Automattic

target_in_scope

asset_identifier asset_type availability requirement confidentiality requirement eligible for bounty eligible for submission integrity requirement max_severity
*.srvcs.tumblr.com URL high high high critical
*.tumblr.com URL high high high critical
**The Blog Network**

*Note: Blogs are cached for 1 minute after first request (60s from first request); content is re-loaded into cache when a new request is submitted after the 61st second.*

How to identify you are looking at the Blog Network:

* Header: `X-tumblr-user` can be used to identify if the domain is a blog on the Blog Network
* View the domain in a browser, there will be a Tumblr banner visible.

Exclusions for this asset:

* JavaScript is allowed; XSS is excluded from eligibility.
* Pages can be framed; Clickjacking or other X-Frame-Options attacks are excluded from eligibility.
*.txmblr.com URL high high high critical
api.tumblr.com URL high high high critical
assets.tumblr.com URL high high high critical
com.tumblr GOOGLE_PLAY_APP_ID low medium low high
- Minimum OS version: API 21

Exclusions:

- API keys in code
- Certificate pinning
com.tumblr.tumblr APPLE_STORE_APP_ID low medium low high
- Minimum OS version: iOS 11

Exclusions:

- API keys in code
- Certificate pinning
embed.tumblr.com URL high high high critical
safe.tumblr.com URL high high high critical
secure.tumblr.com URL high high high critical
t.umblr.com URL high high high critical
www.tumblr.com URL high high high critical

target_out_of_scope

asset_identifier asset_type availability requirement confidentiality requirement eligible for bounty eligible for submission integrity requirement max_severity
scrollkit.com,*.scrollkit.com URL none
learnboost.com,*.learnboost.com URL none
*/xmlrpc.php OTHER none
The sole presence of `xmlrpc.php` in `wordpress.com` and all the domains hosted under our platform doesn't constitute a vulnerability. If you report an issue related to this file, please make sure to provide a working proof of concept that clearly shows the impact.
afterthedeadline.com,*.afterthedeadline.com URL none
polishmywriting.com,*.polishmywriting.com URL none