default, you will be automatically redirected from your 2nd to your 3rd gen environment. You can disable this redirection by following these steps: \n1. Access your Dynatrace Platform environment: `*.sprint.apps.dynatracelabs.com`\n2. Click on the account icon at the bottom left of your Platform (3rd gen) environment.\n3. Switch off the \"Latest Dynatrace\" flag.\n4. You'll be redirected to your 2nd gen environment.\n5. To return to your Platform (3rd gen) environment, simply navigate back using the direct URL.\n\n{F2960757}\n\nIf you have any questions or this doesn't work for you, please reach out to [bugbounty@dynatrace.com](mailto:bugbounty@dynatrace.com).\n\n​\n\n## Mobile Agent\nWith Dynatrace, it is also possible to monitor mobile applications for Android and iOS. The setup process is different as it involves compiling, packaging and shipping a monitoring library together with your own mobile application package.\n\nYou can find information on how to do this on our support page: \n- [Android](https://www.dynatrace.com/support/help/platform-modules/digital-experience/mobile-applications/instrument-android-app)\n- [iOS](https://www.dynatrace.com/support/help/platform-modules/digital-experience/mobile-applications/instrument-ios-app)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-04-24T09:10:36.378Z"},{"id":3773042,"new_policy":"# How to get your testing environment\nTo get your testing environment, follow these steps:\n\n1. Visit this link: [https://www.dynatrace.com/signup/hackerone/](https://www.dynatrace.com/signup/hackerone/)\n2. 
Use your @wearehackerone.com email address for registration.\n3. You're allowed to sign up multiple times if needed, but please keep your testing accounts to a minimum. \n4. Each testing account you set up will be active for three months.\n5. If you have any questions, feel free to contact us at [bugbounty@dynatrace.com](mailto:bugbounty@dynatrace.com). Please reach out before engaging in any conduct that may be inconsistent with or unaddressed by these guidelines.\n\n# Program Rules\n- If you have any questions, please reach out to bugbounty@dynatrace.com.\n- Only use the account you have requested via our HackerOne signup. \n- Don't cause any privacy violations, destruction of data (excluding test data), degradation or disruption of Dynatrace services. \n- Don't cause any adverse impact to Dynatrace customers or suppliers. \n- Don’t bulk create additional accounts within MyAccount (our account management portal). Only create a small number of accounts with different permissions to test privilege escalation.\n- Create a report on HackerOne for each vulnerability, unless exploitation works only by chaining multiple vulnerabilities together. \n- Explain your finding in as much detail as possible. Use screenshots or a screen recording to demonstrate your proof-of-concept.\n- Current and former employees of Dynatrace are not eligible to participate in the program.\n- Dynatrace retains sole discretion on whether to designate a report as duplicate or not applicable. Dynatrace will do its best to explain in each case why the report is not eligible for a reward.\n\n# Eligibility and Responsible Disclosure\n\nIn connection with your participation in this program, you agree to comply with all applicable laws and regulations. \n\nYou may not participate in this program if you are subject to sanctions by the United States, the European Union, or the United Kingdom.  
You also may not participate if you are a resident or an individual located in a country that is subject to comprehensive or near-comprehensive sanctions (Cuba, Iran, North Korea, Syria, Russia, Belarus, Venezuela, and the Crimea, Donetsk People’s Republic, and Luhansk People’s Republic regions of Ukraine). \n\nWe will only reward the first person to responsibly report a vulnerability to us. Any vulnerabilities that are publicly disclosed without providing a reasonable amount of time for Dynatrace to respond will not be rewarded. You must report a qualifying vulnerability through the HackerOne reporting tool to be eligible for a reward.\n\nPlease make sure to have read [HackerOne’s vulnerability disclosure guidelines](https://www.hackerone.com/disclosure-guidelines) before you start participating in the Dynatrace bug bounty program.\n\n# Exclusions\n\nDo not engage in the following: \n- Denial of Service attacks\n- Unauthorized account access (including through credentials that have been published on the internet, such as on the Darknet or Telegram). \n- The use of automated tools to generate significant traffic (apart from easyTravel \u0026 easyTrade, which are mentioned under Setup), which may affect the availability of our platform. \n- Spamming\n- Social engineering (including phishing) against Dynatrace, its customers, or suppliers. \n- Any physical action against property or data centers used by Dynatrace, its customers, or suppliers\n- Subdomain Takeovers\n\nReports that solely indicate a lack of possible security defenses are excluded from this program.  This includes:\n- Lack of CSRF tokens (unless you provide evidence of an actual sensitive user action that isn’t protected by a token).\n - CSRF attacks that are performed in the same session and browser window as the captured forms. 
Please note: Before you submit a CSRF vulnerability, please confirm that it can be reproduced after you log out, restart the browser, and log in again.\n- Login and logout CSRF.\n- Missing HTTP security headers that don’t directly contribute to a vulnerability.\n- Host header injections (we require evidence showing how these can lead to the theft of user data).\n- Absence of best practices (unless evidence of a security vulnerability is demonstrated).\n- Self-XSS (we require evidence showing how XSS can be used to attack another user).\n- Missing flags on non-sensitive cookies.\n- Reports from automated tools or vulnerability scanners.\n- Reports of insecure SSL/TLS ciphers or outdated certificates.\n- Reports of insecure DNS and server configurations (e.g. open ports).\n- Credentials that have been posted on the Internet (e.g., the Darknet, Telegram, etc.)\n- Vulnerabilities affecting users of outdated browsers, plug-ins, or platforms.\n- Password, email and account policies.\n- Presence/absence of DKIM/SPF/DMARC records.\n- CSP (Content-Security-Policy) issues.\n- Issues related to software or protocols not under Dynatrace’s control.\n\n# Legal\n\nIn connection with your participation in this program, you agree to comply with all applicable laws and regulations.  \n\nYou may not participate in this program if you are subject to sanctions by the United States, the European Union, or the United Kingdom. You also may not participate if you are a resident or an individual located in a country that is subject to comprehensive or near-comprehensive sanctions (Cuba, Iran, North Korea, Syria, Russia, Belarus, Venezuela, and the Crimea, Donetsk People’s Republic, and Luhansk People’s Republic regions of Ukraine).  \n\nYou may not adversely impact confidentiality, integrity, or availability of data or services belonging to Dynatrace, its customers, or suppliers.  
This includes: (i) disrupting or degrading Dynatrace’s products and service to its customers; (ii) modifying or corrupting Dynatrace programs or data to extract and publish information; and (iii) extracting or publishing data belonging to Dynatrace customers.\n\nVulnerabilities obtained by exploiting Dynatrace employees, customers, or suppliers, or by otherwise violating these guidelines, are not eligible for a bounty and will result in immediate disqualification from the program.\n\nDynatrace reserves the right to discontinue this reward program and to change its terms at any time without prior notification. All decisions regarding reward payments are final. The rules of this reward program or any communication related thereto do not provide or imply any obligations to Dynatrace of any kind.\n\nDynatrace’s collection, processing, and use of your information is described in [Dynatrace Privacy Notice.](https://www.dynatrace.com/company/trust-center/privacy/)\n\nThank you for helping keep Dynatrace and our customers safe!\n\n\n---\n\n​\n\n# Useful tips for the setup\n\n## Getting Started\nHere is some documentation that we also provide to our external penetration testers. The following PDF files are intended to give you a brief overview of our product and help you get started. Additionally, we’ve included several attack scenarios that we believe are particularly relevant and worth exploring.\n- {F4458020}\n- {F4458021}\n\n## OneAgent\nTo test all functions of Dynatrace we recommend that you install a Dynatrace OneAgent on a test environment. OneAgent is responsible for collecting all monitoring data within your monitored environment. This way you can see some data in your environment. \n\nYou can find further installation instructions on our [support page](https://www.dynatrace.com/support/help/setup-and-configuration/dynatrace-oneagent/installation-and-operation). 
\n\n## EasyTravel \u0026 EasyTrade\nEasyTravel \u0026 EasyTrade are demo applications which can help you to generate test data. Install it on the environment where you installed the OneAgent.\n\nHere are some links that contain more detailed instructions \u0026 download links: \n- [EasyTravel installation, download \u0026 integration](https://community.dynatrace.com/t5/Start-with-Dynatrace/easyTravel-Documentation-and-Download/m-p/181271)\n- [EasyTravel docker installation](https://github.com/Dynatrace/easyTravel-Docker)\n- [EasyTrade installation \u0026 download](https://github.com/Dynatrace/easytrade)\n- [How to integrate EasyTrade into your testing environment](https://docs.dynatrace.com/docs/platform-modules/business-analytics/ba-end-to-end-use-case)\n\n*Please keep in mind that EasyTravel \u0026 EasyTrade are out of scope of this program!*\n\n## ActiveGate\nActiveGate is a secure proxy that connects Dynatrace OneAgents to Dynatrace Clusters or other ActiveGates. It simplifies network interactions, reduces complexity and cost, and performs monitoring tasks for different technologies.\n\nFor more information, visit the [ActiveGate documentation](https://www.dynatrace.com/support/help/setup-and-configuration/dynatrace-activegate), or refer to the [installation guide](https://www.dynatrace.com/support/help/setup-and-configuration/dynatrace-activegate/installation).\n\n\n## How to access your 2nd gen environment\nIf you haven't requested your testing environment yet, please do so. You can find detailed instructions at the top of our Policy page. Once you have requested your testing environment, you will be redirected to the latest version of our product, the Dynatrace Platform (3rd gen). This serves as your default testing environment. 
While we continue to support the older 2nd gen version with regular updates and patches, new customers will be onboarded to the Dynatrace Platform.\n\nBy default, you will be automatically redirected from your 2nd to your 3rd gen environment. You can disable this redirection by following these steps: \n1. Access your Dynatrace Platform environment: `*.sprint.apps.dynatracelabs.com`\n2. Click on the account icon at the bottom left of your Platform (3rd gen) environment.\n3. Switch off the \"Latest Dynatrace\" flag.\n4. You'll be redirected to your 2nd gen environment.\n5. To return to your Platform (3rd gen) environment, simply navigate back using the direct URL.\n\n{F2960757}\n\nIf you have any questions or this doesn't work for you, please reach out to bugbounty@dynatrace.com\n\n## Mobile Agent\nWith Dynatrace, it is also possible to monitor mobile applications for Android and iOS. The setup process is different as it involves compiling, packaging and shipping a monitoring library together with your own mobile application package.\n\nYou can find information on how to do this on our support page: \n- [Android](https://www.dynatrace.com/support/help/platform-modules/digital-experience/mobile-applications/instrument-android-app)\n- [iOS](https://www.dynatrace.com/support/help/platform-modules/digital-experience/mobile-applications/instrument-ios-app)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-04-23T11:43:41.901Z"},{"id":3773040,"new_policy":"# How to get your testing environment\nTo get your testing environment, follow these steps:\n\n1. Visit this link: [https://www.dynatrace.com/signup/hackerone/](https://www.dynatrace.com/signup/hackerone/)\n2. Use your @wearehackerone.com email address for registration.\n3. 
You're allowed to sign up multiple times if needed, but please keep your testing accounts to a minimum. \n4. Each testing account you set up will be active for three months.\n5. If you have any questions, feel free to contact us at [bugbounty@dynatrace.com](mailto:bugbounty@dynatrace.com). Please reach out before engaging in any conduct that may be inconsistent with or unaddressed by these guidelines.\n\n# Program Rules\n- If you have any questions, please reach out to bugbounty@dynatrace.com.\n- Only use the account you have requested via our HackerOne signup. \n- Don't cause any privacy violations, destruction of data (excluding test data), degradation or disruption of Dynatrace services. \n- Don't cause any adverse impact to Dynatrace customers or suppliers. \n- Don’t bulk create additional accounts within MyAccount (our account management portal). Only create a small number of accounts with different permissions to test privilege escalation.\n- Create a report on HackerOne for each vulnerability, unless exploitation works only by chaining multiple vulnerabilities together. \n- Explain your finding in as much detail as possible. Use screenshots or a screen recording to demonstrate your proof-of-concept.\n- Current and former employees of Dynatrace are not eligible to participate in the program.\n- Dynatrace retains sole discretion on whether to designate a report as duplicate or not applicable. Dynatrace will do its best to explain in each case why the report is not eligible for a reward.\n\n# Eligibility and Responsible Disclosure\n\nIn connection with your participation in this program, you agree to comply with all applicable laws and regulations. \n\nYou may not participate in this program if you are subject to sanctions by the United States, European Union, or United Kingdom.  
