immutable
15
In Scope
8
Out of Scope
In-Scope Assets (15)
| Asset | Category | Bounty | Quick Links | |
|---|---|---|---|---|
| *.immutable.com | URL | Yes | ||
| *.imtbl.com | URL | Yes | ||
| *.testnet.immutable.com | OTHER | Yes | - | |
| https://api.immutable.com | URL | Yes | ||
| https://api.x.immutable.com/ | URL | Yes | ||
| https://auth.immutable.com | URL | Yes | ||
| https://docs.immutable.com/ | URL | Yes | ||
| https://github.com/immutable/ts-immutable-sdk/tree/main/packages/passport/ | OTHER | Yes | - | |
| https://hub.immutable.com/ | URL | Yes | ||
| https://link.x.immutable.com/ | URL | Yes | ||
| https://market.immutable.com/ | URL | Yes | ||
| https://passport.immutable.com/ | URL | Yes | ||
| https://play.immutable.com | URL | Yes | ||
| imx.community | URL | Yes | ||
| testnet.immutable.com | OTHER | Yes | - |
Out-of-Scope Assets (8)
| Asset | Category | Bounty | |
|---|---|---|---|
| *.dev.x.immutable.com, *.sandbox.x.immutable.com, *.dev.x.immutable.com, *.sandbox.imtbl.com, *.dev.imtbl.com, *.ropsten.x.immutable.com, ropsten.imx.community (see brief for exceptions) | OTHER | Yes | |
| *.godsunchained.com | OTHER | Yes | |
| *.gogbackend.com | OTHER | Yes | |
| *.guildofguardians.com | OTHER | Yes | |
| Any data exposure bug that are classified as Public Data such as Ethereum Wallet Address, NFT Purchase activity, or other public blockchain activity. | OTHER | Yes | |
| Anything that does not belong to Immutable | OTHER | Yes | |
| godsunchained.com | OTHER | Yes | |
| gogbackend.com | OTHER | Yes |
Scope Changes (131)
Mar 5, 2026
| Change | Asset | Category | Scope | Time |
|---|---|---|---|---|
| Added | *.guildofguardians.com | WILDCARD | Out of Scope | 22:26 |
| Added | https://passport.immutable.com/ | URL | In Scope | 22:26 |
| Added | https://auth.immutable.com | URL | In Scope | 22:26 |
| Added | https://github.com/immutable/ts-immutable-sdk/tree/main/packages/passport | OTHER | In Scope | 22:26 |
| Added | https://hub.immutable.com/ | URL | In Scope | 22:26 |
| Added | https://play.immutable.com | URL | In Scope | 22:26 |
| Added | https://api.immutable.com | URL | In Scope | 22:26 |
| Added | https://api.x.immutable.com/ | URL | In Scope | 22:26 |
| Added | *.immutable.com | URL | In Scope | 22:26 |
| Added | *.imtbl.com | URL | In Scope | 22:26 |
| Added | testnet.immutable.com | OTHER | In Scope | 22:26 |
| Added | *.testnet.immutable.com | OTHER | In Scope | 22:26 |
| Added | https://link.x.immutable.com/ | URL | In Scope | 22:26 |
| Added | https://market.immutable.com/ | URL | In Scope | 22:26 |
| Added | https://docs.immutable.com/ | URL | In Scope | 22:26 |
| Added | imx.community | URL | In Scope | 22:26 |
| Added | *.godsunchained.com | OTHER | Out of Scope | 22:26 |
| Added | *.gogbackend.com | OTHER | Out of Scope | 22:26 |
| Added | gogbackend.com | OTHER | Out of Scope | 22:26 |
| Added | godsunchained.com | OTHER | Out of Scope | 22:26 |
| Added | anything that does not belong to immutable | OTHER | Out of Scope | 22:26 |
| Added | any data exposure bug that are classified as public data such as ethereum wallet address, nft purchase activity, or other public blockchain activity | OTHER | Out of Scope | 22:26 |
| Added | *.dev.x.immutable.com, *.sandbox.x.immutable.com, *.dev.x.immutable.com, *.sandbox.imtbl.com, *.dev.imtbl.com, *.ropsten.x.immutable.com, ropsten.imx.community (see brief for exceptions) | OTHER | Out of Scope | 22:26 |
| Added | *.guildofguardians.com | OTHER | Out of Scope | 22:26 |
| Added | https://auth.immutable.com | URL | In Scope | 22:26 |
