Hackerone targets all

Filter: target_in_scope

project | asset_identifier | asset_type | availability requirement | confidentiality requirement | eligible for bounty | eligible for submission | integrity requirement | max_severity
view *.vpn.hackerone.net URL high high high critical
The HackerOne hacker VPN is used by hackers and HackerOne personnel. We'd be most interested in vulnerabilities that allow routing traffic to other clients (lack of client isolation), routing traffic to internal HackerOne / Amazon networks, or bypassing [sslsplit](https://github.com/droe/sslsplit). Traffic routed through the VPN will originate from `66.232.20.0/23` (a HackerOne net block). The VPN is based on OpenVPN.
view 66.232.20.0/23 CIDR high high high critical
This net block is the origin of all traffic routed through the HackerOne hacker VPN. See the description for *.vpn.hackerone.net for the stack and vulnerabilities we're interested in.
view https://*.hackerone-ext-content.com URL low none low medium
This domain is used to serve static marketing assets. No confidential information is stored on these systems. However, it is important to us that these assets cannot be updated by an unauthorized third-party.
view https://*.hackerone-user-content.com/ URL none none low low
This is an Amazon S3 bucket that contains profile and cover photos of users and programs. It does not contain any highly confidential information, and the main application would not be impacted if it were unreachable. A signed request is required to download an object.
view https://api.hackerone.com URL high high high critical
This is our public API that customers use to read and interact with reports. To look for vulnerabilities in this asset, create a sandboxed program, select HackerOne Professional or HackerOne Enterprise in the Product Edition settings page, and create an API token. This system’s backend is written in Ruby, converts the request to a GraphQL query, and serializes the GraphQL result to JSON.
view https://ctf.hacker101.com URL none low none low
The Hacker101 CTF domain, ctf.hacker101.com, is not connected to HackerOne's production environment. It is hosted on Google Compute Cloud. It stores emails, usernames, and passwords (hashed using `bcrypt`). The maximum bounty for any vulnerability on this asset is $500 right now. We will pay an additional $1,000 to anyone who finds a way to abuse any of the CTF servers to mine cryptocurrency or do any kind of spamming. All outbound connections on the CTF servers **should** be blocked. If you find a way around this, we'd love to hear about it.
view https://errors.hackerone.net URL low medium low high
A separate domain that we use to capture information about client- and server-side exceptions.
view https://hackerone-us-west-2-production-attachments.s3-us-west-2.amazonaws.com/ URL low high high critical
This is an Amazon S3 bucket that contains attachments of reports and activities. These attachments may contain confidential information. A signed request is required to download an object.
view https://hackerone.com URL high high high critical
This is our main application that hackers and customers use to interact with each other. It connects with a database that contains information about vulnerability reports, users, and programs. This system’s backend is written in Ruby and exposes data to the client through GraphQL, rendered pages, and JSON endpoints.
view https://www.hackerone.com URL low medium low high
This is our marketing website. It does not contain any report, hacker, or customer information. Gaining access to this system does not give you access to any highly confidential information. The website runs Drupal with a few customizations.
view 7News OTHER critical
* [7News iOS](https://itunes.apple.com/au/app/7news/id439828000?mt=8)
* [7News Android](https://play.google.com/store/apps/details?id=com.seven.news&hl=en_US)
view Flurry OTHER critical
* [Flurry Android](https://play.google.com/store/apps/details?id=com.yahoo.flurry)
* [Flurry iOS](https://itunes.apple.com/us/app/flurry-analytics/id1079687315?mt=8)
* Flurry (web)
view Newsroom OTHER critical
* [Newsroom Android](https://play.google.com/store/apps/details?id=com.yahoo.mobile.client.android.yahoo)
* [Newsroom iOS](https://itunes.apple.com/us/app/newsroom-news-that-gets-you-talking/id304158842?mt=8)
* Newsroom (web)
view Rivals OTHER critical
* [Rivals Android](https://play.google.com/store/apps/details?id=com.yahoo.rivals.android)
* [Rivals iOS](https://itunes.apple.com/us/app/rivals-com-no-1-college-sports-recruiting-news/id1069511855?mt=8)
* Rivals (web)
view Yahoo Cricket OTHER critical
* [Yahoo Cricket Android](https://play.google.com/store/apps/details?id=com.si.yahoocricket)
* [Yahoo Cricket iOS](https://itunes.apple.com/in/app/yahoo-cricket/id1276184907?mt=8)
* Yahoo Cricket (web)
view Yahoo Fantasy Sports OTHER critical
* [Yahoo Fantasy Sports Android](https://play.google.com/store/apps/details?id=com.yahoo.mobile.client.android.fantasyfootball)
* [Yahoo Fantasy Sports iOS](https://itunes.apple.com/us/app/yahoo-fantasy-sports/id328415391?mt=8)
* [Yahoo Fantasy Sports (web)](https://sports.yahoo.com/fantasy/)
view Yahoo Finance OTHER critical
* [Yahoo Finance Android](https://play.google.com/store/apps/details?id=com.yahoo.mobile.client.android.finance)
* [Yahoo Finance iOS](https://itunes.apple.com/us/app/yahoo-finance/id328412701?mt=8)
* [Yahoo Finance (web)](https://finance.yahoo.com)
view Yahoo HK Auctions OTHER critical
* [Yahoo HK Auctions Android](https://play.google.com/store/apps/details?id=com.yahoo.mobile.client.android.hkauctions)
* [Yahoo HK Auctions iOS](https://itunes.apple.com/hk/app/yahoo-pai-mai/id943334932?mt=8)
* [Yahoo HK Auctions (web)](https://hk.auctions.yahoo.com/)
view Yahoo HK News OTHER critical
* [Yahoo HK News Android](https://play.google.com/store/apps/details?id=com.yahoo.infohub)
* [Yahoo HK News iOS](https://itunes.apple.com/hk/app/yahoo%E6%96%B0%E8%81%9E-%E9%A6%99%E6%B8%AF%E5%8D%B3%E6%99%82%E7%84%A6%E9%BB%9E/id425655609?mt=8)
view Yahoo HK Shopping OTHER critical
* [Yahoo HK Shopping Android](https://play.google.com/store/apps/details?id=com.yahoo.hkdeals)
* [Yahoo HK Shopping iOS](https://itunes.apple.com/hk/app/yahoo-hk-shopping/id472140112?mt=8)
* [Yahoo HK Shopping (web)](https://hk.shop.yahoo.com/)
view Yahoo Live Web Insights OTHER critical
* [Yahoo Live Web Insights iOS](https://itunes.apple.com/us/app/yahoo-live-web-insights/id853260592?mt=8)
view Yahoo Mail OTHER critical
* [Yahoo Mail Android](https://play.google.com/store/apps/details?id=com.yahoo.mobile.client.android.mail)
* [Yahoo Mail AndroidGo](https://play.google.com/store/apps/details?id=com.yahoo.mobile.client.android.mail.lite)
* [Yahoo Mail FireOS](https://www.amazon.com/Yahoo-Mail-Keeps-you-organized/dp/B00632HWOG/)
* [Yahoo Mail iOS](https://itunes.apple.com/us/app/yahoo-mail-keeps-you-organized/id577586159?mt=8)
* [Yahoo Mail (web)](https://mail.yahoo.com/)
view Yahoo Search OTHER critical
* [Yahoo Search Android](https://play.google.com/store/apps/details?id=com.yahoo.mobile.client.android.search)
* [Yahoo Search iOS](https://itunes.apple.com/us/app/yahoo-search/id361071600?mt=8)
* [Yahoo Search (web)](https://search.yahoo.com/)
view Yahoo Sports OTHER critical