You also may not participate if you are a resident or an individual located in a country that is subject to comprehensive or near-comprehensive sanctions (Cuba, Iran, North Korea, Syria, Russia, Belarus, Venezuela, and the Crimea, Donetsk People’s Republic, and Luhansk People’s Republic regions of Ukraine). \n\nWe will only reward the first person to responsibly report a vulnerability to us. Any vulnerabilities that are publicly disclosed without providing a reasonable amount of time for Dynatrace to respond will not be rewarded. You must report a qualifying vulnerability through the HackerOne reporting tool to be eligible for a reward.\n\nPlease make sure to have read [HackerOne’s vulnerability disclosure guidelines](https://www.hackerone.com/disclosure-guidelines) before you start participating in the Dynatrace bug bounty program.\n\n# Exclusions\n\nDo not engage in the following: \n- Denial of Service attacks\n- Unauthorized account access (including through credentials that have been published on the internet, such as on the Darknet or Telegram). \n- The use of automated tools to generate significant traffic (apart from easyTravel \u0026 easyTrade, which are mentioned under Setup), which may affect the availability of our platform. \n- Spamming\n- Social engineering (including phishing) against Dynatrace, its customers, or suppliers. \n- Any physical action against property or data centers used by Dynatrace, its customers, or suppliers\n- Subdomain Takeovers\n\nReports that solely indicate a lack of possible security defenses are excluded from this program.  This includes:\n- Lack of CSRF tokens (unless you provide evidence of an actual sensitive user action that isn’t protected by a token).\n - CSRF attacks that are performed in the same session and browser window as the captured forms. 
Please note: Before you submit a CSRF vulnerability, please confirm that it can be reproduced after you log out, restart the browser, and log in again.\n- Login and logout CSRF.\n- Missing HTTP security headers that don’t directly contribute to a vulnerability.\n- Host header injections (we require evidence showing how these can lead to the theft of user data).\n- Absence of best practices (unless evidence of a security vulnerability is demonstrated).\n- Self-XSS (we require evidence showing how XSS can be used to attack another user).\n- Missing flags on non-sensitive cookies.\n- Reports from automated tools or vulnerability scanners.\n- Reports of insecure SSL/TLS ciphers or outdated certificates.\n- Reports of insecure DNS and server configurations (e.g. open ports).\n- Credentials that have been posted on the Internet (e.g., the Darknet, Telegram, etc.)\n- Vulnerabilities affecting users of outdated browsers, plug-ins, or platforms.\n- Password, email and account policies.\n- Presence/absence of DKIM/SPF/DMARC records.\n- CSP (Content-Security-Policy) issues.\n- Issues related to software or protocols not under Dynatrace’s control.\n\n# Legal\n\nIn connection with your participation in this program, you agree to comply with all applicable laws and regulations.  \n\nYou may not participate in this program if you are subject to sanctions by the United States, the United Kingdom, or the European Union.  You also may not participate if you are a resident or an individual located in a country that is subject to comprehensive or near-comprehensive sanctions (Cuba, Iran, North Korea, Syria, Russia, Belarus, Venezuela, and the Crimea, Donetsk People’s Republic, and Luhansk People’s Republic regions of Ukraine).  \n\nYou may not adversely impact confidentiality, integrity, or availability of data or services belonging to Dynatrace, its customers, or suppliers.  
This includes: (i) disrupting or degrading Dynatrace’s products and service to its customers; (ii) modifying or corrupting Dynatrace programs or data to extract and publish information; and (iii) extracting or publishing data belonging to Dynatrace customers.\n\nVulnerabilities obtained by exploiting Dynatrace employees, customers, or suppliers, or by otherwise violating these guidelines, are not eligible for a bounty and will result in immediate disqualification from the program.\n\nDynatrace reserves the right to discontinue this reward program and to change its terms at any time without prior notification. All decisions regarding reward payments are final. The rules of this reward program or any communication related thereto do not provide or imply any obligations to Dynatrace of any kind.\n\nDynatrace’s collection, processing, and use of your information is described in [Dynatrace Privacy Notice.](https://www.dynatrace.com/company/trust-center/privacy/)\n\nThank you for helping keep Dynatrace and our customers safe!\n\n\n---\n\n​\n\n# Useful tips for the setup\n\n## Getting Started\nHere is some documentation that we also provide to our external penetration testers. The following PDF files are intended to give you a brief overview of our product and help you get started. Additionally, we’ve included several attack scenarios that we believe are particularly relevant and worth exploring.\n- {F4458020}\n- {F4458021}\n\n## OneAgent\nTo test all functions of Dynatrace we recommend that you install a Dynatrace OneAgent on a test environment. OneAgent is responsible for collecting all monitoring data within your monitored environment. This way you can see some data in your environment. \n\nYou can find further installation instructions on our [support page](https://www.dynatrace.com/support/help/setup-and-configuration/dynatrace-oneagent/installation-and-operation). 
\n\n## EasyTravel \u0026 EasyTrade\nEasyTravel \u0026 EasyTrade are demo applications which can help you to generate test data. Install it on the environment where you installed the OneAgent.\n\nHere are some links that contain more detailed instructions \u0026 download links: \n- [EasyTravel installation, download \u0026 integration](https://community.dynatrace.com/t5/Start-with-Dynatrace/easyTravel-Documentation-and-Download/m-p/181271)\n- [EasyTravel docker installation](https://github.com/Dynatrace/easyTravel-Docker)\n- [EasyTrade installation \u0026 download](https://github.com/Dynatrace/easytrade)\n- [How to integrate EasyTrade into your testing environment](https://docs.dynatrace.com/docs/platform-modules/business-analytics/ba-end-to-end-use-case)\n\n*Please keep in mind that EasyTravel \u0026 EasyTrade are out of scope of this program!*\n\n## ActiveGate\nActiveGate is a secure proxy that connects Dynatrace OneAgents to Dynatrace Clusters or other ActiveGates. It simplifies network interactions, reduces complexity and cost, and performs monitoring tasks for different technologies.\n\nFor more information, visit the [ActiveGate documentation](https://www.dynatrace.com/support/help/setup-and-configuration/dynatrace-activegate), or refer to the [installation guide](https://www.dynatrace.com/support/help/setup-and-configuration/dynatrace-activegate/installation).\n\n\n## How to access your 2nd gen environment\nIf you haven't requested your testing environment yet, please do so. You can find detailed instructions at the top of our Policy page. Once you have requested your testing environment, you will be redirected to the latest version of our product, the Dynatrace Platform (3rd gen). This serves as your default testing environment. 
While we continue to support the older 2nd gen version with regular updates and patches, new customers will be onboarded to the Dynatrace Platform.\n\nBy default, you will be automatically redirected from your 2nd to your 3rd gen environment. You can disable this redirection by following these steps: \n1. Access your Dynatrace Platform environment: `*.sprint.apps.dynatracelabs.com`\n2. Click on the account icon at the bottom left of your Platform (3rd gen) environment.\n3. Switch off the \"Latest Dynatrace\" flag.\n4. You'll be redirected to your 2nd gen environment.\n5. To return to your Platform (3rd gen) environment, simply navigate back using the direct URL.\n\n{F2960757}\n\nIf you have any questions or this doesn't work for you, please reach out to bugbounty@dynatrace.com\n\n## Mobile Agent\nWith Dynatrace, it is also possible to monitor mobile applications for Android and iOS. The setup process is different as it involves compiling, packaging and shipping a monitoring library together with your own mobile application package.\n\nYou can find information on how to do this on our support page: \n- [Android](https://www.dynatrace.com/support/help/platform-modules/digital-experience/mobile-applications/instrument-android-app)\n- [iOS](https://www.dynatrace.com/support/help/platform-modules/digital-experience/mobile-applications/instrument-ios-app)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-04-23T11:02:26.053Z"},{"id":3773038,"new_policy":"# How to get your testing environment\nTo get your testing environment, follow these steps:\n\n1. Visit this link: [https://www.dynatrace.com/signup/hackerone/](https://www.dynatrace.com/signup/hackerone/)\n2. Use your @wearehackerone.com email address for registration.\n3. 
You're allowed to sign up multiple times if needed, but please keep your testing accounts to a minimum. \n4. Each testing account you set up will be active for three months.\n5. If you have any questions, feel free to contact us at [bugbounty@dynatrace.com](mailto:bugbounty@dynatrace.com). Please reach out before engaging in any conduct that may be inconsistent with or unaddressed by these guidelines.\n\n# Program Rules\n- If you have any questions, please reach out to bugbounty@dynatrace.com.\n- Only use the account you have requested via our HackerOne signup. \n- Don't cause any privacy violations, destruction of data (excluding test data), degradation or disruption of Dynatrace services. \n- Don't cause any adverse impact to Dynatrace customers or suppliers. \n- Don’t bulk create additional accounts within MyAccount (our account management portal). Only create a small number of accounts with different permissions to test privilege escalation.\n- Create a report on HackerOne for each vulnerability, unless exploitation works only by chaining multiple vulnerabilities together. \n- Explain your finding in as much detail as possible. Use screenshots or a screen recording to demonstrate your proof-of-concept.\n- Current and former employees of Dynatrace are not eligible to participate in the program.\n- Dynatrace retains sole discretion on whether to designate a report as duplicate or not applicable. Dynatrace will do its best to explain in each case why the report is not eligible for a reward. \n\n# Eligibility and Responsible Disclosure\n\nIn connection with your participation in this program, you agree to comply with all applicable laws and regulations. \n\nYou may not participate in this program if you are subject to sanctions by the United States, European Union, or United Kingdom.  
You also may not participate if you are a resident or an individual located in a country that is subject to comprehensive or near-comprehensive sanctions (Cuba, Iran, North Korea, Syria, Russia, Belarus, Venezuela, and the Crimea, Donetsk People’s Republic, and Luhansk People’s Republic regions of Ukraine). \n\nWe will only reward the first person to responsibly report a vulnerability to us. Any vulnerabilities that are publicly disclosed without providing a reasonable amount of time for Dynatrace to respond will not be rewarded. You must report a qualifying vulnerability through the HackerOne reporting tool to be eligible for a reward.\n\nPlease make sure to have read [HackerOne’s vulnerability disclosure guidelines](https://www.hackerone.com/disclosure-guidelines) before you start participating in the Dynatrace bug bounty program.\n\n# Exclusions\n\nDo not engage in the following: \n- Denial of Service attacks\n- Unauthorized account access (including through credentials that have been published on the internet, such as on the Darknet or Telegram). \n- The use of automated tools to generate significant traffic (apart from easyTravel \u0026 easyTrade, which are mentioned under Setup), which may affect the availability of our platform. \n- Spamming\n- Social engineering (including phishing) against Dynatrace, its customers, or suppliers. \n- Any physical action against property or data centers used by Dynatrace, its customers, or suppliers\n- Subdomain Takeovers\n\nReports that solely indicate a lack of possible security defenses are excluded from this program.  This includes:\n- Lack of CSRF tokens (unless you provide evidence of an actual sensitive user action that isn’t protected by a token).\n - CSRF attacks that are performed in the same session and browser window as the captured forms. 
