Snapchat

target_in_scope

| asset_identifier | asset_type | availability requirement | confidentiality requirement | eligible for bounty | eligible for submission | integrity requirement | max_severity | description |
|---|---|---|---|---|---|---|---|---|
| Spectacles | HARDWARE | low | medium | | | low | high | [Core hardware] Specifically interested in Remote Code Execution on Spectacles (over the air). |
| accounts.snapchat.com | URL | high | high | | | high | critical | [Core asset] Snapchat's new (limited) account management website. |
| app.snapchat.com | URL | high | high | | | high | critical | [Core asset] Main server-side application hosted on Google App Engine under the hostnames feelinsonice-hrd.appspot.com and app.snapchat.com. |
| com.bitstrips.imoji | GOOGLE_PLAY_APP_ID | low | low | | | low | medium | [Non-core asset] [Google Play Store](https://play.google.com/store/apps/details?id=com.bitstrips.imoji) |
| com.bitstrips.imoji | APPLE_STORE_APP_ID | low | low | | | low | medium | [Non-core asset] [iOS App Store](https://itunes.apple.com/us/app/bitmoji-keyboard-your-avatar/id868077558) |
| com.snapchat.android | GOOGLE_PLAY_APP_ID | low | medium | | | low | high | [Core asset] [Google Play Store](https://play.google.com/store/apps/details?id=com.snapchat.android) |
| com.toyopagroup.picaboo | APPLE_STORE_APP_ID | low | medium | | | low | high | [Core asset] [iOS App Store](https://itunes.apple.com/us/app/snapchat/id447188370?mt=8) |
| geofilters.snapchat.com | URL | low | medium | | | low | high | [Core asset] Snapchat's on-demand Geofilters purchase website. |
| kit.snapchat.com | URL | low | medium | | | low | high | [Core asset] SNAPKIT web application and SDKs. |
| scan.snapchat.com | URL | none | low | | | none | low | [Core asset] Snapcode creation website. |
| snappublisher.snapchat.com | URL | low | medium | | | low | high | [Core asset] Snapchat's publisher tool. |
| spectacles.com | URL | none | low | | | none | low | [Core asset] Snapchat's Spectacles purchase website. |
| www.bitmoji.com | URL | low | low | | | low | medium | [Non-core asset] |
| www.bitstrips.com | URL | low | low | | | low | medium | [Non-core asset] |
| www.scan.me | URL | none | low | | | none | low | [Non-core asset] |

target_out_of_scope

| asset_identifier | asset_type | availability requirement | confidentiality requirement | eligible for bounty | eligible for submission | integrity requirement | max_severity | description |
|---|---|---|---|---|---|---|---|---|
| Spectacles charging case | HARDWARE | | | | | | none | |
| returns.spectacles.com | URL | | | | | | none | The returns.spectacles.com application is owned and managed by Netsuite. Please consider reporting vulnerabilities directly to them. |
| support.snapchat.com | URL | | | | | | none | Static support website. |