New Relic

target_in_scope

asset_identifier asset_type availability requirement confidentiality requirement eligible for bounty eligible for submission integrity requirement max_severity
*.blog.newrelic.com URL critical
Our blog is hosted externally by WP Engine. Issues within this application or regarding our content should be reported here. No security testing should be done against the platform itself. Any security issues found within the platform should be reported [directly to WP Engine](https://wpengine.com/contact/).
*.infrastructure-data.newrelic.com URL critical
*.infrastructure.newrelic.com URL critical
*.newrelic.com URL high high high critical
All **New Relic** assets are in scope for our responsible disclosure program, except where otherwise noted. Submissions for assets that are not in scope for a paid bounty are eligible for HackerOne reputation. Services hosted by third party providers are out of scope and should not be tested against.
APM agents DOWNLOADABLE_EXECUTABLES high high high critical
The [**New Relic APM** agents](https://docs.newrelic.com/docs/agents) are used to send information from supported applications to be viewed within the **New Relic** web application. We may reward reputation for security issues found within the **APM** agent that could reduce the security of the application or server the agent is running within.
Infrastructure agents DOWNLOADABLE_EXECUTABLES critical
The [**New Relic Infrastructure** agents](https://docs.newrelic.com/docs/infrastructure/new-relic-infrastructure/installation) are used to send information (running processes, memory usage, etc.) from Windows and Linux servers to be viewed within the **New Relic** web application. We may provide rewards for security issues found within the **Infrastructure** agent that could reduce the security of the systems the agent runs on. Rewards are based on the default configuration settings, but agents that show problems due to a configuration change may be eligible for a reward.
Synthetics minions (public and private) OTHER critical
[**Synthetics**](https://docs.newrelic.com/docs/synthetics/new-relic-synthetics/getting-started/introduction-new-relic-synthetics) minions are sandboxed virtual machines that run monitors (scripts) to gather information about your websites, critical business transactions, and API endpoints. Minions can run in our data center or [privately within your own infrastructure](https://docs.newrelic.com/docs/synthetics/new-relic-synthetics/private-locations/install-configure-private-minions). We recommend familiarizing yourself with the product by [reading our documentation](https://docs.newrelic.com/docs/synthetics/new-relic-synthetics/scripting-monitors). Note that out-of-date packages running on these minions are not in scope for this program. Minions are intended to be updated from within the VM or with future releases.
alerts.newrelic.com URL critical
[**New Relic Alerts**](https://newrelic.com/alerts) is a flexible and centralized notification system where you can manage alert policies and conditions for metrics collected by **New Relic**. This includes data from applications monitored by **New Relic APM**, servers with the **Infrastructure** agent¹, **Synthetics** monitors², and more. When an alert condition is met, a notification is sent out to the specified [notification channels](https://docs.newrelic.com/docs/alerts/new-relic-alerts/managing-notification-channels/notification-channels-controlling-where-send-alerts). You can learn more in our [documentation](https://docs.newrelic.com/docs/alerts/new-relic-alerts/getting-started/).
blog.newrelic.com URL critical
Our blog is hosted externally by WP Engine. Issues within this application or regarding our content should be reported here. No security testing should be done against the platform itself. Any security issues found within the platform should be reported [directly to WP Engine](https://wpengine.com/contact/).
discuss.newrelic.com URL critical
Our discussion forum is a customized @discourse installation; any issues with our customization can be reported here. If you're researching issues with the forum software itself, you should follow the guidelines in @discourse and either set up your own instance or use their test instance. All care should be taken to avoid generating excessive numbers of posts or otherwise affecting the experience of other users on the forum. If any issues are discovered that may affect other users, such as XSS, they should be reported here immediately and all effort should be made to prevent other users from encountering the issue. Social engineering is strictly forbidden.
docs.newrelic.com URL critical
Our documentation site is hosted externally by Acquia. Issues within this application or regarding our content should be reported here. No security testing should be done against the platform itself. Any security issues found within the platform should be reported to the [Acquia security team](https://www.acquia.com/how-report-security-issue).
infrastructure.newrelic.com URL critical
[**New Relic Infrastructure**](https://newrelic.com/infrastructure) provides deep, real-time visibility into a company’s dynamic cloud and hybrid infrastructure and integrates seamlessly with **New Relic**’s application performance solutions. The web application at [infrastructure.newrelic.com](https://infrastructure.newrelic.com) displays information collected on servers running **Infrastructure** agents. We recommend familiarizing yourself with the product by [reading our documentation](https://docs.newrelic.com/docs/infrastructure/new-relic-infrastructure).