Please note: Before you submit a CSRF vulnerability, please confirm that it can be reproduced after you log out, restart the browser, and log in again.\n- Login and logout CSRF.\n- Missing HTTP security headers that don’t directly contribute to a vulnerability.\n- Host header injections (we require evidence showing how these can lead to the theft of user data).\n- Absence of best practices (unless evidence of a security vulnerability is demonstrated).\n- Self-XSS (we require evidence showing how XSS can be used to attack another user).\n- Missing flags on non-sensitive cookies.\n- Reports from automated tools or vulnerability scanners.\n- Reports of insecure SSL/TLS ciphers or outdated certificates.\n- Reports of insecure DNS and server configurations (e.g. open ports).\n- Credentials that have been posted on the Internet (e.g., the Darknet, Telegram, etc.)\n- Vulnerabilities affecting users of outdated browsers, plug-ins, or platforms.\n- Password, email and account policies.\n- Presence/absence of DKIM/SPF/DMARC records.\n- CSP (Content-Security-Policy) issues.\n- Issues related to software or protocols not under Dynatrace’s control.\n\n# Legal\n\nIn connection with your participation in this program, you agree to comply with all applicable laws and regulations.  \n\nYou may not participate in this program if you are subject to sanctions by the United States, the United Kingdom, or the European Union.  You also may not participate if you are a resident or an individual located in a country that is subject to comprehensive or near-comprehensive sanctions (Cuba, Iran, North Korea, Syria, Russia, Belarus, Venezuela, and the Crimea, Donetsk People’s Republic, and Luhansk People’s Republic regions of Ukraine).  \n\nYou may not adversely impact confidentiality, integrity, or availability of data or services belonging to Dynatrace, its customers, or suppliers.  
This includes: (i) disrupting or degrading Dynatrace’s products and service to its customers; (ii) modifying or corrupting Dynatrace programs or data to extract and publish information; and (iii) extracting or publishing data belonging to Dynatrace customers.\n\nVulnerabilities obtained by exploiting Dynatrace employees, customers, or suppliers, or by otherwise violating these guidelines, are not eligible for a bounty and will result in immediate disqualification from the program.\n\nDynatrace reserves the right to discontinue this reward program and to change its terms at any time without prior notification. All decisions regarding reward payments are final. The rules of this reward program or any communication related thereto do not provide or imply any obligations to Dynatrace of any kind.\n\nDynatrace’s collection, processing, and use of your information is described in the [Dynatrace Privacy Notice](https://www.dynatrace.com/company/trust-center/privacy/).\n\nThank you for helping keep Dynatrace and our customers safe!\n\n\n# Useful tips for the setup\n\n---\n\n## Getting Started\nHere is some documentation that we also provide to our external penetration testers. The following PDF files are intended to give you a brief overview of our product and help you get started. Additionally, we’ve included several attack scenarios that we believe are particularly relevant and worth exploring.\n- {F4458020}\n- {F4458021}\n\n## OneAgent\nTo test all functions of Dynatrace we recommend that you install a Dynatrace OneAgent on a test environment. OneAgent is responsible for collecting all monitoring data within your monitored environment. This way you can see some data in your environment. \n\nYou can find further installation instructions on our [support page](https://www.dynatrace.com/support/help/setup-and-configuration/dynatrace-oneagent/installation-and-operation). 
\n\n## EasyTravel \u0026 EasyTrade\nEasyTravel \u0026 EasyTrade are demo applications which can help you to generate test data. Install them on the environment where you installed the OneAgent.\n\nHere are some links that contain more detailed instructions \u0026 download links: \n- [EasyTravel installation, download \u0026 integration](https://community.dynatrace.com/t5/Start-with-Dynatrace/easyTravel-Documentation-and-Download/m-p/181271)\n- [EasyTravel docker installation](https://github.com/Dynatrace/easyTravel-Docker)\n- [EasyTrade installation \u0026 download](https://github.com/Dynatrace/easytrade)\n- [How to integrate EasyTrade into your testing environment](https://docs.dynatrace.com/docs/platform-modules/business-analytics/ba-end-to-end-use-case)\n\n*Please keep in mind that EasyTravel \u0026 EasyTrade are out of scope of this program!*\n\n## ActiveGate\nActiveGate is a secure proxy that connects Dynatrace OneAgents to Dynatrace Clusters or other ActiveGates. It simplifies network interactions, reduces complexity and cost, and performs monitoring tasks for different technologies.\n\nTo read more about ActiveGates, have a look at our [support page](https://www.dynatrace.com/support/help/setup-and-configuration/dynatrace-activegate). \nYou can find detailed instructions on how to install and use an ActiveGate [here](https://www.dynatrace.com/support/help/setup-and-configuration/dynatrace-activegate/installation). \n\n\n## How to access your 2nd gen environment\nIf you haven't requested your testing environment yet, please do so. You can find detailed instructions at the top of our Policy page. \nOnce you have requested your testing environment, you will be redirected to the latest version of our product, the Dynatrace Platform (3rd gen). This serves as your default testing environment. 
While we continue to support the older 2nd gen version with regular updates and patches, new customers will be onboarded to the Dynatrace Platform.\n\nIf the following steps are not done, you will be automatically redirected from your 2nd to your 3rd gen environment. With the following steps this redirection will be disabled: \n1. Access your Dynatrace Platform environment: \\*.sprint.apps.dynatracelabs.com\n2. Click on the account icon at the bottom left of your Platform (3rd gen) environment.\n3. Switch off the \"latest Dynatrace\" flag.\n4. You'll be redirected to your 2nd gen environment.\n5. To return to your Platform (3rd gen) environment, simply navigate back using the direct URL.\n\n{F2960757}\n\nIf you have any questions or this doesn't work for you, please reach out to bugbounty@dynatrace.com\n\n## Mobile Agent\nWith Dynatrace, it is also possible to monitor mobile applications for Android and iOS. The setup process is different as it involves compiling, packaging and shipping a monitoring library together with your own mobile application package.\n\nYou can find information on how to do this on our support page: \n- [Android](https://www.dynatrace.com/support/help/platform-modules/digital-experience/mobile-applications/instrument-android-app)\n- [iOS](https://www.dynatrace.com/support/help/platform-modules/digital-experience/mobile-applications/instrument-ios-app)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-04-23T09:31:24.098Z"},{"id":3773037,"new_policy":"# How to get your testing environment\nTo get your testing environment, follow these steps:\n\n1. Visit this link: [https://www.dynatrace.com/signup/hackerone/](https://www.dynatrace.com/signup/hackerone/)\n2. 
Use your @wearehackerone.com email address for registration.\n3. You're allowed to sign up multiple times if needed, but please keep your testing accounts to a minimum. \n4. Each testing account you set up will be active for three months.\n5. If you have any questions, feel free to contact us at [bugbounty@dynatrace.com](mailto:bugbounty@dynatrace.com). Please reach out before engaging in any conduct that may be inconsistent with or unaddressed by these guidelines.\n\n# Program Rules\n- If you have any questions, please reach out to bugbounty@dynatrace.com\n- Only use the account you have requested via our HackerOne signup. \n- Don't cause any privacy violations, destruction of data (excluding test data), degradation or disruption of Dynatrace services. \n- Don't cause any adverse impact to Dynatrace customers or suppliers. \n- Don’t bulk create additional accounts within MyAccount (our account management portal). Only create a small number of accounts with different permissions to test privilege escalation.\n- Create a report on HackerOne for each vulnerability, unless exploitation works only by chaining multiple vulnerabilities together. \n- Explain your finding in as much detail as possible. Use screenshots or a screen recording to demonstrate your proof-of-concept.\n- Current and former employees of Dynatrace are not eligible to participate in the program.\n- Dynatrace retains sole discretion on whether to designate a report as duplicate or not applicable. Dynatrace will do its best to explain in each case why the report is not eligible for a reward. \n\n# Eligibility and Responsible Disclosure\n\nIn connection with your participation in this program, you agree to comply with all applicable laws and regulations. \n\nYou may not participate in this program if you are subject to sanctions by the United States, European Union, or United Kingdom.  
You also may not participate if you are a resident or an individual located in a country that is subject to comprehensive or near-comprehensive sanctions (Cuba, Iran, North Korea, Syria, Russia, Belarus, Venezuela, and the Crimea, Donetsk People’s Republic, and Luhansk People’s Republic regions of Ukraine). \n\nWe will only reward the first person to responsibly report a vulnerability to us. Any vulnerabilities that are publicly disclosed without providing a reasonable amount of time for Dynatrace to respond will not be rewarded. You must report a qualifying vulnerability through the HackerOne reporting tool to be eligible for a reward.\n\nPlease make sure to have read [HackerOne’s vulnerability disclosure guidelines](https://www.hackerone.com/disclosure-guidelines) before you start participating in the Dynatrace bug bounty program.\n\n# Exclusions\n\nDo not engage in the following: \n- Denial of Service attacks\n- Unauthorized account access (including through credentials that have been published on the internet, such as on the Darknet or Telegram). \n- The use of automated tools to generate significant traffic (apart from easyTravel \u0026 easyTrade, which are mentioned under Setup), which may affect the availability of our platform. \n- Spamming\n- Social engineering (including phishing) against Dynatrace, its customers, or suppliers. \n- Any physical action against property or data centers used by Dynatrace, its customers, or suppliers\n- Subdomain Takeovers\n\nReports that solely indicate a lack of possible security defenses are excluded from this program.  This includes:\n- Lack of CSRF tokens (unless you provide evidence of an actual sensitive user action that isn’t protected by a token).\n - CSRF attacks that are performed in the same session and browser window as the captured forms. 
Please note: Before you submit a CSRF vulnerability, please confirm that it can be reproduced after you log out, restart the browser, and log in again.\n- Login and logout CSRF.\n- Missing HTTP security headers that don’t directly contribute to a vulnerability.\n- Host header injections (we require evidence showing how these can lead to the theft of user data).\n- Absence of best practices (unless evidence of a security vulnerability is demonstrated).\n- Self-XSS (we require evidence showing how XSS can be used to attack another user).\n- Missing flags on non-sensitive cookies.\n- Reports from automated tools or vulnerability scanners.\n- Reports of insecure SSL/TLS ciphers or outdated certificates.\n- Reports of insecure DNS and server configurations (e.g. open ports).\n- Credentials that have been posted on the Internet (e.g., the Darknet, Telegram, etc.)\n- Vulnerabilities affecting users of outdated browsers, plug-ins, or platforms.\n- Password, email and account policies.\n- Presence/absence of DKIM/SPF/DMARC records.\n- CSP (Content-Security-Policy) issues.\n- Issues related to software or protocols not under Dynatrace’s control.\n\n# Legal\n\nIn connection with your participation in this program, you agree to comply with all applicable laws and regulations.  \n\nYou may not participate in this program if you are subject to sanctions by the United States, the United Kingdom, or the European Union.  You also may not participate if you are a resident or an individual located in a country that is subject to comprehensive or near-comprehensive sanctions (Cuba, Iran, North Korea, Syria, Russia, Belarus, Venezuela, and the Crimea, Donetsk People’s Republic, and Luhansk People’s Republic regions of Ukraine).  \n\nYou may not adversely impact confidentiality, integrity, or availability of data or services belonging to Dynatrace, its customers, or suppliers.  
This includes: (i) disrupting or degrading Dynatrace’s products and service to its customers; (ii) modifying or corrupting Dynatrace programs or data to extract and publish information; and (iii) extracting or publishing data belonging to Dynatrace customers.\n\nVulnerabilities obtained by exploiting Dynatrace employees, customers, or suppliers, or by otherwise violating these guidelines, are not eligible for a bounty and will result in immediate disqualification from the program.\n\nDynatrace reserves the right to discontinue this reward program and to change its terms at any time without prior notification. All decisions regarding reward payments are final. The rules of this reward program or any communication related thereto do not provide or imply any obligations to Dynatrace of any kind.\n\nDynatrace’s collection, processing, and use of your information is described in the [Dynatrace Privacy Notice](https://www.dynatrace.com/company/trust-center/privacy/).\n\nThank you for helping keep Dynatrace and our customers safe!\n\n# Useful tips for the setup\n\n### Getting Started\nHere is some documentation that we also provide to our external penetration testers. The following PDF files are intended to give you a brief overview of our product and help you get started. Additionally, we’ve included several attack scenarios that we believe are particularly relevant and worth exploring.\n- {F4458020}\n- {F4458021}\n\n### OneAgent\nTo test all functions of Dynatrace we recommend that you install a Dynatrace OneAgent on a test environment. OneAgent is responsible for collecting all monitoring data within your monitored environment. This way you can see some data in your environment. \n\nYou can find further installation instructions on our [support page](https://www.dynatrace.com/support/help/setup-and-configuration/dynatrace-oneagent/installation-and-operation). 
