HPE Aruba Networking Infrastructure Public Program

Hi all - we've just updated the scope for the submissions coming into the public program. This mostly revolves around *.arubanetworks.com. We realize this is a big attack surface and honestly part of us opening this up is to help us learn what is and what is not important there. Because of that, please take a minute to read the below before submitting new findings.

Thanks for submitting to our program!

• HPE corporate websites and resources
• Other HPE or Aruba products not specifically listed in Target Groups 1,2, and 3.
• Rate limiting or other DoS type attacks for *.arubanetworks.com
• Infrastructure with certificates like instant.arubanetworks.com or hostnames like securelogin.arubanetworks.com. These are products owned by customers which are not setup and they are not owned by Aruba nor are they externally facing infrastructure.
• The following hosts:
  • outdoorplanner.arubanetworks.com
  • *.atl.arubanetworks.com - this is a testing subdomain used by bugcrowd
  • *.getaws.arubanetworks.com - we hope this is temporary. We've had a number of submissions against these hosts and we think the root cause is all related. We want to clear these before accepting further submissions against these hosts.
  • asp-notifications.arubanetworks.com - this is related to the findings on *.getaws.arubanetworks.com above. We'll triage submissions out there for now and see what's not a duplicate
  • quickconnect.arubanetworks.com - this server is being decommissioned
  • community.arubanetworks.com - we've had a number of submissions against this and it's starting to look like we might have dups. This is likely a temporary pause until fixes can be rolled out and cases are closed. Once that happens it will go back into scope again, but at this point we need to digest what has come in.

If you have any questions on the change in the scope, please reach out to support@bugcrowd.com.