* [Yahoo Sports Android](https://play.google.com/store/apps/details?id=com.yahoo.mobile.client.android.sportacular)
* [Yahoo Sports iOS](https://itunes.apple.com/us/app/yahoo-sports-teams-scores-news-highlights/id286058814?mt=8)
* [Yahoo Sports tvOS](https://itunes.apple.com/us/app/yahoo-sports-teams-scores-news-highlights/id286058814?mt=8)
* Yahoo Sports (web)
view Yahoo TW Auction OTHER critical
* [Yahoo TW Auction Android](https://play.google.com/store/apps/details?id=com.yahoo.mobile.client.android.ecauction)
* [Yahoo TW Auction iOS](https://itunes.apple.com/tw/app/yahoo%E6%8B%8D%E8%B3%A3-%E5%88%8A%E7%99%BB%E5%85%8D%E8%B2%BB/id1033771352?mt=8)
* Yahoo TW Auction (web)
view Yahoo TW News OTHER critical
* [Yahoo TW News Android](https://play.google.com/store/apps/details?id=com.yahoo.mobile.client.android.newstw)
* [Yahoo TW News iOS](https://itunes.apple.com/tw/app/yahoo%E5%A5%87%E6%91%A9-%E7%9B%B4%E6%92%ADlive-%E5%8D%B3%E6%99%82%E6%96%B0%E8%81%9E/id864844562?mt=8)
* Yahoo TW News (web)
view Yahoo TW Shopping OTHER critical
* [Yahoo TW Shopping Android](https://play.google.com/store/apps/details?id=com.yahoo.mobile.client.android.ecshopping)
* [Yahoo TW Shopping iOS](https://itunes.apple.com/tw/app/yahoo%E5%A5%87%E6%91%A9%E8%B3%BC%E7%89%A9%E4%B8%AD%E5%BF%83/id1061577845?mt=8)
* Yahoo TW Shopping (web)
view Yahoo TW Stock OTHER critical
* [Yahoo TW Stock Android](https://play.google.com/store/apps/details?id=com.yahoo.mobile.client.android.TWStock)
* [Yahoo TW Stock iOS](https://itunes.apple.com/tw/app/yahoo%E5%A5%87%E6%91%A9%E8%82%A1%E5%B8%82/id790214428?mt=8)
view Yahoo TW Store OTHER critical
* [Yahoo TW Store Android](https://play.google.com/store/apps/details?id=com.yahoo.mobile.client.android.ecstore)
* [Yahoo TW Store iOS](https://itunes.apple.com/tw/app/yahoo%E5%A5%87%E6%91%A9%E8%B6%85%E7%B4%9A%E5%95%86%E5%9F%8E/id778296354?mt=8)
* Yahoo TW Store (web)
view Yahoo TW eSports OTHER critical
* [Yahoo TW eSports Android](https://play.google.com/store/apps/details?id=com.yahoo.mobile.client.android.twesports)
* [Yahoo TW eSports iOS](https://itunes.apple.com/tw/app/yahoo%E5%A5%87%E6%91%A9%E9%9B%BB%E7%AB%B6-live%E9%9B%BB%E7%AB%B6%E8%B3%BD%E4%BA%8B-%E6%96%B0%E8%81%9E/id1252211994?mt=8)
* Yahoo TW eSports (web)
view Yahoo Together OTHER critical
* [Yahoo Together (web)](https://together.yahoo.com/)
* [Yahoo Together (Android)](https://play.google.com/store/apps/details?id=com.yahoo.mobile.client.android.mischief)
* [Yahoo Together (iOS)](https://itunes.apple.com/us/app/yahoo-together-group-chat/id1378720748)
This app was previously known as Squirrel and Mischief Messenger. Anything related to those two names should also be reported under this asset.
view Yahoo Video OTHER critical
* [Yahoo Video FireTV](https://www.amazon.com/Yahoo-for-Fire-TV/dp/B014X5UGPQ/)
* [Yahoo Video tvOS](https://itunes.apple.com/us/app/yahoo-watch-free-live-concerts-sports-video-clips-and-more/id1046996690?mt=8)
view Yahoo Weather OTHER critical
* [Yahoo Weather Android](https://play.google.com/store/apps/details?id=com.yahoo.mobile.client.android.weather)
* [Yahoo Weather iOS](https://itunes.apple.com/us/app/yahoo-weather/id628677149?mt=8)
* Yahoo Weather (web)
view Yahoo! OTHER critical
Use this asset tag when a more specific brand/domain/property does not exist.
view https://github.com/rails/rails SOURCE_CODE critical
view *.buddypress.org,bbpress.org,profiles.wordpress.org URL medium medium medium critical
view *.trac.wordpress.org, *.svn.wordpress.org, *.git.wordpress.org, github.com/WordPress SOURCE_CODE low medium medium critical
All source code that isn't behind authentication is intended to be public. The source code itself has `Medium` CVSS impact scores. The applications that manage the code (Trac, Git, SVN, etc) have `Low` scores, except for vulnerabilities that allow modifications to the source code.
view *.wordcamp.org URL medium medium medium critical
view *.wordpress.net URL low low low medium
All WordPress.net domains, including (but not limited to) jobs.wordpress.net.
view *.wordpress.org URL medium medium medium critical
All wordpress.org domains that **are not listed in other assets**, including (but not limited to) the following:
* login.wordpress.org
* developer.wordpress.org
* make.wordpress.org
* translate.wordpress.org
* global.wordpress.org, {locale}.wordpress.org (e.g., de.wordpress.org, es-mx.wordpress.org)
* learn.wordpress.org
view BBPress Core SOURCE_CODE high high high critical
We generally **aren’t** interested in the following problems:
* [Users with administrator or editor privileges can post arbitrary JavaScript](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-some-users-allowed-to-post-unfiltered-html)
* [Disclosure of user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue)
* Open API endpoints serving public data (including [usernames and user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue))
* [Path disclosures for errors, warnings, or notices](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-there-path-disclosures-when-directly-loading-certain-files)
* WordPress version number disclosure
* Any vulnerability with a CVSS 3 score lower than 4.0, unless it can be combined with other vulnerabilities to achieve a higher score.
* Output from automated scans - please manually verify issues and include a valid proof of concept.
If you think you found an exception, please let us know.
view BuddyPress Core SOURCE_CODE high high high critical
We generally **aren’t** interested in the following problems:
* [Users with administrator or editor privileges can post arbitrary JavaScript](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-some-users-allowed-to-post-unfiltered-html)
* [Disclosure of user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue)
* Open API endpoints serving public data (including [usernames and user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue))
* [Path disclosures for errors, warnings, or notices](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-there-path-disclosures-when-directly-loading-certain-files)
* WordPress version number disclosure
* Any vulnerability with a CVSS 3 score lower than 4.0, unless it can be combined with other vulnerabilities to achieve a higher score.
* Output from automated scans - please manually verify issues and include a valid proof of concept.
If you think you found an exception, please let us know.
view WordPress Core SOURCE_CODE high high high critical
We generally **aren’t** interested in the following problems:
* [Users with administrator or editor privileges can post arbitrary JavaScript](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-some-users-allowed-to-post-unfiltered-html)
* [Disclosure of user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue)
* Open API endpoints serving public data (including [usernames and user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue))
* [Path disclosures for errors, warnings, or notices](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-there-path-disclosures-when-directly-loading-certain-files)
* WordPress version number disclosure
* Any vulnerability with a CVSS 3 score lower than 4.0, unless it can be combined with other vulnerabilities to achieve a higher score.