\n\n### EasyTravel \u0026 EasyTrade\nEasyTravel \u0026 EasyTrade are demo applications which can help you to generate test data. Install them on the environment where you installed the OneAgent.\n\nHere are some links that contain more detailed instructions \u0026 download links: \n- EasyTravel installation, download \u0026 integration:\n   https://community.dynatrace.com/t5/Start-with-Dynatrace/easyTravel-Documentation-and-Download/m-p/181271\n- EasyTravel docker installation: https://github.com/Dynatrace/easyTravel-Docker\n- EasyTrade installation \u0026 download: https://github.com/Dynatrace/easytrade\n- How to integrate EasyTrade into your testing environment: https://docs.dynatrace.com/docs/platform-modules/business-analytics/ba-end-to-end-use-case\n\n*Please keep in mind that EasyTravel \u0026 EasyTrade are out of scope of this program!*\n\n### ActiveGate\nActiveGate is a secure proxy that connects Dynatrace OneAgents to Dynatrace Clusters or other ActiveGates. It simplifies network interactions, reduces complexity and cost, and performs monitoring tasks for different technologies.\n\nTo read more about ActiveGates, have a look at our [support page](https://www.dynatrace.com/support/help/setup-and-configuration/dynatrace-activegate). \nYou can find detailed instructions on how to install and use an ActiveGate [here](https://www.dynatrace.com/support/help/setup-and-configuration/dynatrace-activegate/installation). \n\n\n### How to access your 2nd gen environment\nIf you haven't requested your testing environment yet, please do so. You can find detailed instructions at the top of our Policy page. \nOnce you have requested your testing environment, you will be redirected to the latest version of our product, the Dynatrace Platform (3rd gen). This serves as your default testing environment. 
While we continue to support the older 2nd gen version with regular updates and patches, new customers will be onboarded to the Dynatrace Platform.\n\nIf the following steps are not done, you will be automatically redirected from your 2nd to your 3rd gen environment. With the following steps this redirection will be disabled: \n1. Access your Dynatrace Platform environment: \\*.sprint.apps.dynatracelabs.com\n2. Click on the account icon at the bottom left of your Platform (3rd gen) environment.\n3. Switch off the \"latest Dynatrace\" flag.\n4. You'll be redirected to your 2nd gen environment.\n5. To return to your Platform (3rd gen) environment, simply navigate back using the direct URL.\n\n{F2960757}\n\nIf you have any questions or this doesn't work for you, please reach out to bugbounty@dynatrace.com\n\n### Mobile Agent\nWith Dynatrace, it is also possible to monitor mobile applications for Android and iOS. The setup process is different as it involves compiling, packaging and shipping a monitoring library together with your own mobile application package.\n\nYou can find information on how to do this on our support page: \n- [Android](https://www.dynatrace.com/support/help/platform-modules/digital-experience/mobile-applications/instrument-android-app)\n- [iOS](https://www.dynatrace.com/support/help/platform-modules/digital-experience/mobile-applications/instrument-ios-app)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-04-23T09:25:07.076Z"},{"id":3757576,"new_policy":"# How to get your testing environment\nTo get your testing environment, follow these steps:\n\n1. Visit this link: [https://www.dynatrace.com/signup/hackerone/](https://www.dynatrace.com/signup/hackerone/)\n2. 
Use your @wearehackerone.com email address for registration.\n3. You're allowed to sign up multiple times if needed, but please keep your testing accounts to a minimum. \n4. Each testing account you set up will be active for three months.\n5. If you have any questions, feel free to contact us at [bugbounty@dynatrace.com](mailto:bugbounty@dynatrace.com). Please reach out before engaging in any conduct that may be inconsistent with or unaddressed by these guidelines.\n\n# Program Rules\n- If you have any questions, please reach out to bugbounty@dynatrace.com\n- Only use the account you have requested via our HackerOne signup. \n- Don't cause any privacy violations, destruction of data (excluding test data), degradation or disruption of Dynatrace services. \n- Don't cause any adverse impact to Dynatrace customers or suppliers. \n- Don’t bulk create additional accounts within MyAccount (our account management portal). Only create a small number of accounts with different permissions to test privilege escalation.\n- Create a report on HackerOne for each vulnerability, unless exploitation works only by chaining multiple vulnerabilities together. \n- Explain your finding in as much detail as possible. Use screenshots or a screen recording to demonstrate your proof-of-concept.\n- Current and former employees of Dynatrace are not eligible to participate in the program.\n- Dynatrace retains sole discretion on whether to designate a report as duplicate or not applicable. Dynatrace will do its best to explain in each case why the report is not eligible for a reward. \n\n# Eligibility and Responsible Disclosure\n\nIn connection with your participation in this program, you agree to comply with all applicable laws and regulations. \n\nYou may not participate in this program if you are subject to sanctions by the United States, European Union, or United Kingdom.  
You also may not participate if you are a resident or an individual located in a country that is subject to comprehensive or near-comprehensive sanctions (Cuba, Iran, North Korea, Syria, Russia, Belarus, Venezuela, and the Crimea, Donetsk People’s Republic, and Luhansk People’s Republic regions of Ukraine). \n\nWe will only reward the first person to responsibly report a vulnerability to us. Any vulnerabilities that are publicly disclosed without providing a reasonable amount of time for Dynatrace to respond will not be rewarded. You must report a qualifying vulnerability through the HackerOne reporting tool to be eligible for a reward.\n\nPlease make sure to have read [HackerOne’s vulnerability disclosure guidelines](https://www.hackerone.com/disclosure-guidelines) before you start participating in the Dynatrace bug bounty program.\n\n# Exclusions\n\nDo not engage in the following: \n- Denial of Service attacks\n- Unauthorized account access (including through credentials that have been published on the internet, such as on the Darknet or Telegram). \n- The use of automated tools to generate significant traffic (apart from easyTravel \u0026 easyTrade, which are mentioned under Setup), which may affect the availability of our platform. \n- Spamming\n- Social engineering (including phishing) against Dynatrace, its customers, or suppliers. \n- Any physical action against property or data centers used by Dynatrace, its customers, or suppliers\n- Subdomain Takeovers\n\nReports that solely indicate a lack of possible security defenses are excluded from this program.  This includes:\n- Lack of CSRF tokens (unless you provide evidence of an actual sensitive user action that isn’t protected by a token).\n - CSRF attacks that are performed in the same session and browser window as the captured forms. 
Please note: Before you submit a CSRF vulnerability, please confirm that it can be reproduced after you log out, restart the browser, and log in again.\n- Login and logout CSRF.\n- Missing HTTP security headers that don’t directly contribute to a vulnerability.\n- Host header injections (we require evidence showing how these can lead to the theft of user data).\n- Absence of best practices (unless evidence of a security vulnerability is demonstrated).\n- Self-XSS (we require evidence showing how XSS can be used to attack another user).\n- Missing flags on non-sensitive cookies.\n- Reports from automated tools or vulnerability scanners.\n- Reports of insecure SSL/TLS ciphers or outdated certificates.\n- Reports of insecure DNS and server configurations (e.g. open ports).\n- Credentials that have been posted on the Internet (e.g., the Darknet, Telegram, etc.)\n- Vulnerabilities affecting users of outdated browsers, plug-ins, or platforms.\n- Password, email and account policies.\n- Presence/absence of DKIM/SPF/DMARC records.\n- CSP (Content-Security-Policy) issues.\n- Issues related to software or protocols not under Dynatrace’s control.\n\n# Legal\n\nIn connection with your participation in this program, you agree to comply with all applicable laws and regulations.  \n\nYou may not participate in this program if you are subject to sanctions by the United States, the United Kingdom, or the European Union.  You also may not participate if you are a resident or an individual located in a country that is subject to comprehensive or near-comprehensive sanctions (Cuba, Iran, North Korea, Syria, Russia, Belarus, Venezuela, and the Crimea, Donetsk People’s Republic, and Luhansk People’s Republic regions of Ukraine).  \n\nYou may not adversely impact confidentiality, integrity, or availability of data or services belonging to Dynatrace, its customers, or suppliers.  
This includes: (i) disrupting or degrading Dynatrace’s products and service to its customers; (ii) modifying or corrupting Dynatrace programs or data to extract and publish information; and (iii) extracting or publishing data belonging to Dynatrace customers.\n\nVulnerabilities obtained by exploiting Dynatrace employees, customers, or suppliers, or by otherwise violating these guidelines, are not eligible for a bounty and will result in immediate disqualification from the program.\n\nDynatrace reserves the right to discontinue this reward program and to change its terms at any time without prior notification. All decisions regarding reward payments are final. The rules of this reward program or any communication related thereto do not provide or imply any obligations to Dynatrace of any kind.\n\nDynatrace’s collection, processing, and use of your information is described in the [Dynatrace Privacy Notice](https://www.dynatrace.com/company/trust-center/privacy/).\n\nThank you for helping keep Dynatrace and our customers safe!\n\n# Useful tips for the setup\n\n### Getting Started\nHere is some documentation that we also provide to our external penetration testers. The following PDF files are intended to give you a brief overview of our product and help you get started. Additionally, we’ve included several attack scenarios that we believe are particularly relevant and worth exploring.\n- {F4458020}\n- {F4458021}\n\n### OneAgent\nTo test all functions of Dynatrace we recommend that you install a Dynatrace OneAgent on a test environment. OneAgent is responsible for collecting all monitoring data within your monitored environment. This way you can see some data in your environment. \n\nYou can find further installation instructions on our [support page](https://www.dynatrace.com/support/help/setup-and-configuration/dynatrace-oneagent/installation-and-operation). 
\n\n### EasyTravel \u0026 EasyTrade\nEasyTravel \u0026 EasyTrade are demo applications which can help you to generate test data. Install them on the environment where you installed the OneAgent.\n\nHere are some links that contain more detailed instructions \u0026 download links: \n- EasyTravel installation, download \u0026 integration: https://community.dynatrace.com/t5/Start-with-Dynatrace/easyTravel-Documentation-and-Download/m-p/181271\n- EasyTravel docker installation: https://github.com/Dynatrace/easyTravel-Docker\n- EasyTrade installation \u0026 download: https://github.com/Dynatrace/easytrade\n- How to integrate EasyTrade into your testing environment: https://docs.dynatrace.com/docs/platform-modules/business-analytics/ba-end-to-end-use-case\n\n*Please keep in mind that EasyTravel \u0026 EasyTrade are out of scope of this program!*\n\n### ActiveGate\nActiveGate is a secure proxy that connects Dynatrace OneAgents to Dynatrace Clusters or other ActiveGates. It simplifies network interactions, reduces complexity and cost, and performs monitoring tasks for different technologies.\n\nTo read more about ActiveGates, have a look at our [support page](https://www.dynatrace.com/support/help/setup-and-configuration/dynatrace-activegate). \nYou can find detailed instructions on how to install and use an ActiveGate [here](https://www.dynatrace.com/support/help/setup-and-configuration/dynatrace-activegate/installation). \n\n\n### How to access your 2nd gen environment\nIf you haven't requested your testing environment yet, please do so. You can find detailed instructions at the top of our Policy page. \nOnce you have requested your testing environment, you will be redirected to the latest version of our product, the Dynatrace Platform (3rd gen). This serves as your default testing environment. 
While we continue to support the older 2nd gen version with regular updates and patches, new customers will be onboarded to the Dynatrace Platform.\n\nIf the following steps are not done, you will be automatically redirected from your 2nd to your 3rd gen environment. With the following steps this redirection will be disabled: \n1. Access your Dynatrace Platform environment: \\*.sprint.apps.dynatracelabs.com\n2. Click on the account icon at the bottom left of your Platform (3rd gen) environment.\n3. Switch off the \"latest Dynatrace\" flag.\n4. You'll be redirected to your 2nd gen environment.\n5. To return to your Platform (3rd gen) environment, simply navigate back using the direct URL.\n\n{F2960757}\n\nIf you have any questions or this doesn't work for you, please reach out to bugbounty@dynatrace.com\n\n### Mobile Agent\nWith Dynatrace, it is also possible to monitor mobile applications for Android and iOS. The setup process is different as it involves compiling, packaging and shipping a monitoring library together with your own mobile application package.\n\nYou can find information on how to do this on our support page: \n- [Android](https://www.dynatrace.com/support/help/platform-modules/digital-experience/mobile-applications/instrument-android-app)\n- [iOS](https://www.dynatrace.com/support/help/platform-modules/digital-experience/mobile-applications/instrument-ios-app)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-06-16T09:16:17.535Z"},{"id":3754321,"new_policy":"# How to get your testing environment\nTo get your testing environment, follow these steps:\n\n1. Visit this link: [https://www.dynatrace.com/signup/hackerone/](https://www.dynatrace.com/signup/hackerone/)\n2. 