insights.newrelic.com URL critical
[**New Relic Insights**](https://newrelic.com/insights/) is a software analytics resource to gather and visualize data. Data can be sent to **Insights** directly or via other **New Relic** products. The [**New Relic Query Language (NRQL)**](https://docs.newrelic.com/docs/insights/nrql-new-relic-query-language/using-nrql/introduction-nrql), similar to SQL, is a query language for making calls against the **Insights** event database. We recommend familiarizing yourself with our [**Insights** documentation](https://docs.newrelic.com/docs/insights) and with [**NRQL** queries](https://docs.newrelic.com/docs/insights/nrql-new-relic-query-language/using-nrql/introduction-nrql). Note that while **NRQL** is very similar to SQL, SQL injection should not be possible.
learn.newrelic.com URL critical
Our training portal is hosted externally by Acquia. Issues within this application or regarding our content should be reported here. No security testing should be done against the platform itself. Any security issues found within the platform should be reported to the [Acquia security team](https://www.acquia.com/how-report-security-issue).
support.newrelic.com URL critical
Our support landing page provides resources for those looking for help with our products. It also integrates with our ticketing system and links to other areas of interest. Note that our support ticket system at https://newrelic.zendesk.com is strictly out of scope.
synthethics.newrelic.com URL critical
[**New Relic Synthetics**](https://newrelic.com/synthetics) provides you with a suite of automated, scriptable tools to monitor your websites, critical business transactions, and API endpoints. The web application at [synthetics.newrelic.com](https://synthetics.newrelic.com) displays information from monitors (scripts) running on minions (virtual machines) in our data center or privately within your own infrastructure. We recommend familiarizing yourself with the product by [reading our documentation](https://docs.newrelic.com/docs/synthetics/new-relic-synthetics/getting-started/introduction-new-relic-synthetics).
.NET Core agent DOWNLOADABLE_EXECUTABLES critical
The [**New Relic** .NET Core agent](https://docs.newrelic.com/docs/agents/net-agent/getting-started/introduction-new-relic-net) can be [installed](https://docs.newrelic.com/docs/agents/net-agent/installation/install-enable-new-relic-net-agent) within a [supported .NET Core application](https://docs.newrelic.com/docs/agents/net-agent/getting-started/compatibility-requirements-net-agent). It is designed to collect data about the running application and send it back for display within [**New Relic** APM](https://docs.newrelic.com/docs/apm/new-relic-apm/getting-started/introduction-new-relic-apm). We may provide rewards for security issues found within the .NET Core agent that could reduce the security of the application the agent is integrated with. Rewards are based on the default configuration settings, but agents that show problems due to a configuration change may be eligible for a reward.
.NET agent DOWNLOADABLE_EXECUTABLES critical
The [**New Relic** .NET agent](https://docs.newrelic.com/docs/agents/net-agent/getting-started/introduction-new-relic-net) can be [installed](https://docs.newrelic.com/docs/agents/net-agent/installation/install-enable-new-relic-net-agent) within a [supported .NET Framework application](https://docs.newrelic.com/docs/agents/net-agent/getting-started/compatibility-requirements-net-agent). It is designed to collect data about the running application and send it back for display within [**New Relic** APM](https://docs.newrelic.com/docs/apm/new-relic-apm/getting-started/introduction-new-relic-apm). We may provide rewards for security issues found within the .NET Framework agent that could reduce the security of the application the agent is integrated with. Rewards are based on the default configuration settings, but agents that show problems due to a configuration change may be eligible for a reward.
Agent traffic OTHER critical
The [**New Relic** agents](https://docs.newrelic.com/docs/agents/manage-apm-agents/installation/compatibility-requirements-new-relic-agents) are designed to collect data and send it back for display within the [**New Relic** products](https://docs.newrelic.com/docs/licenses/new-relic-products). Traffic between the agents and **New Relic** backend services may be inspected and reports concerning issues with how the agent connects and transports information are acceptable.
