44CON Hack for Charity

Targets in scope

The columns are the asset identifier, the asset type, the program's availability, confidentiality and integrity requirements for that asset, and the maximum severity the program will accept for it. The source listing also names "eligible for bounty" and "eligible for submission" columns, but gives no values for them.

| Asset | Type | Availability | Confidentiality | Integrity | Max severity |
| --- | --- | --- | --- | --- | --- |
| `*.upserve.com` | URL | medium | medium | medium | critical |
| `api.breadcrumb.com` | URL | medium | medium | medium | critical |
| `app.upserve.com` | URL | medium | medium | medium | critical |
| `auditmyprocessor.com` | URL | none | none | low | low |
| `cards.swipely.com` | URL | medium | medium | medium | critical |
| `com.breadcrumb.live` | URL | medium | medium | medium | critical |
| `com.groupon.breadcrumbpro.production` | APPLE_STORE_APP_ID | medium | medium | medium | critical |
| `com.upserve.live` | GOOGLE_PLAY_APP_ID | medium | medium | medium | critical |
| `d2evh2mef3r450.cloudfront.net` | URL | medium | medium | medium | critical |
| `ecs-lb.breadcrumb.com` | URL | medium | medium | medium | critical |
| `hq.breadcrumb.com` | URL | medium | medium | medium | critical |
| `https://645892349820.vulnerbug.com` | URL | low | none | low | medium |
| `mossy.breadcrumb.com` | URL | medium | medium | medium | critical |
| `orders.upserve.com` | URL | medium | medium | medium | critical |
| `payments.breadcrumb.com` | URL | medium | medium | medium | critical |
| `payments.upserve.com` | URL | medium | medium | medium | critical |
| `pos.swipely.com` | URL | medium | medium | medium | critical |
| `reports.breadcrumb.com` | URL | medium | medium | medium | critical |
| `swipely-merchant-assets.s3.amazonaws.com` | URL | medium | medium | medium | critical |
| `teamhelp.upserve.com` | URL | low | low | low | medium |
| `theacademy.upserve.com` | URL | none | none | low | low |

Asset notes:

**`*.upserve.com`**: Any asset that is not explicitly listed as out of scope or in scope will be considered on a case-by-case basis. We may elect to accept reports but not pay bounties depending on the impact of the asset and the vulnerability. Hosts under upserve.com that appear in the out-of-scope list below (for example www.upserve.com and careers.upserve.com) are excluded from this wildcard.

**`auditmyprocessor.com`**: This is a low security impact site without sensitive data or critical functions. Generally the only reports which will be bounty eligible will be vulnerabilities which can be leveraged to attack other systems or users. We may elect to **accept reports but not pay bounties based on impact**. For example:

* Blind, stored, or reflected XSS
* Content modification / defacement
* Remote code execution
* Local file inclusion
* SSRF

Reports we're not interested in for this asset:

* Best practices for SSL, headers, etc., unless they facilitate an impactful attack (see above)
* User enumeration (administrators or otherwise)
* Mail server configuration issues
* xmlrpc exposure
* Self XSS

**`com.breadcrumb.live`**: This app is for merchants. Feel free to test against this, but we are not creating merchant test accounts at this time.

**`https://645892349820.vulnerbug.com`**: This is the test version of our marketing and community website. It is running on WordPress on third-party infrastructure. This is a medium security impact site without sensitive data or critical functions. Generally the only reports which will be bounty eligible will be vulnerabilities which can be leveraged to attack other systems or users. We may elect to **accept reports but not pay bounties based on impact**. The examples of bounty-eligible issues and the list of reports we're not interested in are the same as for auditmyprocessor.com above.

**`teamhelp.upserve.com`**: This is our internal employee information/help desk site. It is running on WordPress on third-party infrastructure. There is non-public information on this site. Our primary concern here is access to non-public information, defacement, or vulnerabilities which can be leveraged to attack other systems or users. We may elect to **accept reports but not pay bounties based on impact**. Reward amounts for this property will typically be lower than for our customer-facing applications.

**`theacademy.upserve.com`**: This is a low security impact site without sensitive data or critical functions. Generally the only reports which will be bounty eligible will be vulnerabilities which can be leveraged to attack other systems or users. We may elect to **accept reports but not pay bounties based on impact**. The examples of bounty-eligible issues and the list of reports we're not interested in are the same as for auditmyprocessor.com above.

Targets out of scope

For out-of-scope assets the listing gives only the asset identifier, the asset type and a maximum severity of none; the availability, confidentiality, integrity and eligibility columns carry no values.

| Asset | Type | Max severity |
| --- | --- | --- |
| Any 3rd-party services linked to or used by Upserve | OTHER | none |
| Any Upserve hardware | HARDWARE | none |
| `careers.upserve.com` | URL | none |
| `click.upserve.com` | URL | none |
| `ecslb.upserve.com` | URL | none |
| `engagement.swipely.com` | URL | none |
| `feeds.upserve.com` | URL | none |
| `get.upserve.com` | URL | none |
| `go.breadcrumb.com` | URL | none |
| `go.swipely.com` | URL | none |
| `go.upserve.com` | URL | none |
| `help.upserve.com` | URL | none |
| `join.upserve.com` | URL | none |
| `resources.swipely.com` | URL | none |
| `resources.upserve.com` | URL | none |
| `status.breadcrumb.com` | URL | none |
| `store.upserve.com` | URL | none |
| `support.upserve.com` | URL | none |
| `swipelycommunity.force.com` | URL | none |
| `upserve.auth0.com` | URL | none |
| `www.upserve.com` | URL | none |

Asset notes:

**`go.breadcrumb.com`, `go.swipely.com`, `go.upserve.com`**: These domains are related to a service hosted externally by Marketo. Any security issues found should be reported to the [Marketo security team](https://hackerone.com/marketo).

**`join.upserve.com`**: This domain is related to a service hosted externally by Unbounce. Any security issues found should be reported to the [Unbounce security team](https://unbounce.com/security/).

**`store.upserve.com`**: Our store is hosted by Shopify. Any security issues should be reported to the [Shopify security team](https://hackerone.com/shopify).

**`upserve.auth0.com`**: This service is operated by Auth0. Any security issues should be reported to the [Auth0 security team](https://hackerone.com/auth0).

**`www.upserve.com`**: This production site is **out of scope**. Direct all tests at the test version of the site, 645892349820.vulnerbug.com, which is listed in scope above.