| Added | https://market.immutable.com/ | URL | In Scope | 22:26 |
| Added | *.godsunchained.com | WILDCARD | Out of Scope | 22:26 |
| Added | https://play.immutable.com | URL | In Scope | 22:26 |
| Added | *.imtbl.com | WILDCARD | In Scope | 22:26 |
| Added | imx.community | URL | In Scope | 22:26 |
| Added | gogbackend.com | URL | Out of Scope | 22:26 |
| Added | godsunchained.com | URL | Out of Scope | 22:26 |
| Added | *.dev.x.immutable.com, *.sandbox.x.immutable.com, *.dev.x.immutable.com, *.sandbox.imtbl.com, *.dev.imtbl.com, *.ropsten.x.immutable.com, ropsten.imx.community (see brief for exceptions) | WILDCARD | Out of Scope | 22:26 |
| Added | *.dev.x.immutable.com, *.sandbox.x.immutable.com, *.dev.x.immutable.com, *.sandbox.imtbl.com, *.dev.imtbl.com, *.ropsten.x.immutable.com, ropsten.imx.community (see brief for exceptions) | WILDCARD | Out of Scope | 22:26 |
| Added | *.dev.x.immutable.com, *.sandbox.x.immutable.com, *.dev.x.immutable.com, *.sandbox.imtbl.com, *.dev.imtbl.com, *.ropsten.x.immutable.com, ropsten.imx.community (see brief for exceptions) | WILDCARD | Out of Scope | 22:26 |
| Added | *.dev.x.immutable.com, *.sandbox.x.immutable.com, *.dev.x.immutable.com, *.sandbox.imtbl.com, *.dev.imtbl.com, *.ropsten.x.immutable.com, ropsten.imx.community (see brief for exceptions) | WILDCARD | Out of Scope | 22:26 |
| Added | *.dev.x.immutable.com, *.sandbox.x.immutable.com, *.dev.x.immutable.com, *.sandbox.imtbl.com, *.dev.imtbl.com, *.ropsten.x.immutable.com, ropsten.imx.community (see brief for exceptions) | WILDCARD | Out of Scope | 22:26 |
| Added | *.dev.x.immutable.com, *.sandbox.x.immutable.com, *.dev.x.immutable.com, *.sandbox.imtbl.com, *.dev.imtbl.com, *.ropsten.x.immutable.com, ropsten.imx.community (see brief for exceptions) | WILDCARD | Out of Scope | 22:26 |
| Added | https://docs.immutable.com/ | URL | In Scope | 22:26 |
| Added | https://passport.immutable.com/ | URL | In Scope | 22:26 |
| Added | https://hub.immutable.com/ | URL | In Scope | 22:26 |
| Added | https://api.immutable.com | URL | In Scope | 22:26 |
| Added | https://api.x.immutable.com/ | URL | In Scope | 22:26 |
| Added | *.testnet.immutable.com | WILDCARD | In Scope | 22:26 |
| Added | https://link.x.immutable.com/ | URL | In Scope | 22:26 |
| Added | *.gogbackend.com | WILDCARD | Out of Scope | 22:26 |
| Added | https://github.com/immutable/ts-immutable-sdk/tree/main/packages/passport | URL | In Scope | 22:26 |
| Added | *.immutable.com | WILDCARD | In Scope | 22:26 |
| Added | testnet.immutable.com | URL | In Scope | 22:26 |
| Added | anything that does not belong to immutable | OTHER | Out of Scope | 22:26 |
| Added | any data exposure bug that are classified as public data such as ethereum wallet address, nft purchase activity, or other public blockchain activity | OTHER | Out of Scope | 22:26 |
Feb 25, 2026
| Change | Asset | Category | Scope | Time |
|---|---|---|---|---|
| Added | https://api.immutable.com | URL | In Scope | 19:09 |
| Added | *.imtbl.com | WILDCARD | In Scope | 19:09 |
| Added | testnet.immutable.com | URL | In Scope | 19:09 |
| Added | *.testnet.immutable.com | WILDCARD | In Scope | 19:09 |
| Added | *.godsunchained.com | WILDCARD | Out of Scope | 19:09 |
| Added | anything that does not belong to immutable | OTHER | Out of Scope | 19:09 |
| Added | *.guildofguardians.com | WILDCARD | Out of Scope | 19:09 |
| Added | https://docs.immutable.com/ | URL | In Scope | 19:09 |
| Added | https://passport.immutable.com/ | URL | In Scope | 19:09 |