Android agent DOWNLOADABLE_EXECUTABLES critical
The [**New Relic** Android agent](https://docs.newrelic.com/docs/mobile-monitoring/new-relic-mobile-android/get-started/introduction-new-relic-mobile-android) is [installed via Gradle](https://docs.newrelic.com/docs/mobile-monitoring/new-relic-mobile-android/install-configure/install-android-apps-gradle-android-studio) within a [supported Android application](https://docs.newrelic.com/docs/mobile-monitoring/new-relic-mobile-android/get-started/new-relic-android-compatibility-requirements). It is designed to collect data about the running application and send it back for display within [**New Relic Mobile**](https://docs.newrelic.com/docs/mobile-monitoring/new-relic-mobile/getting-started/introduction-new-relic-mobile). We may provide rewards for security issues found within the Android agent that could reduce the security of the application the agent is integrated with. Rewards are based on the default configuration settings, but agents that show problems due to a configuration change may be eligible for a reward.
Browser agent DOWNLOADABLE_EXECUTABLES critical
The [**New Relic** Browser agent](https://docs.newrelic.com/docs/browser/new-relic-browser/getting-started/introduction-new-relic-browser) is [deployed as a JavaScript snippet](https://docs.newrelic.com/docs/browser/new-relic-browser/installation/install-new-relic-browser-agent) by way of a [supported APM agent or web application](https://docs.newrelic.com/docs/browser/new-relic-browser/getting-started/compatibility-requirements-new-relic-browser). It is designed to collect data about the running application and send it back for display within [**New Relic** Browser](https://docs.newrelic.com/docs/browser/new-relic-browser/getting-started/introduction-new-relic-browser). We may provide rewards for security issues found within the Browser agent that could reduce the security of the browser the agent is running within. Rewards are based on the default configuration settings, but agents that show problems due to a configuration change may be eligible for a reward.
Go agent DOWNLOADABLE_EXECUTABLES critical
The [**New Relic** Go agent](https://docs.newrelic.com/docs/agents/go-agent/get-started/introduction-new-relic-go) is [installed](https://docs.newrelic.com/docs/agents/go-agent/installation/install-new-relic-go) within a [supported Go application](https://docs.newrelic.com/docs/agents/go-agent/get-started/go-agent-compatibility-requirements). It is designed to collect data about the running application and send it back for display within [**New Relic** APM](https://docs.newrelic.com/docs/apm/new-relic-apm/getting-started/introduction-new-relic-apm). We may provide rewards for security issues found within the Go agent that could reduce the security of the application the agent is integrated with. Rewards are based on the default configuration settings, but agents that show problems due to a configuration change may be eligible for a reward. Source code for this agent can be inspected [on GitHub](https://github.com/newrelic/go-agent).
Java agent DOWNLOADABLE_EXECUTABLES critical
The [**New Relic** Java agent](https://docs.newrelic.com/docs/agents/java-agent/installation/install-java-agent) can be [installed](https://docs.newrelic.com/docs/agents/java-agent/installation/install-java-agent) within a [supported Java application](https://docs.newrelic.com/docs/agents/java-agent/getting-started/compatibility-requirements-java-agent). It is designed to collect data about the running application and send it back for display within [**New Relic** APM](https://docs.newrelic.com/docs/apm/new-relic-apm/getting-started/introduction-new-relic-apm). We may provide rewards for security issues found within the Java agent that could reduce the security of the application the agent is integrated with. Rewards are based on the default configuration settings, but agents that show problems due to a configuration change may be eligible for a reward.
Node.js agent DOWNLOADABLE_EXECUTABLES critical
The [**New Relic** Node.js agent](https://docs.newrelic.com/docs/agents/nodejs-agent/getting-started/introduction-new-relic-nodejs) can be [installed via `npm`](https://docs.newrelic.com/docs/agents/nodejs-agent/installation-configuration/install-maintain-nodejs) within a [supported Node.js application](https://docs.newrelic.com/docs/agents/nodejs-agent/getting-started/new-relic-nodejs#requirements). It is designed to collect data about the running application and send it back for display within [**New Relic** APM](https://docs.newrelic.com/docs/apm/new-relic-apm/getting-started/introduction-new-relic-apm). We may provide rewards for security issues found within the Node.js agent that could reduce the security of the application the agent is integrated with. Rewards are based on the default configuration settings, but agents that show problems due to a configuration change may be eligible for a reward. Source code for this agent can be inspected [on GitHub](https://github.com/newrelic/node-newrelic).