* Output from automated scans - please manually verify issues and include a valid proof of concept.
If you think you found an exception, please let us know.
view api.wordpress.org URL high medium high critical
view codex.wordpress.org,codex.bbpress.org,codex.buddypress.org URL low none low medium
These are wikis; they are intended to be freely edited by anonymous users. We are not interested in vulnerabilities unless they have a severe impact.
view https://github.com/WordPress/gutenberg SOURCE_CODE low none low medium
All source code that isn't behind authentication is intended to be public. The source code itself has `Medium` CVSS impact scores. The applications that manage the code (Trac, Git, SVN, etc) have `Low` scores, except for vulnerabilities that allow modifications to the source code.
view irclogs.wordpress.org URL low none low medium
We are not interested in vulnerabilities unless they have a severe impact.
view lists.wordpress.org URL medium low low high
We are not interested in vulnerabilities unless they have a severe impact.
view mercantile.wordpress.org URL low medium low high
view planet.wordpress.org URL medium none medium critical
view *.cloud.vimeo.com URL medium medium medium critical
Upload endpoints such as *.cloud.vimeo.com
view *.vimeo.com URL critical
See the scope/program page for more definitive information. This does not include third parties hosted under vimeo.com domain names. Subject to revision if we realize we missed one.
view 425194759 APPLE_STORE_APP_ID medium medium medium critical
view api.vimeo.com URL medium medium medium critical
view checkout.vimeo.com URL critical
This is an S3 bucket behind a CDN. We are responsible for the things WE can control about it (content, S3 permissions, CDN headers, etc.). Items beyond our control are not in scope.
view com.vimeo.android.videoapp GOOGLE_PLAY_APP_ID medium medium medium critical
view player.vimeo.com URL medium medium medium critical
view vimeo.com/api URL medium medium medium critical
Legacy API endpoints such as vimeo.com/api
view vimeo.com/ondemand URL critical
Vimeo On Demand hosted sites: https://vimeo.com/ondemand
view vimeopro.com URL medium medium medium critical
Vimeo Pro portfolios hosted on vimeopro.com
view www.vimeo.com URL medium medium medium critical
view *.concrete5.org URL critical
view https://github.com/concrete5/concrete5 SOURCE_CODE critical
view *.periscope.tv URL critical
view *.pscp.tv URL critical
view *.twimg.com URL high medium high critical
view *.twitter.com URL critical
view *.vine.co URL critical
view com.atebits.Tweetie2 APPLE_STORE_APP_ID critical
view com.twitter.android GOOGLE_PLAY_APP_ID critical
view gnip.com URL critical
view mopub.com URL critical
view niche.co URL critical
view snappytv.com URL critical
view twitterflightschool.com URL low low low medium
view *.delivery-club.ru URL high high high critical
Delivery Club runs a preliminary bug bounty program in which only high-severity server-side bugs are eligible. Client-side bug reports (XSS, CSRF) are accepted without monetary reward. BCP reports (e.g. SSL-related issues) are not accepted. Please read the program rules for the categories of bugs accepted.
view *.lootdog.io URL high high high critical
Loot Dog runs a preliminary bug bounty program in which only high-severity bugs are eligible. BCP reports (e.g. SSL-related issues) are not accepted. Please read the program rules for the categories of bugs accepted.
view 3rd party or partner service used or branded by Mail.Ru OTHER low low low medium
Third-party projects and services are not covered by the bug bounty terms and rules. Researchers must follow the rules and service agreement published by the resource being investigated. Mail.Ru does not authorize researchers or grant them permission in any form to research third-party resources for vulnerabilities; all permissions must be obtained by the researcher directly from the third party or partner. Only reports affecting mail.ru services or customers are accepted. Vulnerability information for a third-party product or service cannot be disclosed within the Mail.Ru bug bounty program.
view Another Mail.Ru subdomain OTHER medium medium medium critical
Reports for non-listed Mail.Ru projects are accepted, but are not currently eligible for bounty. In some cases, a bounty may be awarded on an individual basis for high-severity server-side vulnerabilities. Please read the program rules for the categories of bugs accepted.
view Another project / domain acquired by Mail.Ru OTHER medium medium medium critical
Reports for acquired non-listed Mail.Ru projects, including, but not limited to, delivery-club.ru, beepcar.ru, youla.io and maps.me, are accepted, but are not currently eligible for bounty. In some cases, a bounty may be awarded on an individual basis for high-severity server-side vulnerabilities. Please read the program rules for the categories of bugs accepted.
view Mail.Ru networking infrastructure HARDWARE high high high critical
Please read the program rules for the categories of bugs accepted (no version disclosure, same-site scripting, etc.).
view My.Com - another projects OTHER medium medium medium critical
Reports for non-listed My.Com projects are accepted, but are not currently eligible for bounty. In some cases, a bounty may be awarded on an individual basis for high-severity server-side vulnerabilities. Please read the program rules for the categories of bugs accepted.
view My.Com MyMail backend OTHER high high high critical
Please read the program rules for the categories of bugs accepted.
view My.Com networking infrastructure HARDWARE high high high critical
Please read the program rules for the categories of bugs accepted (no version disclosure, same-site scripting, etc.).
view account.mail.ru URL high high high critical
Mail.Ru Account Management center. Please read the program rules for the categories of bugs accepted.
view auth.mail.ru URL high high high critical
Mail.Ru Authentication center. Please read the program rules for the categories of bugs accepted.
view biz.mail.ru URL high high high critical
Mail.Ru B2B services. Please read the program rules for the categories of bugs accepted.
view calendar.mail.ru URL high high high critical
Mail.Ru Calendar. Please read the program rules for the categories of bugs accepted.
view cloud.mail.ru URL high high high critical
Mail.Ru Cloud. Please read the program rules for the categories of bugs accepted.
view com.my.mail GOOGLE_PLAY_APP_ID high high high critical
MyCom MyMail for Android. Please read the program rules for the categories of bugs accepted. Do not report bugs that are common to MyMail and Mail.Ru Mail.
view com.my.mymail APPLE_STORE_APP_ID high high high critical
MyCom MyMail for iOS. Please read the program rules for the categories of bugs accepted. Do not report bugs that are common to MyMail and Mail.Ru Mail.
view e.mail.ru URL high high high critical
Mail.Ru Web Mail. Please read the program rules for the categories of bugs accepted.
view emx.mail.ru URL high high high critical
Mail.Ru B2B SMTP MX server. Please read the program rules for the categories of bugs accepted.
view health.mail.ru URL high high high critical
Mail.Ru Health. Subdomains are not included. Please read the program rules for the categories of bugs accepted.
view ideas.mail.ru URL low low high critical
Mail.Ru Ideas for Bis. Please read the program rules for the categories of bugs accepted.
view imap.mail.ru URL high high high critical
Mail.Ru IMAPv4 server. Please read the program rules for the categories of bugs accepted.
view light.mail.ru URL medium high medium critical
Mail.Ru Web Mail for older browsers. Please read the program rules for the categories of bugs accepted.
view m.mail.ru URL medium high medium critical
Mail.Ru Web Mail for older smartphones. Please read the program rules for the categories of bugs accepted.
view mail.ru URL high low high critical
Mail.Ru portal page. Only the https://mail.ru/ portal page is covered by this asset; no subdomains are included. Review the bug bounty program's rules for the categories of bugs accepted.