Use your @wearehackerone.com email address for registration.\n3. You're allowed to sign up multiple times if needed, but please keep your testing accounts to a minimum. \n4. Each testing account you set up will be active for three months.\n5. If you have any questions, feel free to contact us at [bugbounty@dynatrace.com](mailto:bugbounty@dynatrace.com). Please reach out before engaging in any conduct that may be inconsistent with or unaddressed by these guidelines.\n\n# Program Rules\n- If you have any questions, please reach out to bugbounty@dynatrace.com\n- Only use the account you have requested via our HackerOne signup. \n- Don't cause any privacy violations, destruction of data (excluding test data), degradation or disruption of Dynatrace services. \n- Don't cause any adverse impact to Dynatrace customers or suppliers. \n- Don’t bulk create additional accounts within MyAccount (our account management portal). Only create a small number of accounts with different permissions to test privilege escalation.\n- Create a report on HackerOne for each vulnerability, unless exploitation works only by chaining multiple vulnerabilities together. \n- Explain your finding in as much detail as possible. Use screenshots or a screen recording to demonstrate your proof-of-concept.\n- Current and former employees of Dynatrace are not eligible to participate in the program.\n- Dynatrace retains sole discretion on whether to designate a report as duplicate or not applicable. Dynatrace will do its best to explain in each case why the report is not eligible for a reward. \n\n# Eligibility and Responsible Disclosure\n\nIn connection with your participation in this program, you agree to comply with all applicable laws and regulations. \n\nYou may not participate in this program if you are subject to sanctions by the United States, European Union, or United Kingdom.  
You also may not participate if you are a resident or an individual located in a country that is subject to comprehensive or near-comprehensive sanctions (Cuba, Iran, North Korea, Syria, Russia, Belarus, Venezuela, and the Crimea, Donetsk People’s Republic, and Luhansk People’s Republic regions of Ukraine). \n\nWe will only reward the first person to responsibly report a vulnerability to us. Any vulnerabilities that are publicly disclosed without providing a reasonable amount of time for Dynatrace to respond will not be rewarded. You must report a qualifying vulnerability through the HackerOne reporting tool to be eligible for a reward.\n\nPlease make sure to have read [HackerOne’s vulnerability disclosure guidelines](https://www.hackerone.com/disclosure-guidelines) before you start participating in the Dynatrace bug bounty program.\n\n# Exclusions\n\nDo not engage in the following: \n- Denial of Service attacks\n- Unauthorized account access (including through credentials that have been published on the internet, such as on the Darknet or Telegram). \n- The use of automated tools to generate significant traffic (apart from easyTravel \u0026 easyTrade, which are mentioned under Setup), which may affect the availability of our platform. \n- Spamming\n- Social engineering (including phishing) against Dynatrace, its customers, or suppliers. \n- Any physical action against property or data centers used by Dynatrace, its customers, or suppliers\n- Subdomain Takeovers\n\nReports that solely indicate a lack of possible security defenses are excluded from this program.  This includes:\n- Lack of CSRF tokens (unless you provide evidence of an actual sensitive user action that isn’t protected by a token).\n - CSRF attacks that are performed in the same session and browser window as the captured forms. 
Please note: Before you submit a CSRF vulnerability, please confirm that it can be reproduced after you log out, restart the browser, and log in again.\n- Login and logout CSRF.\n- Missing HTTP security headers that don’t directly contribute to a vulnerability.\n- Host header injections (we require evidence showing how these can lead to the theft of user data).\n- Absence of best practices (unless evidence of a security vulnerability is demonstrated).\n- Self-XSS (we require evidence showing how XSS can be used to attack another user).\n- Missing flags on non-sensitive cookies.\n- Reports from automated tools or vulnerability scanners.\n- Reports of insecure SSL/TLS ciphers or outdated certificates.\n- Reports of insecure DNS and server configurations (e.g. open ports).\n- Credentials that have been posted on the Internet (e.g., the Darknet, Telegram, etc.)\n- Vulnerabilities affecting users of outdated browsers, plug-ins, or platforms.\n- Password, email and account policies.\n- Presence/absence of DKIM/SPF/DMARC records.\n- CSP (Content-Security-Policy) issues.\n- Issues related to software or protocols not under Dynatrace’s control.\n\n# Legal\n\nIn connection with your participation in this program, you agree to comply with all applicable laws and regulations.  \n\nYou may not participate in this program if you are subject to sanctions by the United States, the United Kingdom, or the European Union.  You also may not participate if you are a resident or an individual located in a country that is subject to comprehensive or near-comprehensive sanctions (Cuba, Iran, North Korea, Syria, Russia, Belarus, Venezuela, and the Crimea, Donetsk People’s Republic, and Luhansk People’s Republic regions of Ukraine).  \n\nYou may not adversely impact confidentiality, integrity, or availability of data or services belonging to Dynatrace, its customers, or suppliers.  
This includes: (i) disrupting or degrading Dynatrace’s products and service to its customers; (ii) modifying or corrupting Dynatrace programs or data to extract and publish information; and (iii) extracting or publishing data belonging to Dynatrace customers.\n\nVulnerabilities obtained by exploiting Dynatrace employees, customers, or suppliers, or by otherwise violating these guidelines, are not eligible for a bounty and will result in immediate disqualification from the program.\n\nDynatrace reserves the right to discontinue this reward program and to change its terms at any time without prior notification. All decisions regarding reward payments are final. The rules of this reward program or any communication related there do not provide or imply any obligations to Dynatrace of any kind.\n\nDynatrace’s collection, processing, and use of your information is described in [Dynatrace Privacy Notice.](https://www.dynatrace.com/company/trust-center/privacy/)\n\nThank you for helping keep Dynatrace and our customers safe!\n\n# Useful tips for the setup\n\n### OneAgent\nTo test all functions of Dynatrace we recommend that you install a Dynatrace OneAgent on a test environment. OneAgent is responsible for collecting all monitoring data within your monitored environment. This way you can see some data in your environment. \n\nYou can find further installation instructions on our [support page](https://www.dynatrace.com/support/help/setup-and-configuration/dynatrace-oneagent/installation-and-operation). \n\n### EasyTravel \u0026 EasyTrade\nEasyTravel \u0026 EasyTrade are demo applications which can help you to generate test data. 
Install it on the environment where you installed the OneAgent.\n\nHere are some links that contain more detailed instructions \u0026 download links: \n- EasyTravel installation, download \u0026 integration: https://community.dynatrace.com/t5/Start-with-Dynatrace/easyTravel-Documentation-and-Download/m-p/181271\n- EasyTravel docker installation: https://github.com/Dynatrace/easyTravel-Docker\n- EasyTrade installation \u0026 download: https://github.com/Dynatrace/easytrade\n- How to integrate EasyTrade into your testing environment: https://docs.dynatrace.com/docs/platform-modules/business-analytics/ba-end-to-end-use-case\n\n*Please keep in mind that EasyTravel \u0026 EasyTrade are out of scope of this program!*\n\n### ActiveGate\nActiveGate is a secure proxy that connects Dynatrace OneAgents to Dynatrace Clusters or other ActiveGates. It simplifies network interactions, reduces complexity and cost, and performs monitoring tasks for different technologies.\n\nIn case you want to read more about our ActiveGates you can have a look at our [support page](https://www.dynatrace.com/support/help/setup-and-configuration/dynatrace-activegate). \nDetailed instructions on how to install and use an AG you can find [here](https://www.dynatrace.com/support/help/setup-and-configuration/dynatrace-activegate/installation). \n\n\n### How to access your 2nd gen environment\nIf you haven't requested your testing environment yet, please do so. You can find detailed instructions at the top of our Policy page. \nOnce you have requested your testing environment, you will be redirected to the latest version of our product, the Dynatrace Platform (3rd gen). This serves as your default testing environment. While we continue to support the older 2nd gen version with regular updates and patches, new customers will be onboarded to the Dynatrace Platform.\n\nIf the following steps are not done, you will be automatically redirected from your 2nd to your 3rd gen environment. 
With the following steps this redirection will be disabled: \n1. Access your Dynatrace Platform environment: \\*.sprint.apps.dynatracelabs.com\n2. Click on the account icon at the bottom left of your Platform (3rd gen) environment.\n3. Switch off the \"latest Dynatrace\" flag.\n4. You'll be redirected to your 2nd gen environment.\n5. To return to your Platform (3rd gen) environment, simply navigate back using the direct URL.\n\nIf you have any questions or this doesn't work for you, please reach out to bugbounty@dynatrace.com\n\n### Mobile Agent\nWith Dynatrace, it is also possible to monitor mobile applications for Android and iOS. The setup process is different as it involves compiling, packaging and shipping a monitoring library together with your own mobile application package.\n\nYou can find information on how to do this on our support page: \n- [Android](https://www.dynatrace.com/support/help/platform-modules/digital-experience/mobile-applications/instrument-android-app)\n- [iOS](https://www.dynatrace.com/support/help/platform-modules/digital-experience/mobile-applications/instrument-ios-app)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-04-24T13:17:39.151Z"},{"id":3711401,"new_policy":"# How to get your testing environment\nTo get your testing environment, follow these steps:\n\n1. Visit this link: [https://www.dynatrace.com/signup/hackerone/](https://www.dynatrace.com/signup/hackerone/)\n2. Use your @wearehackerone.com email address for registration.\n3. You're allowed to sign up multiple times if needed, but please keep your testing accounts to a minimum. \n4. Each testing account you set up will be active for three months.\n5. 
If you have any inquiries, feel free to contact us at [bugbounty@dynatrace.com](mailto:bugbounty@dynatrace.com).\n\n# Program Rules\n- If you have any questions, please reach out to bugbounty@dynatrace.com\n- Only use the account (including its credentials) provided to you by Dynatrace for testing purposes. Don’t share your account with other people.\n- Do your best to avoid any kind of privacy violations, destruction of data, or disruption of Dynatrace services.\n- Don’t bulk create additional accounts within MyAccount (our account management portal) - only create a small number of accounts with different permissions to test privilege escalation.\n- Create individual bugs on HackerOne for each finding, unless exploitation only works by chaining multiple small bugs together.\n- Explain your finding as detailed as possible. Use screenshots or a screen recording to demonstrate your proof-of-concept.\n- Current or former employees of Dynatrace are not eligible to participate in the program.\n- Dynatrace will mark an issue as duplicate or not applicable in its sole discretion. Dynatrace will do its best to specify in each case, why the bug is not eligible for a reward.\n\n# Eligibility and Responsible Disclosure\n\nIn connection with your participation in this program, you agree to comply with all applicable local and national laws. You may not participate in this program if you are a resident or an individual located in a country that is on a U.S. or E.U. sanctions list.\n\nWe will only reward the first person to responsibly report a vulnerability to us. Any vulnerabilities that are publicly disclosed without providing a reasonable amount of time for Dynatrace to respond will not be rewarded. 
