Goldman Sachs VDP

target_in_scope

asset_identifier asset_type availability requirement confidentiality requirement eligible for bounty eligible for submission integrity requirement max_severity
*.goldman.com URL critical
*.goldmansachs.com URL medium medium medium critical
This is Goldman Sachs' main website
*.gs.com URL critical
*.honestdollar.com URL critical
*.marcus.co.uk URL critical
*.marcus.com URL critical
research.gs.com URL critical
ONLY research.gs.com is currently eligible for bounty. All other *.gs.com subdomains are in-scope, but ineligible for bounty at this time.
*.gsam.com URL critical
*.claritymoney.com URL high high high critical
*.gsselect.com URL high high high critical
*.global-liquidity.gs.com URL high high high critical
*.gs-mosaic.gs.com URL high high high critical
*.gs-mosaic.qa.gs.com URL high high high critical
*.qaglobal-liquidity.gs.com URL high high high critical
developer.gs.com URL critical
goldmansachsindices.com URL critical
marquee.gs.com URL critical
*.ayco.com URL high high high critical
www.rocaton.com URL critical
Excludes: *.rocaton.com secure.rocaton.com
*.gspublishing.com URL critical

target_out_of_scope

asset_identifier asset_type availability requirement confidentiality requirement eligible for bounty eligible for submission integrity requirement max_severity
*.subscriptions.gs.com URL none
gset.gs.com URL none
gsg.goldman.com URL none
gspf.goldman.com URL none
gsg-uk.goldman.com URL none
Do not pentest
*.rocaton.com,secure.rocaton.com URL none
www.racaton.com is in scope, but other subdomains are not.