view mxs.mail.ru URL high high high critical
Mail.Ru SMTP MX server. Please read the program rules for the categories of bugs accepted.
view o2.mail.ru URL high high high critical
Mail.Ru OAuth2 Authentication center. Please read the program rules for the categories of bugs accepted.
view pop.mail.ru URL high high high critical
Mail.Ru POP3 server. Please read the program rules for the categories of bugs accepted.
view ru.mail.auth.totp GOOGLE_PLAY_APP_ID high high high critical
Mail.Ru Access Code (Код Доступа) application. Please read the program rules for the categories of bugs accepted. Cached data storage reports for non-authentication data and certificate pinning reports are not currently accepted.
view ru.mail.calendar GOOGLE_PLAY_APP_ID medium medium medium critical
Mail.Ru Calendar Android application. Please read the program rules for the categories of bugs accepted. Cached data storage reports for non-authentication data and certificate pinning reports are not currently accepted.
view ru.mail.cloud GOOGLE_PLAY_APP_ID high high high critical
Mail.Ru Cloud Android application. Please read the program rules for the categories of bugs accepted. Cached data storage reports for non-authentication data and certificate pinning reports are not currently accepted.
view ru.mail.mail APPLE_STORE_APP_ID high high high critical
Mail.Ru Mail iOS application. Please read the program rules for the categories of bugs accepted. Cached data storage reports for non-authentication data and certificate pinning reports are not currently accepted.
view ru.mail.mailapp GOOGLE_PLAY_APP_ID high high high critical
Mail.Ru Mail Android application. Please read the program rules for the categories of bugs accepted. Cached data storage reports for non-authentication data and certificate pinning reports are not currently accepted.
view ru.mail.mrcalendar APPLE_STORE_APP_ID high high high critical
Mail.Ru Calendar iOS application. Please read the program rules for the categories of bugs accepted. Cached data storage reports for non-authentication data and certificate pinning reports are not currently accepted.
view ru.mail.mrcloud APPLE_STORE_APP_ID high high high critical
Mail.Ru Cloud iOS application. Please read the program rules for the categories of bugs accepted. Cached data storage reports for non-authentication data and certificate pinning reports are not currently accepted.
view smtp.mail.ru URL high high high critical
Mail.Ru SMTP submission server. Please read the program rules for the categories of bugs accepted.
view swa.mail.ru URL high high high critical
Mail.Ru Authentication center. Please read the program rules for the categories of bugs accepted.
view tel.mail.ru URL low high low critical
Mail.Ru Web Mail for older phones. Please read the program rules for the categories of bugs accepted.
view touch.mail.ru URL high high high critical
Mail.Ru Web Mail for touch devices. Please read the program rules for the categories of bugs accepted.
view api.slack.com URL critical
The Slack API
view slack.com URL critical
The slack.com site and application.
view status.slack.com URL critical
The Slack status site
view *.cbhq.net URL high high high critical
view *.coinbase.com URL high high high critical
view 54.175.255.192/27 CIDR high high high critical
view com.coinbase.android GOOGLE_PLAY_APP_ID high high high critical
view com.coinbase.ios APPLE_STORE_APP_ID high high high critical
view go.wepay.com URL critical
view home.wepay.com URL critical
view stage-go.wepay.com URL critical
view stage-home.wepay.com URL critical
view stage.wepay.com URL critical
view stage.wepayapi.com URL high high high critical
view www.wepay.com URL critical
view www.wepayapi.com URL high high high critical
view *.irccloud-cdn.com URL high high high critical
view *.irccloud.com URL high high high critical
In particular, the IRC connection hosts listed here: https://www.irccloud.com/networks
view api.irccloud.com URL high high high critical
view blog.irccloud.com URL low low low medium
view com.irccloud.IRCCloud APPLE_STORE_APP_ID high high high critical
The iOS app is open source (https://github.com/irccloud/ios), so decompilation issues are not eligible. Vulnerabilities requiring local or root access to a device are also not eligible.
view com.irccloud.android GOOGLE_PLAY_APP_ID high high high critical
The Android app is open source (https://github.com/irccloud/android), so decompilation issues are not eligible. Vulnerabilities requiring local or root access to a device are also not eligible.
view https://github.com/irccloud/android SOURCE_CODE high high high critical
view https://github.com/irccloud/ios SOURCE_CODE high high high critical
view https://github.com/irccloud/irccloud-desktop SOURCE_CODE low low low medium
Our desktop app is pre-release and not officially supported or promoted; we are not ready to issue bounties for it.
view irc.irccloud.com URL high high high critical
Support IRC network.
view irccloud.com URL high high high critical
view team-irc.irccloud.com URL high high high critical
Private team IRC servers
view www.irccloud.com URL high high high critical
view https://github.com/iandunn?tab=repositories SOURCE_CODE critical
Any **source** repository on my GitHub account, **except** for the ones marked as **archived**, and the following additional exclusions:
* `compassionate-comments`, because it's just a rough proof of concept.
* `wordcamp-remote-css-test`, because it's only test data.
view https://profiles.wordpress.org/iandunn#content-plugins SOURCE_CODE critical
Any plugin listed on my WordPress.org profile is within scope, **except** for these:
* Email Post Changes and Jetpack should be submitted to [Automattic](https://hackerone.com/automattic) instead.
* CampTix, CampTix Network Tools, P2 New Post Categories, Tagregator, and SupportFlow should be submitted to [WordPress](https://hackerone.com/wordpress) instead, because they're [Meta team](https://make.wordpress.org/meta/) projects.
* Manage Tags Capabilities is not covered, since I don't have commit access to it.
view iandunn.name URL none none none none
I'm mainly interested in high-severity vulnerabilities, like RCE, SQLi, and XSS. Low-severity reports like clickjacking and missing HTTP headers will probably be closed as `Informative`.
view *.urbandictionary.com URL none critical
view *.urbandictionary.net URL none critical
view com.urbandictionary.android GOOGLE_PLAY_APP_ID critical
view com.urbandictionary.iphone APPLE_STORE_APP_ID critical
view urbandictionary.com URL none critical
view urbandictionary.net URL none critical
view api.robinhood.com URL critical
view com.robinhood.android GOOGLE_PLAY_APP_ID critical
view com.robinhood.release.Robinhood APPLE_STORE_APP_ID critical
view nummus.robinhood.com URL critical
view robinhood.com URL critical
view api.greenhouse.io URL high high high critical
Documentation:
* https://developers.greenhouse.io/harvest.html
* https://developers.greenhouse.io/job-board.html#retrieve-a-department
view app.greenhouse.io URL critical
view boards.greenhouse.io URL high high high critical
view io.greenhouse.events APPLE_STORE_APP_ID medium medium medium critical
https://itunes.apple.com/us/app/greenhouse-events/id1297671795?mt=8
view io.greenhouse.recruiting GOOGLE_PLAY_APP_ID none high high critical
https://play.google.com/store/apps/details?id=io.greenhouse.recruiting&hl=en_US
view io.greenhouse.recruiting APPLE_STORE_APP_ID none medium medium critical
https://itunes.apple.com/us/app/greenhouse-recruiting/id1112028249?mt=8
view onboarding.greenhouse.io URL high high high critical
view support.greenhouse.io URL high medium medium critical
view www.greenhouse.io URL medium low medium critical
view https://github.com/WordPoints/ SOURCE_CODE critical
We are interested in any of the WordPoints extensions developed under this GitHub organization. We are mainly interested in vulnerabilities in the released code, which is in the `/src` directory. We are interested in issues present in the `develop` branch and the latest release (`master` branch).