You must report a qualifying vulnerability through the HackerOne reporting tool to be eligible for a reward.\n\nPlease make sure to have read [HackerOne’s vulnerability disclosure guidelines](https://www.hackerone.com/disclosure-guidelines) before you start participating in the Dynatrace bug bounty program.\n\n# Exclusions\n\nWhile searching for security bugs, we ask you to refrain from:\n\n- Denial of Service attacks\n- Credential leaks found in the Darknet, Telegram or similar sources\n- Use of automated tools to generate significant traffic (apart from easyTravel, which is mentioned under Setup), which may affect the availability of our platform\n- Spamming\n- Social engineering (including phishing) of Dynatrace staff or contractors\n- Any physical action against Dynatrace property or data centers\n- Subdomain Takeovers\n- Reports that solely indicate a lack of possible security defenses, such as:\n    - Lack of CSRF tokens (unless you provide evidence of an actual sensitive user action that isn’t protected by a token).\n    - CSRF attacks that are performed in the same session and browser window as the captured forms. Please note: Before you submit a CSRF bug, please confirm that the bug can be reproduced after you log out, restart the browser, and log in again.\n    - Login and logout CSRF.\n    - Missing HTTP security headers that don’t directly contribute to a vulnerability.\n    - Host header injections (we require evidence showing how these can lead to the theft of user data).\n    - Absence of best practices (unless evidence of a security vulnerability is demonstrated).\n    - Self-XSS (we require evidence showing how XSS can be used to attack another user).\n    - Missing flags on non-sensitive cookies.\n    - Reports from automated tools or vulnerability scanners.\n    - Reports of insecure SSL/TLS ciphers or outdated certificates.\n    - Reports of insecure DNS and server configurations (e.g. 
open ports).\n    - Vulnerabilities affecting users of outdated browsers, plug-ins, or platforms.\n    - Password, email and account policies.\n    - Presence/absence of DKIM/SPF/DMARC records.\n    - CSP (Content-Security-Policy) issues.\n    - Issues related to software or protocols not under Dynatrace’s control.\n\n# Legal\n\nIn connection with your participation in this program you agree to comply with all applicable local and national laws.\n\nYou may not participate in this program if you are a resident or an individual located in a country that is on a U.S. or E.U. sanctions list.\n\nYou may not destroy, steal, modify, damage, violate or otherwise jeopardize the privacy of any Dynatrace customer or Dynatrace data. This includes disrupting or degrading Dynatrace’s products and service to its customers.\n\nDynatrace does not permit or authorize you to extract information or content of Dynatrace customers or publicize this information or to modify or corrupt programs or data belonging to Dynatrace in order to extract and publicly disclose data belonging to Dynatrace. Vulnerabilities obtained by exploiting Dynatrace users, employees or otherwise violating this policy are not eligible for a bounty and will result in immediate disqualification from the program.\n\nDynatrace reserves the right to discontinue this reward program and change its terms at any time without prior notification. All decisions regarding reward payments are final. The rules of this reward program or any communication related there do not provide or imply any obligations to Dynatrace of any kind.\n\nThank you for helping keep Dynatrace and our customers safe!\n\n\n# Useful tips for the setup\n\n### OneAgent\nTo test all functions of Dynatrace we recommend that you install a Dynatrace OneAgent on a test environment. OneAgent is responsible for collecting all monitoring data within your monitored environment. This way you can see some data in your environment. 
\n\nYou can find further installation instructions on our [support page](https://www.dynatrace.com/support/help/setup-and-configuration/dynatrace-oneagent/installation-and-operation). \n\n### EasyTravel \u0026 EasyTrade\nEasyTravel \u0026 EasyTrade are demo applications which can help you to generate test data. Install it on the environment where you installed the OneAgent.\n\nHere are some links that contain more detailed instructions \u0026 download links: \n- EasyTravel installation, download \u0026 integration: https://community.dynatrace.com/t5/Start-with-Dynatrace/easyTravel-Documentation-and-Download/m-p/181271\n- EasyTravel docker installation: https://github.com/Dynatrace/easyTravel-Docker\n- EasyTrade installation \u0026 download: https://github.com/Dynatrace/easytrade\n- How to integrate EasyTrade into your testing environment: https://docs.dynatrace.com/docs/platform-modules/business-analytics/ba-end-to-end-use-case\n\n*Please keep in mind that EasyTravel \u0026 EasyTrade are out of scope of this program!*\n\n### ActiveGate\nActiveGate is a secure proxy that connects Dynatrace OneAgents to Dynatrace Clusters or other ActiveGates. It simplifies network interactions, reduces complexity and cost, and performs monitoring tasks for different technologies.\n\nIn case you want to read more about our ActiveGates you can have a look at our [support page](https://www.dynatrace.com/support/help/setup-and-configuration/dynatrace-activegate). \nDetailed instructions on how to install and use an AG you can find [here](https://www.dynatrace.com/support/help/setup-and-configuration/dynatrace-activegate/installation). \n\n\n### How to access your 2nd gen environment\nIf you haven't requested your testing environment yet, please do so. You can find detailed instructions at the top of our Policy page. \nOnce you have requested your testing environment, you will be redirected to the latest version of our product, the Dynatrace Platform (3rd gen). 
This serves as your default testing environment. While we continue to support the older 2nd gen version with regular updates and patches, new customers will be onboarded to the Dynatrace Platform.\n\nIf the following steps are not done you will be automatically redirected from your 2nd to your 3rd gen environment. With the following steps this redirection will be disabled: \n1. Access your Dynatrace Platform environment: \\*.sprint.apps.dynatracelabs.com\n2. Click on the account icon at the bottom left of your Platform (3rd gen) environment.\n3. Switch off the \"latest Dynatrace\" flag.\n4. You'll be redirected to your 2nd gen environment.\n5. To return to your Platform (3rd gen) environment, simply navigate back using the direct URL.\n\nIn case you have any questions or this doesn't work for you, please reach out to bugbounty@dynatrace.com\n\n### Mobile Agent\nWith Dynatrace it is also possible to monitor mobile applications for Android and iOS. The setup process is different as it involves compiling, packaging and shipping a monitoring library together with your own mobile application package.\n\nDetails on how to do this you can find in our support page: \n- [Android](https://www.dynatrace.com/support/help/platform-modules/digital-experience/mobile-applications/instrument-android-app)\n- [iOS](https://www.dynatrace.com/support/help/platform-modules/digital-experience/mobile-applications/instrument-ios-app)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-01-24T13:28:31.097Z"},{"id":3711055,"new_policy":"# How to get your testing environment\nTo get your testing environment, follow these steps:\n\n1. 
Visit this link: [https://www.dynatrace.com/signup/hackerone/](https://www.dynatrace.com/signup/hackerone/)\n2. Use your @wearehackerone.com email address for registration.\n3. You're allowed to sign up multiple times if needed, but please keep your testing accounts to a minimum. \n4. Each testing account you set up will be active for three months.\n5. If you have any inquiries, feel free to contact us at [bugbounty@dynatrace.com](mailto:bugbounty@dynatrace.com).\n\n# Program Rules\n- If you have any questions, please reach out to bugbounty@dynatrace.com\n- Only use the account (including its credentials) provided to you by Dynatrace for testing purposes. Don’t share your account with other people.\n- Do your best to avoid any kind of privacy violations, destruction of data, or disruption of Dynatrace services.\n- Don’t bulk create additional accounts within MyAccount (our account management portal) - only create a small number of accounts with different permissions to test privilege escalation.\n- Create individual bugs on HackerOne for each finding, unless exploitation only works by chaining multiple small bugs together.\n- Explain your finding as detailed as possible. Use screenshots or a screen recording to demonstrate your proof-of-concept.\n- Current or former employees of Dynatrace are not eligible to participate in the program.\n- Dynatrace will mark an issue as duplicate or not applicable in its sole discretion. Dynatrace will do its best to specify in each case, why the bug is not eligible for a reward.\n\n# Eligibility and Responsible Disclosure\n\nIn connection with your participation in this program, you agree to comply with all applicable local and national laws. You may not participate in this program if you are a resident or an individual located in a country that is on a U.S. or E.U. sanctions list.\n\nWe will only reward the first person to responsibly report a vulnerability to us. 
Any vulnerabilities that are publicly disclosed without providing a reasonable amount of time for Dynatrace to respond will not be rewarded. You must report a qualifying vulnerability through the HackerOne reporting tool to be eligible for a reward.\n\nPlease make sure to have read [HackerOne’s vulnerability disclosure guidelines](https://www.hackerone.com/disclosure-guidelines) before you start participating in the Dynatrace bug bounty program.\n\n# Exclusions\n\nWhile searching for security bugs, we ask you to refrain from:\n\n- Denial of Service attacks\n- Use of automated tools to generate significant traffic (apart from easyTravel, which is mentioned under Setup), which may affect the availability of our platform\n- Spamming\n- Social engineering (including phishing) of Dynatrace staff or contractors\n- Any physical action against Dynatrace property or data centers\n- Subdomain Takeovers\n- Reports that solely indicate a lack of possible security defenses, such as:\n    - Lack of CSRF tokens (unless you provide evidence of an actual sensitive user action that isn’t protected by a token).\n    - CSRF attacks that are performed in the same session and browser window as the captured forms. 
Please note: Before you submit a CSRF bug, please confirm that the bug can be reproduced after you log out, restart the browser, and log in again.\n    - Login and logout CSRF.\n    - Missing HTTP security headers that don’t directly contribute to a vulnerability.\n    - Host header injections (we require evidence showing how these can lead to the theft of user data).\n    - Absence of best practices (unless evidence of a security vulnerability is demonstrated).\n    - Self-XSS (we require evidence showing how XSS can be used to attack another user).\n    - Missing flags on non-sensitive cookies.\n    - Reports from automated tools or vulnerability scanners.\n    - Reports of insecure SSL/TLS ciphers or outdated certificates.\n    - Reports of insecure DNS and server configurations (e.g. open ports).\n    - Vulnerabilities affecting users of outdated browsers, plug-ins, or platforms.\n    - Password, email and account policies.\n    - Presence/absence of DKIM/SPF/DMARC records.\n    - CSP (Content-Security-Policy) issues.\n    - Issues related to software or protocols not under Dynatrace’s control.\n\n# Legal\n\nIn connection with your participation in this program you agree to comply with all applicable local and national laws.\n\nYou may not participate in this program if you are a resident or an individual located in a country that is on a U.S. or E.U. sanctions list.\n\nYou may not destroy, steal, modify, damage, violate or otherwise jeopardize the privacy of any Dynatrace customer or Dynatrace data. This includes disrupting or degrading Dynatrace’s products and service to its customers.\n\nDynatrace does not permit or authorize you to extract information or content of Dynatrace customers or publicize this information or to modify or corrupt programs or data belonging to Dynatrace in order to extract and publicly disclose data belonging to Dynatrace. 
Vulnerabilities obtained by exploiting Dynatrace users, employees or otherwise violating this policy are not eligible for a bounty and will result in immediate disqualification from the program.\n\nDynatrace reserves the right to discontinue this reward program and change its terms at any time without prior notification. All decisions regarding reward payments are final. The rules of this reward program or any communication related there do not provide or imply any obligations to Dynatrace of any kind.\n\nThank you for helping keep Dynatrace and our customers safe!\n\n\n# Useful tips for the setup\n\n### OneAgent\nTo test all functions of Dynatrace we recommend that you install a Dynatrace OneAgent on a test environment. OneAgent is responsible for collecting all monitoring data within your monitored environment. This way you can see some data in your environment. \n\nYou can find further installation instructions on our [support page](https://www.dynatrace.com/support/help/setup-and-configuration/dynatrace-oneagent/installation-and-operation). \n\n### EasyTravel\nEasyTravel is a demo application which can help you to generate some data. Install it on the environment where you installed the OneAgent. \n\nA detailed instruction setup including the download link can be found [here](https://community.dynatrace.com/t5/Start-with-Dynatrace/easyTravel-Documentation-and-Download/m-p/181271)\n\n*Please keep in mind that EasyTravel is out of scope of this program!*\n\n### ActiveGate\nActiveGate is a secure proxy that connects Dynatrace OneAgents to Dynatrace Clusters or other ActiveGates. It simplifies network interactions, reduces complexity and cost, and performs monitoring tasks for different technologies.\n\nIn case you want to read more about our ActiveGates you can have a look at our [support page](https://www.dynatrace.com/support/help/setup-and-configuration/dynatrace-activegate). 