| Added | https://github.com/immutable/ts-immutable-sdk/tree/main/packages/passport | URL | In Scope | 19:09 |
| Added | https://hub.immutable.com/ | URL | In Scope | 19:09 |
| Added | *.immutable.com | WILDCARD | In Scope | 19:09 |
| Added | https://link.x.immutable.com/ | URL | In Scope | 19:09 |
| Added | *.gogbackend.com | WILDCARD | Out of Scope | 19:09 |
| Added | https://play.immutable.com | URL | In Scope | 19:09 |
| Added | imx.community | URL | In Scope | 19:09 |
| Added | https://auth.immutable.com | URL | In Scope | 19:09 |
| Added | https://api.x.immutable.com/ | URL | In Scope | 19:09 |
| Added | https://market.immutable.com/ | URL | In Scope | 19:09 |
| Added | gogbackend.com | URL | Out of Scope | 19:09 |
| Added | godsunchained.com | URL | Out of Scope | 19:09 |
| Added | any data exposure bug that are classified as public data such as ethereum wallet address, nft purchase activity, or other public blockchain activity | OTHER | Out of Scope | 19:09 |
| Added | *.dev.x.immutable.com, *.sandbox.x.immutable.com, *.dev.x.immutable.com, *.sandbox.imtbl.com, *.dev.imtbl.com, *.ropsten.x.immutable.com, ropsten.imx.community (see brief for exceptions) | WILDCARD | Out of Scope | 19:09 |
| Added | *.dev.x.immutable.com, *.sandbox.x.immutable.com, *.dev.x.immutable.com, *.sandbox.imtbl.com, *.dev.imtbl.com, *.ropsten.x.immutable.com, ropsten.imx.community (see brief for exceptions) | WILDCARD | Out of Scope | 19:09 |
| Added | *.dev.x.immutable.com, *.sandbox.x.immutable.com, *.dev.x.immutable.com, *.sandbox.imtbl.com, *.dev.imtbl.com, *.ropsten.x.immutable.com, ropsten.imx.community (see brief for exceptions) | WILDCARD | Out of Scope | 19:09 |
| Added | *.dev.x.immutable.com, *.sandbox.x.immutable.com, *.dev.x.immutable.com, *.sandbox.imtbl.com, *.dev.imtbl.com, *.ropsten.x.immutable.com, ropsten.imx.community (see brief for exceptions) | WILDCARD | Out of Scope | 19:09 |
| Added | *.dev.x.immutable.com, *.sandbox.x.immutable.com, *.dev.x.immutable.com, *.sandbox.imtbl.com, *.dev.imtbl.com, *.ropsten.x.immutable.com, ropsten.imx.community (see brief for exceptions) | WILDCARD | Out of Scope | 19:09 |
| Added | *.dev.x.immutable.com, *.sandbox.x.immutable.com, *.dev.x.immutable.com, *.sandbox.imtbl.com, *.dev.imtbl.com, *.ropsten.x.immutable.com, ropsten.imx.community (see brief for exceptions) | WILDCARD | Out of Scope | 19:09 |
| Program Removed | — | — | — | 17:22 |
| Added | https://play.immutable.com | URL | In Scope | 16:59 |
| Added | *.immutable.com | WILDCARD | In Scope | 16:59 |
| Added | *.imtbl.com | WILDCARD | In Scope | 16:59 |
| Added | https://link.x.immutable.com/ | URL | In Scope | 16:59 |
| Added | *.gogbackend.com | WILDCARD | Out of Scope | 16:59 |
| Added | anything that does not belong to immutable | OTHER | Out of Scope | 16:59 |
| Added | *.guildofguardians.com | WILDCARD | Out of Scope | 16:59 |
| Added | https://github.com/immutable/ts-immutable-sdk/tree/main/packages/passport | URL | In Scope | 16:59 |
| Added | testnet.immutable.com | URL | In Scope | 16:59 |
| Added | https://market.immutable.com/ | URL | In Scope | 16:59 |
| Added | gogbackend.com | URL | Out of Scope | 16:59 |
| Added | *.dev.x.immutable.com, *.sandbox.x.immutable.com, *.dev.x.immutable.com, *.sandbox.imtbl.com, *.dev.imtbl.com, *.ropsten.x.immutable.com, ropsten.imx.community (see brief for exceptions) | WILDCARD | Out of Scope | 16:59 |
| Added | *.dev.x.immutable.com, *.sandbox.x.immutable.com, *.dev.x.immutable.com, *.sandbox.imtbl.com, *.dev.imtbl.com, *.ropsten.x.immutable.com, ropsten.imx.community (see brief for exceptions) | WILDCARD | Out of Scope | 16:59 |
