Scope & Rules of Engagement

In-scope — web / API

Asset	Notes
`corezoid.com`	Marketing / landing
`corezoid.com/api`	Primary API
`superadmin.corezoid.com`	Operator/superadmin panel
`admin.corezoid.com`	Tenant admin UI (HAR file provided)
`account.corezoid.com`	Auth / SSO / account management
`jira.corezoid.com`	Atlassian Jira instance
`openapi.corezoid.com`	OpenAPI specification host
`*.corezoid.com`	All discovered subdomains (enumerated in `recon/subdomains.md`)
`simulator.company`	Simulator product root
`doc.simulator.company`	Documentation site
`mw.simulator.company`	Simulator middleware (HAR file provided)
`sim.simulator.company`	Simulator UI / app
`vpn.corezoid.com`	VPN endpoint — fingerprint-only, no auth brute

In-scope — source code

All repositories under github.com/corezoid/ are in scope for cloning, reading, SAST, and secret scanning. Explicitly named:

apigw — API gateway
helm — Helm charts
dbcall — DB connector
corezoid_ansible_roles — Ansible roles
account — Account service
gitcall — Git connector
terraform — Infrastructure-as-code
observability — Monitoring stack
gitcall-livekit-agent — LiveKit integration
corezoid-ai-doc — AI documentation (reference material)
Any other public repo discovered under the org.

Out of scope

Third-party SaaS and partner systems (Atlassian Cloud, AWS console, GitHub.com itself, CI providers, etc.)
Customer data belonging to Corezoid tenants — do not attempt to pivot into customer workflows
Payment processors and any PCI-scoped systems
Physical and social-engineering attacks
DoS / resource-exhaustion / fork-bomb payloads
Any asset not explicitly listed here or discovered under *.corezoid.com / *.simulator.company during recon

Testing rules (hard limits)

Non-destructive only. No DROP, no DELETE *, no cache flushes, no mass account creation. Proof-of-concept for writes must use a single tester-controlled record and be cleaned up.
No production data exfiltration. If a vulnerability exposes customer PII, capture the proof (one row, redacted), not the dataset.
Rate limits — CONSERVATIVE mode (CTO directive 2026-04-26). Max 10 req/s per host across all tools. Nuclei: default tags only, no -severity critical -t intrusive, no -tags dos,brute,fuzz. Slow down aggressively if WAF/RL fires.
Auth brute-forcing limited. No password spray. Check weak default credentials (admin:admin, etc.) only against test/staging endpoints that are clearly marked.
PoC depth. For RCE, SSRF, SQLi — prove it with a low-impact canary (read /etc/hostname, resolve a DNS callback, SELECT @@version), not full exploitation.
Log everything. Every request that resulted in a finding lands in evidence/CRZ-NNN-*.
Stop if in doubt. Any ambiguous blast-radius decision → pause and ask the CTO.
Phase-gated execution (CTO directive 2026-04-26). Each of the 9 phases completes with a summary, then pause for CTO confirmation before starting the next phase. Do not run phases back-to-back autonomously.

Authentication material (authorized)

Provided by the CTO at engagement start:

admin.corezoid.com.har + admin.corezoid.com_cookies.txt — admin UI session
mw.simulator.company.har + mw.simulator.company_cookies.txt — simulator MW session

These are live authenticated sessions. Using them to test authenticated endpoints is authorized. Do not share, publish, or commit these files to any remote repository.

Reporting classification

Severity follows CVSS 3.1-ish informal bands:

Critical (9.0+): RCE, auth bypass to admin, mass data exposure, secret leakage with live credentials
High (7.0–8.9): Privilege escalation, stored XSS in admin, SSRF to internal metadata, IDOR exposing other tenants
Medium (4.0–6.9): Reflected XSS, CSRF on sensitive actions, weak TLS, missing security headers on sensitive endpoints
Low (<4.0): Information disclosure (versions, stack traces), minor misconfig, missing headers on low-value pages
Info: Hardening recommendations, observations