\nDetailed instructions on how to install and use an AG you can find [here](https://www.dynatrace.com/support/help/setup-and-configuration/dynatrace-activegate/installation). \n\n\n### How to access your 2nd gen environment\nIf you haven't requested your testing environment yet, please do so. You can find detailed instructions at the top of our Policy page. \nOnce you have requested your testing environment, you will be redirected to the latest version of our product, the Dynatrace Platform (3rd gen). This serves as your default testing environment. While we continue to support the older 2nd gen version with regular updates and patches, new customers will be onboarded to the Dynatrace Platform.\n\nIf the following steps are not done you will be automatically redirected from your 2nd to your 3rd gen environment. With the following steps this redirection will be disabled: \n1. Access your Dynatrace Platform environment: \\*.sprint.apps.dynatracelabs.com\n2. Click on the account icon at the bottom left of your Platform (3rd gen) environment.\n3. Switch off the \"latest Dynatrace\" flag.\n4. You'll be redirected to your 2nd gen environment.\n5. To return to your Platform (3rd gen) environment, simply navigate back using the direct URL.\n\nIn case you have any questions or this doesn't work for you, please reach out to bugbounty@dynatrace.com\n\n### Mobile Agent\nWith Dynatrace it is also possible to monitor mobile applications for Android and iOS. 
The setup process is different as it involves compiling, packaging and shipping a monitoring library together with your own mobile application package.\n\nDetails on how to do this you can find in our support page: \n- [Android](https://www.dynatrace.com/support/help/platform-modules/digital-experience/mobile-applications/instrument-android-app)\n- [iOS](https://www.dynatrace.com/support/help/platform-modules/digital-experience/mobile-applications/instrument-ios-app)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-01-19T11:35:06.377Z"},{"id":3711054,"new_policy":"# How to get your testing environment\nTo get your testing environment, follow these steps:\n\n1. Visit this link: [https://www.dynatrace.com/signup/hackerone/](https://www.dynatrace.com/signup/hackerone/)\n2. Use your @wearehackerone.com email address for registration.\n3. You're allowed to sign up multiple times if needed, but please keep your testing accounts to a minimum. \n4. Each testing account you set up will be active for three months.\n5. If you have any inquiries, feel free to contact us at [bugbounty@dynatrace.com](mailto:bugbounty@dynatrace.com).\n\n# Program Rules\n- In case you have questions please reach out to bugbounty@dynatrace.com\n- Only use the account (including its credentials) provided to you by Dynatrace for testing purposes. 
Don’t share your account with other people.\n- Do your best to avoid any kind of privacy violations, destruction of data or disruption of Dynatrace services.\n- Don’t bulk create additional accounts within account management (only create a small number of accounts with different permissions to test for privilege escalation).\n- Create individual bugs on Hackerone for each finding, unless exploitation only works by chaining multiple small bugs together.\n- Explain your finding as detailed as possible. Use screenshots or a screen recording to demonstrate your proof-of-concept.\n- Current or former employees of Dynatrace are not eligible to participate in the program.\n- Dynatrace will mark an issue as duplicate or not applicable in its sole discretion. Dynatrace will do its best to specify in each case, why the bug is not eligible for a reward.\n\n# Eligibility and Responsible Disclosure\n\nIn connection with your participation in this program you agree to comply with all applicable local and national laws. You may not participate in this program if you are a resident or individual located within a country appearing on any U.S. or E.U. sanctions list.\n\nWe will only reward the first person to responsibly report a vulnerability to us. Any vulnerabilities that are publicly disclosed without providing a reasonable amount of time for Dynatrace to respond will not be rewarded. 
You must report a qualifying vulnerability through the HackerOne reporting tool to be eligible for a reward.\n\nPlease make sure to have read [Hackerone’s vulnerability disclosure guidelines](https://www.hackerone.com/disclosure-guidelines) before you start participating in Dynatrace’s bug bounty program.\n\n# Exclusions\n\nWhile searching for security bugs, we ask you to refrain from:\n\n- Denial of service attacks\n- Using automated tools to generate significant traffic (apart from easyTravel mentioned under Setup) and possibly impair the function of our application\n- Spamming\n- Social engineering (including phishing) of Dynatrace staff or contractors\n- Any physical action against Dynatrace property or data centers\n- Subdomain Takeovers\n- Reports that solely indicate a lack of possible security defenses, such as:\n    - Lack of CSRF tokens (unless you provide evidence of an actual sensitive user action that isn’t protected by a token).\n    - CSRF attacks that are performed in the same session and browser window as the captured forms. Please note: Before you submit a CSRF bug, please confirm that the bug can be reproduced after you log out, restart the browser, and log in again.\n    - Login and logout CSRF.\n    - Missing HTTP security headers that don’t directly contribute to a vulnerability.\n    - Host header injections (we require evidence showing how these can lead to the theft of user data).\n    - Absence of best practices (unless evidence of a security vulnerability is demonstrated).\n    - Self-XSS (we require evidence showing how XSS can be used to attack another user).\n    - Missing flags on non-sensitive cookies.\n    - Reports from automated tools or vulnerability scanners.\n    - Reports of insecure SSL/TLS ciphers or outdated certificates.\n    - Reports of insecure DNS and server configurations (e.g. 
open ports).\n    - Vulnerabilities affecting users of outdated browsers, plug-ins, or platforms.\n    - Password, email and account policies.\n    - Presence/absence of DKIM/SPF/DMARC records.\n    - CSP (Content-Security-Policy) issues.\n    - Issues related to software or protocols not under Dynatrace’s control.\n\n# Legal\n\nIn connection with your participation in this program you agree to comply with all applicable local and national laws.\n\nYou may not participate in this program if you are a resident or individual located within a country appearing on any U.S. or E.U. sanctions list.\n\nYou may not destroy, steal, modify, damage, violate or otherwise jeopardize the privacy of any Dynatrace customer or Dynatrace data. This includes disrupting or degrading Dynatrace’s products and service to its customers.\n\nDynatrace does not permit or authorize you to extract information or content of Dynatrace customers or publicize this information or to modify or corrupt programs or data belonging to Dynatrace in order to extract and publicly disclose data belonging to Dynatrace. Vulnerabilities obtained by exploiting Dynatrace users, employees or otherwise violating this policy are not eligible for a bounty and will result in immediate disqualification from the program.\n\nDynatrace reserves the right to discontinue this reward program and change its terms at any time without prior notification. All decisions regarding reward payments are final. The rules of this reward program or any communication related there do not provide or imply any obligations to Dynatrace of any kind.\n\nThank you for helping keep Dynatrace and our customers safe!\n\n\n# Useful tips for the setup\n\n### OneAgent\nTo test all functions of Dynatrace we recommend that you install a Dynatrace OneAgent on a test environment. OneAgent is responsible for collecting all monitoring data within your monitored environment. This way you can see some data in your environment. 
\n\nYou can find further installation instructions on our [support page](https://www.dynatrace.com/support/help/setup-and-configuration/dynatrace-oneagent/installation-and-operation). \n\n### EasyTravel\nEasyTravel is a demo application which can help you to generate some data. Install it on the environment where you installed the OneAgent. \n\nA detailed instruction setup including the download link can be found [here](https://community.dynatrace.com/t5/Start-with-Dynatrace/easyTravel-Documentation-and-Download/m-p/181271)\n\n*Please keep in mind that EasyTravel is out of scope of this program!*\n\n### ActiveGate\nActiveGate is a secure proxy that connects Dynatrace OneAgents to Dynatrace Clusters or other ActiveGates. It simplifies network interactions, reduces complexity and cost, and performs monitoring tasks for various technologies.\n\nIn case you want to read more about our ActiveGates you can have a look at our [support page](https://www.dynatrace.com/support/help/setup-and-configuration/dynatrace-activegate). \nDetailed instructions on how to install and use an AG you can find [here](https://www.dynatrace.com/support/help/setup-and-configuration/dynatrace-activegate/installation). \n\n\n### How to access your 2nd gen environment\nIf you haven't requested your testing environment yet, please do so. You can find detailed instructions at the top of our Policy page. \nOnce you have requested your testing environment, you will be redirected to the latest version of our product, the Dynatrace Platform (3rd gen). This serves as your default testing environment. While we continue to support the older 2nd gen version with regular updates and patches, new customers will be onboarded to the Dynatrace Platform.\n\nIf the following steps are not done you will be automatically redirected from your 2nd to your 3rd gen environment. With the following steps this redirection will be disabled: \n1. 
Access your Dynatrace Platform environment: \\*.sprint.apps.dynatracelabs.com\n2. Click on the account icon at the bottom left of your Platform (3rd gen) environment.\n3. Switch off the \"latest Dynatrace\" flag.\n4. You'll be redirected to your 2nd gen environment.\n5. To return to your Platform (3rd gen) environment, simply navigate back using the direct URL.\n\n{F2960757}\n\nIn case you have any questions or this doesn't work for you, please reach out to bugbounty@dynatrace.com\n\n### Mobile Agent\nWith Dynatrace it is also possible to monitor mobile applications for Android and iOS. The setup process is different because it involves the compilation, packaging, and shipment of a monitoring library along with your own mobile application package.\n\nDetails on how to do this you can find in our support page: \n- [Android](https://www.dynatrace.com/support/help/platform-modules/digital-experience/mobile-applications/instrument-android-app)\n- [iOS](https://www.dynatrace.com/support/help/platform-modules/digital-experience/mobile-applications/instrument-ios-app)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-01-19T11:24:23.611Z"},{"id":3710812,"new_policy":"# How to get your testing environment\nTo get your testing environment, follow these steps:\n\n1. Visit this link: [https://www.dynatrace.com/signup/hackerone/](https://www.dynatrace.com/signup/hackerone/)\n2. Use your @wearehackerone.com email address for registration.\n3. You're allowed to sign up multiple times if needed, but please keep your testing accounts to a minimum. \n4. Each testing account you set up will be active for three months.\n5. 
If you have any inquiries, feel free to contact us at [bugbounty@dynatrace.com](mailto:bugbounty@dynatrace.com).\n\n# Program Rules\n- In case you have questions please reach out to bugbounty@dynatrace.com\n- Only use the account (including its credentials) provided to you by Dynatrace for testing purposes. Don’t share your account with other people.\n- Do your best to avoid any kind of privacy violations, destruction of data or disruption of Dynatrace services.\n- Don’t bulk create additional accounts within account management (only create a small number of accounts with different permissions to test for privilege escalation).\n- Create individual bugs on Hackerone for each finding, unless exploitation only works by chaining multiple small bugs together.\n- Explain your finding as detailed as possible. Use screenshots or a screen recording to demonstrate your proof-of-concept.\n- Current or former employees of Dynatrace are not eligible to participate in the program.\n- Dynatrace will mark an issue as duplicate or not applicable in its sole discretion. Dynatrace will do its best to specify in each case, why the bug is not eligible for a reward.\n\n# Eligibility and Responsible Disclosure\n\nIn connection with your participation in this program you agree to comply with all applicable local and national laws. You may not participate in this program if you are a resident or individual located within a country appearing on any U.S. or E.U. sanctions list.\n\nWe will only reward the first person to responsibly report a vulnerability to us. Any vulnerabilities that are publicly disclosed without providing a reasonable amount of time for Dynatrace to respond will not be rewarded. 