view https://github.com/WordPoints/wordpoints/ SOURCE_CODE critical
We are mainly interested in vulnerabilities in the released code, which is in the `/src` directory. We are interested in issues present in the `develop` branch and the latest release (`master` branch).
view https://deals.souq.com URL critical
This is the Souq daily deals website.
view https://sell.souq.com URL critical
This is the Souq Selling Center, where sellers can manage their orders and listings. Anything regarding sub-accounts is outside the scope of the bug bounty program.
view https://uae.souq.com URL critical
This is the Souq.com main online marketplace website. All other country sites (Saudi Arabia, Egypt, Kuwait, etc.) have the same structure. To keep things aligned, do not test the other country websites.
view *.algolia.net URL high high high critical
view *.algolianet.com URL high high high critical
view www.algolia.com URL high high high critical
view Dropbox Desktop DOWNLOADABLE_EXECUTABLES low high high critical
[Dropbox for Desktop](https://www.dropbox.com/install)
view com.dropbox.android GOOGLE_PLAY_APP_ID low high high critical
[Dropbox](https://play.google.com/store/apps/details?id=com.dropbox.android)
view com.dropbox.paper GOOGLE_PLAY_APP_ID low high high critical
[Paper](https://play.google.com/store/apps/details?id=com.dropbox.paper)
view com.dropbox.paper APPLE_STORE_APP_ID low high high critical
[Paper](https://itunes.apple.com/us/app/paper-by-dropbox/id1126623662)
view com.getdropbox.Dropbox APPLE_STORE_APP_ID low high high critical
[Dropbox](https://itunes.apple.com/us/app/dropbox/id327630330)
view com.getdropbox.DropboxEMM APPLE_STORE_APP_ID low high high critical
[Dropbox EMM](https://itunes.apple.com/us/app/dropbox-emm/id1080074001)
view dropboxforum.com URL none low none low
view paper.dropbox.com URL high high high critical
view showcase.dropbox.com URL low high high critical
view www.dropbox.com URL high high high critical
view Spectacles HARDWARE low medium low high
[Core hardware] Specifically interested in Remote Code Execution on Spectacles (over the air).
view accounts.snapchat.com URL high high high critical
[Core asset] Snapchat's new (limited) account management website.
view app.snapchat.com URL high high high critical
[Core asset] Main server-side application hosted on Google App Engine under the hostname feelinsonice-hrd.appspot.com and app.snapchat.com.
view com.bitstrips.imoji GOOGLE_PLAY_APP_ID low low low medium
[Non-core asset] [Google Play Store](https://play.google.com/store/apps/details?id=com.bitstrips.imoji)
view com.bitstrips.imoji APPLE_STORE_APP_ID low low low medium
[Non-core asset] [iOS App Store](https://itunes.apple.com/us/app/bitmoji-keyboard-your-avatar/id868077558)
view com.snapchat.android GOOGLE_PLAY_APP_ID low medium low high
[Core asset] [Google Play Store](https://play.google.com/store/apps/details?id=com.snapchat.android)
view com.toyopagroup.picaboo APPLE_STORE_APP_ID low medium low high
[Core asset] [iOS App Store](https://itunes.apple.com/us/app/snapchat/id447188370?mt=8)
view geofilters.snapchat.com URL low medium low high
[Core asset] Snapchat's on-demand Geofilters purchase website.
view kit.snapchat.com URL low medium low high
[Core asset] SNAPKIT web application and SDKs
view scan.snapchat.com URL none low none low
[Core asset] Snapcode creation website
view snappublisher.snapchat.com URL low medium low high
[Core asset] Snapchat's publisher tool.
view spectacles.com URL none low none low
[Core asset] Snapchat's spectacles purchase website.
view www.bitmoji.com URL low low low medium
[Non-core asset]
view www.bitstrips.com URL low low low medium
[Non-core asset]
view www.scan.me URL none low none low
[Non-core asset]
view eobot.com URL high high high critical
eobot.com
view 9pp8m6lpfkgf WINDOWS_APP_STORE_APP_ID high high high critical
This is the standalone Edge extension: https://www.microsoft.com/en-us/store/p/dashlane-password-manager/9pp8m6lpfkgf
view Standalone Chrome extension OTHER high high high critical
The standalone extension is available here: https://chrome.google.com/webstore/detail/dashlane-password-manager/fdjamakpfbbddfjaooikfcpapjohcfmg
view app.dashlane.com URL critical
view com.dashlane GOOGLE_PLAY_APP_ID high high high critical
view com.dashlane.dashlanephonefinal APPLE_STORE_APP_ID high high high critical
view console.dashlane.com URL critical
view https://www.dashlane.com/fr/directdownload-v2?os=OS_X_10_12_6&platform=website&target=launcher_macosx DOWNLOADABLE_EXECUTABLES high high high critical
Our OS X installer
view https://www.dashlane.com/fr/directdownload-v2?os=none&platform=website&target=archive_win DOWNLOADABLE_EXECUTABLES high high high critical
Our Windows installer
view logs.dashlane.com URL critical
view ws1.dashlane.com URL critical
view www.dashlane.com URL critical
view api.instacart.com URL high high high critical
view com.instacart APPLE_STORE_APP_ID high high high critical
view com.instacart.client GOOGLE_PLAY_APP_ID high high high critical
view www.instacart.com URL high high high critical
view api.raise.com URL high high high critical
view api.raise.rest URL high high high critical
view raise-risk-oracle.com URL high high high critical
view rro.raise.com URL high high high critical
view www.raise.com URL high high high critical
Accounts for authenticated testing can be created by security researchers with Raise.com's involvement.
view *.ubnt.com URL medium medium medium critical
view AmpliFi HARDWARE high high high critical
view EdgeMAX HARDWARE high high high critical
view EtherMagic HARDWARE high high high critical
view UCRM DOWNLOADABLE_EXECUTABLES high high high critical
view UFiber HARDWARE high high high critical
view UNMS DOWNLOADABLE_EXECUTABLES high high high critical
view UniFi HARDWARE high high high critical
view UniFi Cloud OTHER high high high critical
view UniFi Server DOWNLOADABLE_EXECUTABLES high high high critical
view UniFi Video HARDWARE high high high critical
view UniFi Video Cloud OTHER high high high critical
view UniFi Video Server DOWNLOADABLE_EXECUTABLES high high high critical
view UniFi Voip HARDWARE low medium medium critical
view airFiber HARDWARE high high high critical
view airMAX HARDWARE high high high critical
view blog.ubnt.com URL low medium medium critical
view com.ubnt.discovery.app GOOGLE_PLAY_APP_ID low medium medium critical
view com.ubnt.easyunifi GOOGLE_PLAY_APP_ID low medium medium critical
view com.ubnt.plc GOOGLE_PLAY_APP_ID low medium medium critical
view com.ubnt.sunmax.install GOOGLE_PLAY_APP_ID low medium medium critical
view com.ubnt.ucrm GOOGLE_PLAY_APP_ID low medium medium critical
view com.ubnt.umobile GOOGLE_PLAY_APP_ID low medium medium critical
view com.ubnt.unifi.edu GOOGLE_PLAY_APP_ID low medium medium critical
view com.ubnt.unifivideo GOOGLE_PLAY_APP_ID low medium medium critical
view community.ubnt.com URL low medium medium critical
view forum-es.ubnt.com URL low medium medium critical
view forum-pt.ubnt.com URL low medium medium critical
view help.ubnt.com URL low medium medium critical
view ir.ubnt.com URL low medium medium critical
view store.ubnt.com URL low medium medium critical
view *.staging-airtableblocks.com URL critical
view *.staging.airtable.com URL critical
view staging.airtable.com URL critical
view *.airbnb-aws.com URL critical
Low-priority asset.