PHP agent DOWNLOADABLE_EXECUTABLES critical
The [**New Relic** PHP agent](https://docs.newrelic.com/docs/agents/php-agent/getting-started/introduction-new-relic-php) can be [installed](https://docs.newrelic.com/docs/agents/php-agent/installation/php-agent-installation-overview) within a [supported PHP application](https://docs.newrelic.com/docs/agents/php-agent/getting-started/php-agent-compatibility-requirements). It is designed to collect data about the running application and send it back for display within [**New Relic** APM](https://docs.newrelic.com/docs/apm/new-relic-apm/getting-started/introduction-new-relic-apm). We may provide rewards for security issues found within the PHP agent that could reduce the security of the application the agent is integrated with. Rewards are based on the default configuration settings, but agents that show problems due to a configuration change may be eligible for a reward.
Python agent DOWNLOADABLE_EXECUTABLES critical
The [**New Relic** Python agent](https://docs.newrelic.com/docs/agents/python-agent/getting-started/introduction-new-relic-python) can be [installed with Pip](https://docs.newrelic.com/docs/agents/python-agent/installation/standard-python-agent-install) within a [supported Python application](https://docs.newrelic.com/docs/agents/python-agent/getting-started/instrumented-python-packages). It is designed to collect data about the running application and send it back for display within [**New Relic** APM](https://docs.newrelic.com/docs/apm/new-relic-apm/getting-started/introduction-new-relic-apm). We may provide rewards for security issues found within the Python agent that could reduce the security of the application the agent is integrated with. Rewards are based on the default configuration settings, but agents that show problems due to a configuration change may be eligible for a reward.
Ruby agent DOWNLOADABLE_EXECUTABLES critical
The [**New Relic** Ruby agent](https://docs.newrelic.com/docs/agents/ruby-agent/getting-started/introduction-new-relic-ruby) is [installed as a Ruby gem](https://docs.newrelic.com/docs/agents/ruby-agent/installation-configuration/ruby-agent-installation) within a [supported Ruby application](https://docs.newrelic.com/docs/agents/ruby-agent/getting-started/ruby-agent-requirements-supported-frameworks). It is designed to collect data about the running application and send it back for display within [**New Relic** APM](https://docs.newrelic.com/docs/apm/new-relic-apm/getting-started/introduction-new-relic-apm). We may provide rewards for security issues found within the Ruby agent that could reduce the security of the application the agent is integrated with. Rewards are based on the default configuration settings, but agents that show problems due to a configuration change may be eligible for a reward. Source code for this agent can be inspected [on GitHub](https://github.com/newrelic/rpm).
Unity agent DOWNLOADABLE_EXECUTABLES critical
The [**New Relic** Unity agent](https://docs.newrelic.com/docs/mobile-monitoring/new-relic-mobile-unity/get-started/introduction-new-relic-unity) is [installed](https://docs.newrelic.com/docs/mobile-monitoring/new-relic-mobile-unity/install-configure/unity-plugin-installation-configuration) within a Unity application on iOS or Android. It is designed to collect data about the running application and send it back for display within [**New Relic Mobile**](https://docs.newrelic.com/docs/mobile-monitoring/new-relic-mobile/getting-started/introduction-new-relic-mobile). We may provide rewards for security issues found within the Unity agent that could reduce the security of the application the agent is integrated with. Rewards are based on the default configuration settings, but agents that show problems due to a configuration change may be eligible for a reward.
iOS agent DOWNLOADABLE_EXECUTABLES critical
The [**New Relic** iOS agent](https://docs.newrelic.com/docs/mobile-monitoring/new-relic-mobile-ios/get-started/introduction-new-relic-mobile-ios) is [installed as a framework](https://docs.newrelic.com/docs/mobile-monitoring/new-relic-mobile-ios/installation/ios-manual-installation) or [via CocoaPods](https://docs.newrelic.com/docs/mobile-monitoring-installation/cocoapods-installation-and-configuration) within a [supported iOS application](https://docs.newrelic.com/docs/mobile-monitoring/new-relic-mobile-ios/get-started/new-relic-ios-compatibility-requirements). It is designed to collect data about the running application and send it back for display within [**New Relic Mobile**](https://docs.newrelic.com/docs/mobile-monitoring/new-relic-mobile/getting-started/introduction-new-relic-mobile). We may provide rewards for security issues found within the iOS agent that could reduce the security of the application the agent is integrated with. Rewards are based on the default configuration settings, but agents that show problems due to a configuration change may be eligible for a reward.
synthetics.newrelic.com URL critical
[**New Relic Synthetics**](https://newrelic.com/synthetics) provides you with a suite of automated, scriptable tools to monitor your websites, critical business transactions, and API endpoints. The web application at [synthetics.newrelic.com](https://synthetics.newrelic.com) displays information from monitors (scripts) running on minions (virtual machines) in our data center or privately within your own infrastructure. We recommend familiarizing yourself with the product by [reading our documentation](https://docs.newrelic.com/docs/synthetics/new-relic-synthetics/getting-started/introduction-new-relic-synthetics).