You must report a qualifying vulnerability through the HackerOne reporting tool to be eligible for a reward.\n\nPlease make sure to have read [Hackerone’s vulnerability disclosure guidelines](https://www.hackerone.com/disclosure-guidelines) before you start participating in Dynatrace’s bug bounty program.\n\n# Exclusions\n\nWhile searching for security bugs, we ask you to refrain from:\n\n- Denial of service attacks\n- Using automated tools to generate significant traffic (apart from easyTravel mentioned under Setup) and possibly impair the function of our application\n- Spamming\n- Social engineering (including phishing) of Dynatrace staff or contractors\n- Any physical action against Dynatrace property or data centers\n- Subdomain Takeovers\n- Reports that solely indicate a lack of possible security defenses, such as:\n    - Lack of CSRF tokens (unless you provide evidence of an actual sensitive user action that isn’t protected by a token).\n    - CSRF attacks that are performed in the same session and browser window as the captured forms. Please note: Before you submit a CSRF bug, please confirm that the bug can be reproduced after you log out, restart the browser, and log in again.\n    - Login and logout CSRF.\n    - Missing HTTP security headers that don’t directly contribute to a vulnerability.\n    - Host header injections (we require evidence showing how these can lead to the theft of user data).\n    - Absence of best practices (unless evidence of a security vulnerability is demonstrated).\n    - Self-XSS (we require evidence showing how XSS can be used to attack another user).\n    - Missing flags on non-sensitive cookies.\n    - Reports from automated tools or vulnerability scanners.\n    - Reports of insecure SSL/TLS ciphers or outdated certificates.\n    - Reports of insecure DNS and server configurations (e.g. 
open ports).\n    - Vulnerabilities affecting users of outdated browsers, plug-ins, or platforms.\n    - Password, email and account policies.\n    - Presence/absence of DKIM/SPF/DMARC records.\n    - CSP (Content-Security-Policy) issues.\n    - Issues related to software or protocols not under Dynatrace’s control.\n\n# Legal\n\nIn connection with your participation in this program you agree to comply with all applicable local and national laws.\n\nYou may not participate in this program if you are a resident or individual located within a country appearing on any U.S. or E.U. sanctions list.\n\nYou may not destroy, steal, modify, damage, violate or otherwise jeopardize the privacy of any Dynatrace customer or Dynatrace data. This includes disrupting or degrading Dynatrace’s products and service to its customers.\n\nDynatrace does not permit or authorize you to extract information or content of Dynatrace customers or publicize this information or to modify or corrupt programs or data belonging to Dynatrace in order to extract and publicly disclose data belonging to Dynatrace. Vulnerabilities obtained by exploiting Dynatrace users, employees or otherwise violating this policy are not eligible for a bounty and will result in immediate disqualification from the program.\n\nDynatrace reserves the right to discontinue this reward program and change its terms at any time without prior notification. All decisions regarding reward payments are final. The rules of this reward program or any communication related there do not provide or imply any obligations to Dynatrace of any kind.\n\nThank you for helping keep Dynatrace and our customers safe!\n\n\n# Useful tips for the setup\n\n### OneAgent\nTo test all functions of Dynatrace we recommend that you install a Dynatrace OneAgent on a test environment. OneAgent is responsible for collecting all monitoring data within your monitored environment. This way you can see some data in your environment. 
\n\nYou can find further installation instructions on our [support page](https://www.dynatrace.com/support/help/setup-and-configuration/dynatrace-oneagent/installation-and-operation). \n\n### EasyTravel\nEasyTravel is a demo application which can help you to generate some data. Install it on the environment where you installed the OneAgent. \n\nA detailed instruction setup including the download link can be found [here](https://community.dynatrace.com/t5/Start-with-Dynatrace/easyTravel-Documentation-and-Download/m-p/181271)\n\n*Please keep in mind that EasyTravel is out of scope of this program!*\n\n### ActiveGate\nActiveGate is a secure proxy that connects Dynatrace OneAgents to Dynatrace Clusters or other ActiveGates. It simplifies network interactions, reduces complexity and cost, and performs monitoring tasks for various technologies.\n\nIn case you want to read more about our ActiveGates you can have a look at our [support page](https://www.dynatrace.com/support/help/setup-and-configuration/dynatrace-activegate). \nDetailed instructions on how to install and use an AG you can find [here](https://www.dynatrace.com/support/help/setup-and-configuration/dynatrace-activegate/installation). \n\n\n### How to access your 2nd gen environment\nIf you haven't requested your testing environment yet, please do so. You can find detailed instructions at the top of our Policy page. \nOnce you have requested your testing environment, you will be redirected to the latest version of our product, the Dynatrace Platform (3rd gen). This serves as your default testing environment. While we continue to support the older 2nd gen version with regular updates and patches, new customers will be onboarded to the Dynatrace Platform.\n\nIf the following steps are not done you will be automatically redirected from your 2nd to your 3rd gen environment. With the following steps this redirection will be disabled: \n1. 
Access your Dynatrace Platform environment: \\*.sprint.apps.dynatracelabs.com\n2. Click on the account icon at the bottom left of your Platform (3rd gen) environment.\n3. Switch off the \"latest Dynatrace\" flag.\n4. You'll be redirected to your 2nd gen environment.\n5. To return to your Platform (3rd gen) environment, simply navigate back using the direct URL.\n\n{F2960757}\n\nIn case you have any questions or this doesn't work for you, please reach out to bugbounty@dynatrace.com\n\n### Mobile Agent\nWith Dynatrace it is also possible to monitor mobile applications for Android and iOS. The setup process is different because it involves the compilation, packaging, and shipment of a monitoring library along with your own mobile application package.\n\nDetails on how to do this you can find in our support page: \n- [Android](https://www.dynatrace.com/support/help/platform-modules/digital-experience/mobile-applications/instrument-android-app)\n- [iOS](https://www.dynatrace.com/support/help/platform-modules/digital-experience/mobile-applications/instrument-ios-app)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-01-16T09:26:36.931Z"},{"id":3710492,"new_policy":"# How to get your testing environment\nTo get your testing environment, follow these steps:\n\n1. Visit this link: [https://www.dynatrace.com/signup/hackerone/](https://www.dynatrace.com/signup/hackerone/)\n2. Use your @wearehackerone.com email address for registration.\n3. You're allowed to sign up multiple times if needed, but please keep your testing accounts to a minimum. \n4. Each testing account you set up will be active for three months.\n5. 
If you have any inquiries, feel free to contact us at [bugbounty@dynatrace.com](mailto:bugbounty@dynatrace.com).\n\n# Program Rules\n- In case you have questions please reach out to bugbounty@dynatrace.com\n- Only use the account (including its credentials) provided to you by Dynatrace for testing purposes. Don’t share your account with other people.\n- Do your best to avoid any kind of privacy violations, destruction of data or disruption of Dynatrace services.\n- Don’t bulk create additional accounts within account management (only create a small number of accounts with different permissions to test for privilege escalation).\n- Create individual bugs on Hackerone for each finding, unless exploitation only works by chaining multiple small bugs together.\n- Explain your finding as detailed as possible. Use screenshots or a screen recording to demonstrate your proof-of-concept.\n- Current or former employees of Dynatrace are not eligible to participate in the program.\n- Dynatrace will mark an issue as duplicate or not applicable in its sole discretion. Dynatrace will do its best to specify in each case, why the bug is not eligible for a reward.\n\n# Eligibility and Responsible Disclosure\n\nIn connection with your participation in this program you agree to comply with all applicable local and national laws. You may not participate in this program if you are a resident or individual located within a country appearing on any U.S. or E.U. sanctions list.\n\nWe will only reward the first person to responsibly report a vulnerability to us. Any vulnerabilities that are publicly disclosed without providing a reasonable amount of time for Dynatrace to respond will not be rewarded. 
You must report a qualifying vulnerability through the HackerOne reporting tool to be eligible for a reward.\n\nPlease make sure to have read [Hackerone’s vulnerability disclosure guidelines](https://www.hackerone.com/disclosure-guidelines) before you start participating in Dynatrace’s bug bounty program.\n\n# Exclusions\n\nWhile searching for security bugs, we ask you to refrain from:\n\n- Denial of service attacks\n- Using automated tools to generate significant traffic (apart from easyTravel mentioned under Setup) and possibly impair the function of our application\n- Spamming\n- Social engineering (including phishing) of Dynatrace staff or contractors\n- Any physical action against Dynatrace property or data centers\n- Subdomain Takeovers\n- Reports that solely indicate a lack of possible security defenses, such as:\n    - Lack of CSRF tokens (unless you provide evidence of an actual sensitive user action that isn’t protected by a token).\n    - CSRF attacks that are performed in the same session and browser window as the captured forms. Please note: Before you submit a CSRF bug, please confirm that the bug can be reproduced after you log out, restart the browser, and log in again.\n    - Login and logout CSRF.\n    - Missing HTTP security headers that don’t directly contribute to a vulnerability.\n    - Host header injections (we require evidence showing how these can lead to the theft of user data).\n    - Absence of best practices (unless evidence of a security vulnerability is demonstrated).\n    - Self-XSS (we require evidence showing how XSS can be used to attack another user).\n    - Missing flags on non-sensitive cookies.\n    - Reports from automated tools or vulnerability scanners.\n    - Reports of insecure SSL/TLS ciphers or outdated certificates.\n    - Reports of insecure DNS and server configurations (e.g. 
open ports).\n    - Vulnerabilities affecting users of outdated browsers, plug-ins, or platforms.\n    - Password, email and account policies.\n    - Presence/absence of DKIM/SPF/DMARC records.\n    - CSP (Content-Security-Policy) issues.\n    - Issues related to software or protocols not under Dynatrace’s control.\n\n# Legal\n\nIn connection with your participation in this program you agree to comply with all applicable local and national laws.\n\nYou may not participate in this program if you are a resident or individual located within a country appearing on any U.S. or E.U. sanctions list.\n\nYou may not destroy, steal, modify, damage, violate or otherwise jeopardize the privacy of any Dynatrace customer or Dynatrace data. This includes disrupting or degrading Dynatrace’s products and service to its customers.\n\nDynatrace does not permit or authorize you to extract information or content of Dynatrace customers or publicize this information or to modify or corrupt programs or data belonging to Dynatrace in order to extract and publicly disclose data belonging to Dynatrace. Vulnerabilities obtained by exploiting Dynatrace users, employees or otherwise violating this policy are not eligible for a bounty and will result in immediate disqualification from the program.\n\nDynatrace reserves the right to discontinue this reward program and change its terms at any time without prior notification. All decisions regarding reward payments are final. The rules of this reward program or any communication related there do not provide or imply any obligations to Dynatrace of any kind.\n\nThank you for helping keep Dynatrace and our customers safe!\n\n\n# Useful tips for the setup\n\n### OneAgent\nTo test all functions of Dynatrace we recommend that you install a Dynatrace OneAgent on a test environment. OneAgent is responsible for collecting all monitoring data within your monitored environment. This way you can see some data in your environment. 
\n\nYou can find further installation instructions on our [support page](https://www.dynatrace.com/support/help/setup-and-configuration/dynatrace-oneagent/installation-and-operation). \n\n### EasyTravel\nEasyTravel is a demo application which can help you to generate some data. Install it on the environment where you installed the OneAgent. \n\nA detailed instruction setup including the download link can be found [here](https://community.dynatrace.com/t5/Start-with-Dynatrace/easyTravel-Documentation-and-Download/m-p/181271)\n\n*Please keep in mind that EasyTravel is out of scope of this program!*\n\n### ActiveGate\nActiveGate is a secure proxy that connects Dynatrace OneAgents to Dynatrace Clusters or other ActiveGates. It simplifies network interactions, reduces complexity and cost, and performs monitoring tasks for various technologies.\n\nIn case you want to read more about our ActiveGates you can have a look at our [support page](https://www.dynatrace.com/support/help/setup-and-configuration/dynatrace-activegate). \nDetailed instructions on how to install and use an AG you can find [here](https://www.dynatrace.com/support/help/setup-and-configuration/dynatrace-activegate/installation). \n\n\n### How to access your 2nd gen environment\nIf you haven't requested your testing environment yet, please do so. You can find detailed instructions at the top of our Policy page. \nOnce you have requested your testing environment, you will be redirected to the latest version of our product, the Dynatrace Platform (3rd gen). This serves as your default testing environment. While we continue to support the older 2nd gen version with regular updates and patches, new customers will be onboarded to the Dynatrace Platform.\n\nIf the following steps are not done you will be automatically redirected from your 2nd to your 3rd gen environment. With the following steps this redirection will be disabled: \n1. 
Access your Dynatrace Platform environment: \\*.sprint.apps.dynatracelabs.com\n2. Click on the account icon at the bottom left of your Platform (3rd gen) environment.\n3. Switch off the \"latest Dynatrace\" flag.\n4. You'll be redirected to your 2nd gen environment.\n5. To return to your Platform (3rd gen) environment, simply navigate back using the direct URL.\n\n{F2960757}\n\nIn case you have any questions or this doesn't work for you, please reach out to bugbounty@dynatrace.com\n\n### Mobile Agent\nWith Dynatrace it is also possible to monitor mobile applications for Android and iOS. The setup process is different because it involves the compilation, packaging, and shipment of a monitoring library along with your own mobile application package.\n\nDetails on how to do this you can find in our support page: \n- [Android](https://www.dynatrace.com/support/help/platform-modules/digital-experience/mobile-applications/instrument-android-app)\n- [iOS](https://www.dynatrace.com/support/help/platform-modules/digital-experience/mobile-applications/instrument-ios-app)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-01-10T09:00:43.024Z"}]