view *.airbnb.com URL critical
view *.airbnbcitizen.com URL critical
Low-priority asset.
view *.atairbnb.com URL high high high critical
Low-priority asset.
view *.byairbnb.com URL critical
Low-priority asset.
view *.luxuryretreats.com URL critical
Low-priority asset.
view *.muscache.com URL critical
Low-priority asset.
view *.withairbnb.com URL critical
Low-priority asset.
view Localized airbnb sites listed at the link below: OTHER critical
**https://www.airbnb.com/sitemaps/localized**
view api.airbnb.com URL critical
view assets.airbnb.com URL critical
view callbacks.airbnb.com URL critical
view com.airbnb.android GOOGLE_PLAY_APP_ID critical
view com.airbnb.app APPLE_STORE_APP_ID critical
view com.luxuryretreats.ios APPLE_STORE_APP_ID critical
Low-priority asset.
view m.airbnb.com URL critical
view next.airbnb.com URL critical
view omgpro.airbnb.com URL critical
view one.airbnb.com URL critical
view open.airbnb.com URL critical
view support-api.airbnb.com URL critical
view www.airbnb.com URL critical
view *.vhx.tv URL medium medium medium critical
### EXCEPT for community.vhx.tv, 3rd party sites and EXCEPT a single-customer configured site
The vulnerability must affect every site in order to be valid.
view 935740658 APPLE_STORE_APP_ID medium medium medium critical
view Branded Customer Android Apps OTHER medium medium medium critical
Example: https://play.google.com/store/apps/details?id=tv.vhx.yogawithadriene&hl=en (https://yogawithadriene.vhx.tv/)
### Vulnerabilities must affect ANY/ALL branded Android apps and not just a single customer app
view Branded Customer Roku Apps OTHER medium medium medium critical
Example: https://channelstore.roku.com/details/77809/yoga-with-adriene (https://yogawithadriene.vhx.tv)
### Vulnerabilities must affect ANY/ALL branded Roku apps and not just a single customer app
view Branded Customer iOS Apps OTHER medium medium medium critical
Example: https://itunes.apple.com/us/app/find-what-feels-good-yoga/id1050813703?mt=8 (https://yogawithadriene.vhx.tv)
### Vulnerabilities must affect ANY/ALL branded iOS apps and not just a single customer app
view api.vhx.tv URL medium medium medium critical
view channelstore.roku.com/details/48061/vhx OTHER medium medium medium critical
Roku App
view embed.vhx.tv URL medium medium medium critical
view tv.vhx GOOGLE_PLAY_APP_ID medium medium medium critical
view vhx.tv URL medium medium medium critical
The VHX homepage at vhx.tv redirects to a login page at ott.vimeo.com. Please submit these reports to the VHX program.
view *.shopify.com URL low low low medium
Reports involving *.shopify.com are reviewed on a per case basis for bounty eligibility. Any services operated by a third party without a proof of concept demonstrating impact on *.myshopify.com users will likely be ineligible for a bounty.
view Shopify Third Party Apps OTHER critical
Vulnerabilities found in Shopify third party apps should be reported to the responsible developer. You should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a satisfactory response from the responsible developer.
view Shopify Third Party Store OTHER critical
You may only test against shops you have created.
view accounts.shopify.com URL high high high critical
view apps.shopify.com URL low low low medium
Shopify App Store
view com.jadedlabs.frenzy APPLE_STORE_APP_ID none low low medium
Arrive iOS app, available in the [iTunes store](https://itunes.apple.com/ca/app/frenzy-buy-sneakers-and-more/id1140572698)
view com.jadedpixel.pos APPLE_STORE_APP_ID low low low medium
Shopify POS for iOS, available in the [iTunes store](https://itunes.apple.com/ca/app/shopify-pos-point-sale-for/id686830644?mt=8)
view com.jadedpixel.shopify APPLE_STORE_APP_ID low low low medium
Mobile Shopify for iOS, available in the [iTunes store](https://itunes.apple.com/ca/app/shopify-mobile/id371294472?mt=8)
view com.shopify.arrive APPLE_STORE_APP_ID none low low medium
Arrive iOS app, available in the [iTunes store](https://itunes.apple.com/ca/app/arrive-package-tracker/id1223471316?mt=8)
view com.shopify.mobile GOOGLE_PLAY_APP_ID low low low medium
Mobile Shopify for Android, available in the [Play store](https://play.google.com/store/apps/details?id=com.shopify.mobile)
view com.shopify.pos GOOGLE_PLAY_APP_ID low low low medium
Shopify POS for Android, available in the [Play store](https://play.google.com/store/apps/details?id=com.shopify.pos)
view com.shopify.pos.customerview GOOGLE_PLAY_APP_ID low low low medium
Shopify Customer View App for POS, available in the [Play store](https://play.google.com/store/apps/details?id=com.shopify.pos.customerview)
view exchange.shopify.com URL none low low medium
view experts.shopify.com URL low low low medium
Shopify Experts
view https://apps.shopify.com/digital-downloads URL low low low medium
Digital Downloads is an app that can be installed from the Shopify app store https://apps.shopify.com/digital-downloads
view https://apps.shopify.com/product-reviews URL none low low medium
After creating a test store, you may install this app from the Shopify app store to test it as well.
view https://apps.shopify.com/shopify-widgets URL low low low medium
Buy Button is an app that can be installed from the Shopify app store https://apps.shopify.com/shopify-widgets
view https://flow.shopifycloud.com URL none low low medium
Flow is an app that can be installed from the Shopify app store https://apps.shopify.com/flow
view https://wholesale.shopifycloud.com/ URL none low low medium
Wholesale is a sales channel which can be installed on your store by visiting `/admin` and clicking the `+` beside `Sales Channels` in the menu on the left.
view partners.shopify.com URL high high high critical
view themes.shopify.com URL low low low medium
Shopify Theme Store
view www.kitcrm.com URL none low none low
Kit can be installed from https://apps.shopify.com/kit
view your-store.myshopify.com URL high high high critical
Your development store hosted at `*.myshopify.com`. Create a development store by signing up at https://partners.shopify.com/
view *.booztx.com URL high high high critical
view m.boozt.com URL high high high critical
view www.boozt.com URL high high high critical
view www.booztlet.com URL high high high critical
view www.coursera.org URL critical
view app.legalrobot-test.com URL none none none none
TEST HERE!
view app.legalrobot.com URL high high high critical
When possible, please avoid testing on this domain. In general, testing should occur on legalrobot-uat.com.
view www.legalrobot-test.com URL none none none none
Everything on our www subdomain is static and just hosts our blog and some other assets. So, there is very little opportunity for bugs here.
view www.legalrobot.com URL low none low medium
Everything on our www subdomain is static and just hosts our blog and some other assets. So, there is very little opportunity for bugs here.
view *.grab.co URL low low low medium
view *.grab.com URL critical
view *.grabtaxi.com URL low low low medium
view *.myteksi.com URL none high high critical
view *.myteksi.net URL critical
view 1257641454 APPLE_STORE_APP_ID critical
Grab Driver
view 1353289014 APPLE_STORE_APP_ID critical
GrabFood iOS
view 1354806922 APPLE_STORE_APP_ID critical
GrabCycle
view 1360970802 APPLE_STORE_APP_ID critical
GrabFood Driver
view 647268330 APPLE_STORE_APP_ID high high high critical
Grab (iOS)
view com.grab.food.dax GOOGLE_PLAY_APP_ID critical
GrabFood Driver
view com.grab.food.pax GOOGLE_PLAY_APP_ID critical
GrabFood
view com.grabtaxi.cycle.adr GOOGLE_PLAY_APP_ID critical
GrabCycle
view com.grabtaxi.driver2 GOOGLE_PLAY_APP_ID critical
Grab Driver
view com.grabtaxi.passenger GOOGLE_PLAY_APP_ID critical
Grab (Android)
view drive.grab.co URL critical
view drivegrab.com URL critical
view gamma.grab.co URL critical
view grab.careers URL low low low medium
view graballstars.com URL critical
view hub.grab.com URL high medium high critical
**What it does:** This website allows Grab passengers to log in, view their past trips and change their payment information. This application also allows our business customers to set up and manage Grab for Work groups.