| Added | *.dev.x.immutable.com, *.sandbox.x.immutable.com, *.dev.x.immutable.com, *.sandbox.imtbl.com, *.dev.imtbl.com, *.ropsten.x.immutable.com, ropsten.imx.community (see brief for exceptions) | WILDCARD | Out of Scope | 16:59 |
| Added | *.dev.x.immutable.com, *.sandbox.x.immutable.com, *.dev.x.immutable.com, *.sandbox.imtbl.com, *.dev.imtbl.com, *.ropsten.x.immutable.com, ropsten.imx.community (see brief for exceptions) | WILDCARD | Out of Scope | 16:59 |
| Added | *.dev.x.immutable.com, *.sandbox.x.immutable.com, *.dev.x.immutable.com, *.sandbox.imtbl.com, *.dev.imtbl.com, *.ropsten.x.immutable.com, ropsten.imx.community (see brief for exceptions) | WILDCARD | Out of Scope | 16:59 |
| Added | *.dev.x.immutable.com, *.sandbox.x.immutable.com, *.dev.x.immutable.com, *.sandbox.imtbl.com, *.dev.imtbl.com, *.ropsten.x.immutable.com, ropsten.imx.community (see brief for exceptions) | WILDCARD | Out of Scope | 16:59 |
| Added | https://passport.immutable.com/ | URL | In Scope | 16:59 |
| Added | https://auth.immutable.com | URL | In Scope | 16:59 |
| Added | https://docs.immutable.com/ | URL | In Scope | 16:59 |
| Added | https://passport.immutable.com/ | URL | In Scope | 16:59 |
| Added | *.godsunchained.com | WILDCARD | Out of Scope | 16:59 |
| Added | any data exposure bug that are classified as public data such as ethereum wallet address, nft purchase activity, or other public blockchain activity | OTHER | Out of Scope | 16:59 |
| Added | imx.community | URL | In Scope | 16:59 |
| Added | https://auth.immutable.com | URL | In Scope | 16:59 |
| Added | https://github.com/immutable/ts-immutable-sdk/tree/main/packages/passport | OTHER | In Scope | 16:59 |
| Added | https://hub.immutable.com/ | URL | In Scope | 16:59 |
| Added | https://play.immutable.com | URL | In Scope | 16:59 |
| Added | https://api.immutable.com | URL | In Scope | 16:59 |
| Added | https://api.x.immutable.com/ | URL | In Scope | 16:59 |
| Added | *.immutable.com | URL | In Scope | 16:59 |
| Added | *.imtbl.com | URL | In Scope | 16:59 |
| Added | testnet.immutable.com | OTHER | In Scope | 16:59 |
| Added | *.testnet.immutable.com | OTHER | In Scope | 16:59 |
| Added | https://link.x.immutable.com/ | URL | In Scope | 16:59 |
| Added | https://market.immutable.com/ | URL | In Scope | 16:59 |
| Added | https://docs.immutable.com/ | URL | In Scope | 16:59 |
| Added | imx.community | URL | In Scope | 16:59 |
| Added | *.godsunchained.com | OTHER | Out of Scope | 16:59 |
| Added | *.gogbackend.com | OTHER | Out of Scope | 16:59 |
| Added | gogbackend.com | OTHER | Out of Scope | 16:59 |
| Added | godsunchained.com | OTHER | Out of Scope | 16:59 |
| Added | anything that does not belong to immutable | OTHER | Out of Scope | 16:59 |
| Added | any data exposure bug that are classified as public data such as ethereum wallet address, nft purchase activity, or other public blockchain activity | OTHER | Out of Scope | 16:59 |
| Added | *.dev.x.immutable.com, *.sandbox.x.immutable.com, *.dev.x.immutable.com, *.sandbox.imtbl.com, *.dev.imtbl.com, *.ropsten.x.immutable.com, ropsten.imx.community (see brief for exceptions) | OTHER | Out of Scope | 16:59 |
| Added | *.guildofguardians.com | OTHER | Out of Scope | 16:59 |
| Added | https://api.immutable.com | URL | In Scope | 16:59 |
| Added | https://api.x.immutable.com/ | URL | In Scope | 16:59 |
| Added | *.testnet.immutable.com | WILDCARD | In Scope | 16:59 |
| Added | godsunchained.com | URL | Out of Scope | 16:59 |
| Added | https://hub.immutable.com/ | URL | In Scope | 16:59 |