Opsgenie is a modern incident management platform for operating always-on services, empowering Dev & Ops teams to plan for service disruptions and stay in control during incidents. With over 200 deep integrations and a highly flexible rules engine, Opsgenie centralizes alerts, notifies the right people reliably, and enables them to collaborate and take rapid action. Throughout the entire incident lifecycle, Opsgenie tracks all activity and provides actionable insights to improve productivity and drive continuous operational efficiencies.
Get Started (tl;dr version)
- Testing for Opsgenie is ONLY to be performed on https://app.opsgeni.us.
- Do not access, impact, destroy or otherwise negatively impact Opsgenie customers or customer data in any way.
- Ensure that you use your @bugcrowdninja.com email address.
- Ensure you understand the targets, scopes, exclusions, and rules below.
- Application tests should be done against Opsgenie Lab, a clone of Opsgenie Production with no customer data in it.
- No testing should be performed against *.opsgenie.com or *.opsgenie.net unless explicitly requested.
- Note: Any link you click on https://docs.opsgenie.com will land you on opsgenie.com, which is production Opsgenie. Make sure you are testing on *.opsgeni.us domains.
- Note: Mobile apps connect to out-of-scope domains by default. See the note below about mobile apps.
- Opsgenie Links
- For real-time support, you can also use the Intercom chat bubble at the bottom right of www.opsgenie.com
- API Docs
- Mobile apps
  - (Android) https://play.google.com/store/apps/details?id=com.ifountain.opsgenie
  - (iOS) https://itunes.apple.com/us/app/opsgenie/id528590328
  - Note: by default, some out-of-scope domains are hard-coded into the mobile apps. Make sure not to test out-of-scope domains. To make sure the mobile app is pointed at the correct, in-scope sandbox server, do the following:
    - Go to the sign-in screen
    - Long tap on the Opsgenie logo for 10 seconds then release
    - Fill in the "sandbox url" field with
    - Tap Next
- Session Management
- HTTP and Cookie Security
- Multi Tenant Data Leakage/Access
- Server-side Remote Code Execution (RCE)
- Server-Side Request Forgery (SSRF)
- Stored/Reflected Cross-site Scripting (XSS)
- XML External Entity Attacks (XXE)
- Access Control & Authorization Vulnerabilities
- Path/Directory Traversal Issues
- File Upload & File hosting
Ensure you review the out of scope and exclusions list for further details.
** Cross Instance Data Leakage/Access refers to unauthorised data access between instances.
Creating Your Instance
Researchers can sign up here: https://app.opsgeni.us/customer/register
Note: Remember to use your @bugcrowdninja.com email address
!! Do not forget to verify your account by clicking the link sent via email; some features will not work until verification is done. !!
The next page is an onboarding wizard that presents the different features in Opsgenie. By following the wizard, new signups can have a fast onboarding experience.
You can get a paid account using the following credit card details:
Credit Card number: 4242 4242 4242 4242
Exp: Any date in the future
CVV: any three digits
Scope and rewards
This program follows Bugcrowd’s standard disclosure terms.
For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email firstname.lastname@example.org. We will address your issue as soon as possible.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.