**What to look for:** For this service, all web vulnerabilities are a concern, as well as any bug that could result in disclosure of arbitrary Grab passenger information. This relatively small app houses important functionality, such as the ability to view/download trip history, modify payment details and allow Grab for Work
**What it runs on:** Ruby on Rails and React
view manage.grab.co URL critical
view p.grabtaxi.com URL high high high critical
**What it does:** The Grab iOS and Android apps communicate with this service while you use Grab. This endpoint acts as an API gateway proxy to all of our services. This API exposes the largest attack surface of any service here at Grab.
**What to look for:** Much like our external API, p.grabtaxi.com is a RESTful API served over certificate-pinned HTTPS. The best way to hunt for bugs here is to use your own auth token via the X-mts-ssid header and look for authorization and access control issues, user enumeration, business logic flaws, etc. Please keep in mind that you should only ever perform this testing against accounts you own; failure to do so could result in a ban from the program, which nobody wants!
**What it runs on:** Golang
view GitHub CSP OTHER critical
While content-injection vulnerabilities are already in-scope for our [GitHub.com bounty](https://bounty.github.com/targets/github.html), we also accept bounty reports for novel [CSP](https://developers.google.com/web/fundamentals/security/csp/) bypasses affecting GitHub.com, even if they do not include a content-injection vulnerability. Using an intercepting proxy or your browser's developer tools, experiment with injecting content into the DOM. See if you can execute arbitrary JavaScript or exfiltrate sensitive page contents such as CSRF tokens. Reports of other previously-unknown impacts from content-injection will also be considered. Previously identified attacks are not eligible for reward (we've put a lot of thought into CSP bypasses already). You can find a discussion of known attacks and our attempts to mitigate them [here](http://githubengineering.com/githubs-csp-journey/). Attacks against CSP features not used on GitHub.com, such as script nonces, are not eligible for reward. Vulnerabilities resulting from injection in implausible locations, such as within an element that doesn't contain user-content, are not eligible for reward. Rewards are determined at our discretion: if you think you've found something cool and novel, report it!
view GitHub Enterprise HARDWARE critical
GitHub Enterprise is the on-premises version of GitHub. GitHub Enterprise shares a code-base with GitHub.com, is built on Ruby on Rails and leverages a number of open source technologies. GitHub Enterprise adds a number of features for enterprise infrastructures. This includes additional authentication backends and clustering options. Below is a subset of features unique to GitHub Enterprise that might be interesting to investigate.
- Instance-wide authentication ([_private mode_](https://help.github.com/enterprise/admin/guides/installation/enabling-private-mode/))
- External authentication backends including [CAS, LDAP, and SAML](https://help.github.com/enterprise/admin/guides/user-management/)
- In-app administration of the instance using a site administrator control panel
- [User, organization, and repository migration](https://help.github.com/enterprise/admin/guides/migrations/)
- [Web-based management console](https://help.github.com/enterprise/admin/guides/installation/web-based-management-console/) and [SSH access](https://help.github.com/enterprise/admin/guides/installation/administrative-shell-ssh-access/) to configure and update the instance
- [Pre-receive hook scripts](https://help.github.com/enterprise/admin/guides/developer-workflow/creating-a-pre-receive-hook-script/)
Rewards range from $555 up to $20,000 and are determined at our discretion based on a number of factors. For example, a vulnerability in a service that is intended to be restricted from external access would have a lower reward than one within the core GitHub Enterprise web interface. You can request a trial of GitHub Enterprise for security testing at [https://enterprise.github.com/bounty](https://enterprise.github.com/bounty).
view GitHub.com URL high high high critical
GitHub.com is our main web site. It is our most intricate application with a number of user inputs and access methods. GitHub.com is built on Ruby on Rails and leverages a number of Open Source technologies. Rewards range from $555 up to $20,000 and are determined at our discretion based on a number of factors. For example, if you find a reflected XSS that is only possible in Opera, and Opera is \<2% of our traffic, then the severity and reward will be lower. But a persistent XSS that works in Chrome, at \>60% of our traffic, will earn a much larger reward. You can find the app at [https://github.com](https://github.com "https://github.com").
view Other Applications DOWNLOADABLE_EXECUTABLES none low none low
GitHub builds and operates a number of web properties and applications. Not all of them are currently part of an open bounty, however, we still appreciate the effort researchers put forth to identify vulnerabilities. Vulnerabilities found in applications not specifically listed on the [Open bounties](https://bounty.github.com/index.html#open-bounties) are not currently eligible for cash rewards.
view api.github.com URL high high high critical
The GitHub API is used by thousands of developers and applications to programmatically interact with GitHub data and services. Because so much of the GitHub.com functionality is exposed in the API, security has always been a high priority. Rewards range from $555 up to $20,000 and are determined at our discretion based on a number of factors. You can find the app at [https://api.github.com](https://api.github.com "https://api.github.com") and can find the API documentation at [https://developer.github.com](https://developer.github.com "https://developer.github.com").
view gist.github.com URL medium medium medium critical
Gist is one of the first products launched by GitHub after GitHub.com. It is a service for sharing snippets of code or other text content. Gist is built on Ruby on Rails and leverages a number of Open Source technologies. Rewards range from $555 up to $20,000 and are determined at our discretion based on a number of factors. For example, if you find a reflected XSS that is only possible in Opera, and Opera is \<2% of our traffic, then the severity and reward will be lower. But a persistent XSS that works in Chrome, at \>60% of our traffic, will earn a much larger reward. You can find the app at [https://gist.github.com](https://gist.github.com "https://gist.github.com").