*.eu.newrelic.com URL critical
All **New Relic** assets in the European region are in scope for our coordinated disclosure program, except where otherwise noted. Submissions for assets that are not in scope for a paid bounty are eligible for HackerOne reputation. Services hosted by third party providers are out of scope and should not be tested against.
alerts.eu.newrelic.com URL critical
infrastructure.eu.newrelic.com URL critical
insights.eu.newrelic.com URL critical
rpm.eu.newrelic.com/accounts/*/mobile URL critical
rpm.newrelic.com/accounts/*/mobile URL critical
[**New Relic Mobile**](https://docs.newrelic.com/docs/mobile-monitoring/new-relic-mobile/getting-started/introduction-new-relic-mobile) allows you to monitor and manage the performance of your [iOS](https://docs.newrelic.com/docs/mobile-monitoring/new-relic-mobile-ios/get-started/new-relic-ios-compatibility-requirements) and [Android](https://docs.newrelic.com/docs/mobile-monitoring/new-relic-mobile-android/get-started/new-relic-android-compatibility-requirements) applications by providing end-to-end details, errors, and throughput from every angle in real time. Data shown in [**New Relic Mobile**](https://docs.newrelic.com/docs/mobile-monitoring/new-relic-mobile/getting-started/introduction-new-relic-mobile) is generated by agents integrated with iOS and Android applications.
synthetics.eu.newrelic.com URL critical
login.newrelic.com URL high high high critical
rpm.eu.newrelic.com/accounts/*/browser URL high high high critical
rpm.newrelic.com/accounts/*/browser URL high high high critical
[**New Relic Browser**](https://docs.newrelic.com/docs/browser/new-relic-browser/getting-started/introduction-new-relic-browser) provides deep visibility and insight into how your users are interacting with your application or website. New Relic Browser measures page load timing, also known as real user monitoring (RUM), but it goes far beyond that to measure:

* Individual session performance
* AJAX requests
* [SPA-architecture route changes](https://docs.newrelic.com/docs/browser/single-page-app-monitoring/get-started/introduction-single-page-app-monitoring)
* JavaScript errors

With this added functionality, New Relic extends real user monitoring to include the entire life cycle of a page or a view.
developer.newrelic.com URL critical
rpm.newrelic.com URL high high high critical
New Relic's software analytics product for [application performance monitoring (APM)](https://docs.newrelic.com/docs/apm/new-relic-apm/getting-started/introduction-new-relic-apm) delivers real-time and trending data about your web application's performance and the level of satisfaction that your end users experience. With end-to-end transaction tracing and a variety of color-coded charts and reports, APM visualizes your data, down to the deepest code levels.
one.newrelic.com URL high high high critical
[New Relic One](https://one.newrelic.com) is the industry’s first entity-centric observability platform. This platform allows our customers to view across accounts and products, and will be the home of our future innovations.

target_out_of_scope

asset_identifier asset_type availability requirement confidentiality requirement eligible for bounty eligible for submission integrity requirement max_severity
ir.newrelic.com URL none
Our investor relations portal is hosted externally by Q4 Inc. and should not be targeted for any security testing. Any security issues found should be reported [directly to Q4 Inc.](https://www.q4inc.com/contact/default.aspx)
newrelic.zendesk.com URL none
Our support ticket system is hosted externally by @zendesk and **must not** be tested against. All care should be taken to prevent accidental creation of new support tickets. Testing against our @zendesk instance and social engineering of our support team is strictly out of scope.
status.newrelic.com URL none
Our status page is hosted externally by Atlassian Statuspage and should not be targeted for any security testing. Any security issues found should be reported to the [StatusPage.io coordinated disclosure program](https://bugcrowd.com/statuspage).
try.newrelic.com URL none
This domain is related to a service hosted externally by Marketo and should not be targeted for any security testing. Any security issues found should be reported to the [Marketo security team](https://documents.marketo.com/legal/notices/responsible-disclosure-policy.pdf).