Alliance of American Football

target_in_scope

Columns: asset identifier, asset type, availability requirement, confidentiality requirement, eligible for bounty, eligible for submission, integrity requirement, max severity. The two eligibility columns carry no values in this listing, so each entry below shows the requirement levels and max severity only.

*.aaf.cloud (URL; availability: high, confidentiality: high, integrity: high, max severity: critical)
This domain is used internally for intranet services. Virtually nothing should be accessible to the public. For example, if you can gain any level of access to github.aaf.cloud due to a misconfiguration or via SSRF, that would be eligible for a bounty.

*.aaf.com (URL; availability: high, confidentiality: high, integrity: high, max severity: critical)
All AAF properties are considered in scope.

*.aafusercontent.com (URL; availability: high, confidentiality: high, integrity: high, max severity: critical)
The aafusercontent.com domain is used to host static content uploaded by users of our services. For example, users of personnel.hackerone.aaf.com can upload images that are hosted by this domain. At the moment, this domain should only serve images. If you're able to upload files that execute JavaScript or get served in other unintended ways, that would be eligible for bounty. Known issue: admins are able to upload SVGs, which may contain JavaScript. Execution should, however, be blocked via the content security policy. (If you're able to upload SVGs as a non-admin or bypass the CSP in a modern browser, it might be in scope.)

*.hackerone.aaf.com (URL; availability: high, confidentiality: high, integrity: high, max severity: critical)
Assets deployed under the hackerone.aaf.com subdomain exist so you can explore areas of our services that you wouldn't otherwise have access to and make a mess of things without holding back. The services here are wiped clean and reset nightly at about 4 AM Pacific time. If you're testing around this time, don't be alarmed when everything disappears for a few moments.

aaf.com (URL; availability: high, confidentiality: high, integrity: high, max severity: critical)
This is our home page. It's a static site, hosted on S3 and CloudFront, that leverages our API. Please make sure your testing is not disruptive and has no publicly visible effect.

api.platform.aaf.com (URL; availability: medium, confidentiality: medium, integrity: medium, max severity: critical)
This is the API that drives our platform. It's primarily a GraphQL API and hosts a GraphiQL front-end, so you have full documentation for the portions that we're using on the open Internet. The API should not reveal anything "unique" to the AAF. The APIs that are exposed should only consist of personnel management APIs. If you find information disclosures regarding future product features, it may be eligible for a bounty.

api.platform.hackerone.aaf.com (URL; availability: high, confidentiality: high, integrity: high, max severity: critical)
This is the API that drives our platform. It's primarily a GraphQL API and hosts a GraphiQL front-end, so you have full documentation for the portions that we're using on the open Internet. The following users exist for you:
* "admin@example.com" should be able to do virtually anything.
* "personnelwriter@example.com" should be able to read and write most information related to players, schools, and agents.
* "personnelreader@example.com" should be able to read, but not write, most information.
* Anonymous users, "jsullivan@example.com", "mwazowski@example.com", and "gsanderson@example.com" should be able to read most information, but not agents or personnel notes.
The password for all users is "password". We recommend that you create and sign into your own users for testing. Please don't lock your fellow hackers out of the admin account. If you are found to have violated this policy you will be removed from the program. The data hosted here is completely reset nightly at about 4 AM Pacific time.

hackerone.aaf.com (URL; max severity: critical)
This is a WordPress site with a configuration similar to that of shop.aaf.com. Tickets can be bought using any of the [Stripe test card numbers](https://stripe.com/docs/testing#cards). Purchases made through this site use WooCommerce, which is also in scope for [Automattic's bounty program](https://hackerone.com/automattic) (so you may be able to claim two rewards for in-scope issues). Issues that affect this site but not shop.aaf.com due to differences in configuration might not be eligible for bounty. Excessive requests made by automated scanners will simply get you banned and make you ineligible for bounties.

images.hackerone.aafusercontent.com (URL; availability: high, confidentiality: high, integrity: high, max severity: critical)
This is a simple image proxy for files hosted under the hackerone.aafusercontent.com domain. It serves two purposes: resizing images on demand and rasterizing SVGs. Images are proxied by appending the origin domain and resource to the image proxy host and adding the optional "rasterize", "fit", and "fill" query parameters, for example:
https://images.hackerone.aafusercontent.com/files.platform.hackerone.aafusercontent.com/nTM4DPLOqpXXA7Ggj1dhpBo2n1I?rasterize&fit=100x100
If the proxy can be used with images outside of the hackerone.aafusercontent.com domain or can be used in other unintended ways, it may be eligible for bounty.

personnel.hackerone.aaf.com (URL; availability: high, confidentiality: high, integrity: high, max severity: critical)
This is the web app that we use for player / agent / school data entry. It is not a consumer-facing app and is used only by trained staff. That means that unprivileged users will get a client-side authorization error (e.g. logging in as "jsullivan" will give you an error message). It also means some aspects, such as client-side error handling, aren't as fool-proof as they could be (errors are usually just logged to the console). See the API asset details for more information, including credentials that can be used to sign in.

shop.aaf.com (URL; max severity: critical)
This is our shop. It's a WordPress site. Please make sure your testing is not disruptive and has no publicly visible effect. Purchases made through this site use WooCommerce, which is also in scope for [Automattic's bounty program](https://hackerone.com/automattic) (so you may be able to claim two rewards for in-scope issues). Excessive requests made by automated scanners will simply get you banned and make you ineligible for bounties.

www.combine.aaf.com (URL; availability: high, confidentiality: high, integrity: high, max severity: critical)
This is the registration site for our scouting combine. It is currently hosted by Wix. Please make sure your testing is not disruptive and has no publicly visible effect.

target_out_of_scope

(No assets are listed as out of scope.)