view *.paydiant.com URL critical
view *.paypal.com URL critical
view *.venmo.com URL critical
view *.xoom.com URL critical
view com.paypal.android.carica GOOGLE_PLAY_APP_ID critical
view com.paypal.android.claro GOOGLE_PLAY_APP_ID critical
view com.paypal.android.p2pmobile GOOGLE_PLAY_APP_ID critical
view com.paypal.android.telcel GOOGLE_PLAY_APP_ID critical
view com.paypal.carica APPLE_STORE_APP_ID critical
view com.paypal.claro APPLE_STORE_APP_ID critical
view com.paypal.here GOOGLE_PLAY_APP_ID critical
view com.paypal.here APPLE_STORE_APP_ID critical
view com.paypal.herehd APPLE_STORE_APP_ID critical
view com.paypal.merchant APPLE_STORE_APP_ID critical
view com.paypal.merchant.client GOOGLE_PLAY_APP_ID critical
view com.paypal.telcel APPLE_STORE_APP_ID critical
view com.venmo GOOGLE_PLAY_APP_ID critical
view com.xoom.android.app GOOGLE_PLAY_APP_ID critical
view com.xoom.app APPLE_STORE_APP_ID critical
view com.yourcompany.PPClient APPLE_STORE_APP_ID critical
view net.kortina.labs.Venmo APPLE_STORE_APP_ID critical
view paypal.me URL critical
view paypalobjects.com URL critical
view py.pl URL critical
view sandbox.braintreegateway.com URL critical
view www.paypal-*.com URL critical
PayPal's Partner Sites (www.paypal-*.com) are mainly marketing-based sites that are not part of the core PayPal customer domains (.paypal.com) and are managed by hosting vendor companies. They have variable timelines and are often decommissioned. A listing of these sites designated for deprecation will not be publicly maintained due to frequent changes. When researching bugs on these sites, please keep this in mind, as bug submissions for sites scheduled for deprecation will not be honored. Submissions of bugs relating to services or domains not referenced above, or for sites scheduled for deprecation, are ineligible for the Bug Bounty Program and will not be eligible for a Bounty Payment.
view 737216887 APPLE_STORE_APP_ID low low low medium
Matomo Mobile 2 iOS App. Only critical issues compromising the token are in scope.
view https://github.com/innocraft/ SOURCE_CODE low medium low high
All other software on the innocraft GitHub organisation
view https://github.com/matomo-org SOURCE_CODE low medium low high
All other software on the matomo-org GitHub organisation
view https://github.com/matomo-org/matomo SOURCE_CODE critical
This repository contains the source code of Matomo Analytics.
view https://plugins.matomo.org/developer/innocraft SOURCE_CODE high high high critical
Official plugins by Innocraft
view https://plugins.matomo.org/developer/matomo-org SOURCE_CODE high high high critical
Official plugins by the Matomo team
view https://www.innocraft.cloud/ URL high high high critical
Matomo Analytics Cloud (*username.innocraft.cloud*) is also in scope, but please limit tests to ones that don't affect the live instance (no automated tools). You can easily [set up your own Matomo instance](https://matomo.org/docs/installation/) for extensive testing.
view org.piwik.mobile2 GOOGLE_PLAY_APP_ID low low low medium
Matomo Mobile 2 Android App. Only critical issues compromising the token are in scope.
view Other assets OTHER high high high critical
If you have found a vulnerability in a Starbucks site or app not contained within this list, you can still submit, and Starbucks will triage the report. These types of reports will not result in a monetary reward but valid reports that are resolved can improve your reputation score on the HackerOne platform.
view Other non domain specific items OTHER high high high critical
Issues within this category must be reported with clear & valid security impact to be considered eligible.
* Subdomain takeovers
* Router/switch network vulnerabilities
* Use of known default credentials
* Cleartext transmission of sensitive production data
* Significant information disclosures such as internal source code, PII, credentials (excluding those identified in other/prior public breaches).
view app.starbucks.com URL high high high critical
Starbucks US https://app.starbucks.com
view com.starbucks.br GOOGLE_PLAY_APP_ID high high high critical
Starbucks Brazil Android App. https://play.google.com/store/apps/details?id=com.starbucks.br
view com.starbucks.br APPLE_STORE_APP_ID high high high critical
Starbucks Brazil iOS app. https://itunes.apple.com/br/app/starbucks-brasil/id1041179480
view com.starbucks.cn GOOGLE_PLAY_APP_ID high high high critical
Starbucks China Android App. https://play.google.com/store/apps/details?id=com.starbucks.cn
view com.starbucks.de GOOGLE_PLAY_APP_ID high high high critical
Starbucks Germany Android App https://play.google.com/store/apps/details?id=com.starbucks.de
view com.starbucks.de APPLE_STORE_APP_ID high high high critical
Starbucks Germany iOS app. https://itunes.apple.com/de/app/starbucks-deutschland/id948562829
view com.starbucks.fr GOOGLE_PLAY_APP_ID high high high critical
Starbucks France Android App https://play.google.com/store/apps/details?id=com.starbucks.fr
view com.starbucks.fr APPLE_STORE_APP_ID high high high critical
Starbucks France iOS app. https://itunes.apple.com/fr/app/starbucks-france/id943993603
view com.starbucks.jp GOOGLE_PLAY_APP_ID high high high critical
Starbucks Japan Android App. https://play.google.com/store/apps/details?id=com.starbucks.jp
view com.starbucks.jp APPLE_STORE_APP_ID high high high critical
Starbucks Japan iOS app. https://itunes.apple.com/jp/app/id1113037275
view com.starbucks.mobilecard GOOGLE_PLAY_APP_ID high high high critical
Starbucks USA Android app. https://play.google.com/store/apps/details?id=com.starbucks.mobilecard
view com.starbucks.mystarbucks APPLE_STORE_APP_ID high high high critical
Starbucks US iOS app. https://itunes.apple.com/us/app/starbucks/id331177714
view com.starbuckschina.mystarbucksmoments APPLE_STORE_APP_ID high high high critical
Starbucks China iOS app. https://itunes.apple.com/us/app/starbucks-china/id499819758
view gift.starbucks.co.jp URL high high high critical
Starbucks e-gift Japan https://gift.starbucks.co.jp/
view login.starbucks.co.jp/login URL high high high critical
Starbucks Japan Login page https://login.starbucks.co.jp/login
view www.starbucks.ca URL high high high critical
Starbucks Canada https://www.starbucks.ca/
view www.starbucks.co.jp URL high high high critical
Starbucks Japan https://www.starbucks.co.jp
view www.starbucks.co.uk URL high high high critical
Starbucks UK www.starbucks.co.uk
view www.starbucks.com URL high high high critical
Starbucks US https://www.starbucks.com/
view www.starbucks.com.br URL high high high critical
Starbucks Brazil https://www.starbucks.com.br/
view www.starbucks.com.cn URL high high high critical
Starbucks China https://www.starbucks.com.cn/
view www.starbucks.de URL high high high critical
Starbucks Germany https://www.starbucks.de/
view www.starbucks.fr URL high high high critical
Starbucks France https://www.starbucks.fr/
view www.starbucksreserve.com URL low low low medium
Starbucks Reserve https://www.starbucksreserve.com/
view www.teavana.com URL low low low medium
Teavana https://www.teavana.com/
view IBM Products OTHER high high high critical
Vulnerability Reports against IBM products.
view IBM Websites OTHER high high high critical
Vulnerability Reports against *.ibm.com websites.
view lifeinvader.com URL low low low medium
view media.rockstargames.com URL critical
view patches.rockstargames.com URL critical
view prod.cloud.rockstargames.com URL critical
view prod.conductor.ros.rockstargames.com URL critical
view prod.hosted.cloud.rockstargames.com URL critical
view prod.ros.rockstargames.com URL critical
view prod.telemetry.ros.rockstargames.com URL critical
view rockstarnorth.com URL none none low low
view socialclub.rockstargames.com URL critical
view support.rockstargames.com URL critical
Vulnerability reports for support.rockstargames.com may not be awarded bounties if it is discovered that the root vulnerability lies in Zendesk's code. Hackers are encouraged to submit such reports to [Zendesk's bug bounty program](https://hackerone.com/zendesk).
view www.rockstargames.com URL critical
view https://github.com/revive-adserver/revive-adserver SOURCE_CODE critical
view maximum.nl URL medium medium medium critical
view mijn.werkenbijdefensie.nl URL high high high critical
view techniekbijdemarine.nl URL none none low low
This is an old site running legacy flash cod