bug-bounty-sncf-connect-1
4
In Scope
2
Out of Scope
In-Scope Assets (4)
| Asset | Category | Bounty | Quick Links | |
|---|---|---|---|---|
| https//monidentifiant.sncf | URL | Yes | - | |
| https://sncf-connect.com | URL | Yes | ||
| https://www.sncf-connect.com | URL | Yes | ||
| https://www.sncf-connect.com/bff | URL | Yes |
Out-of-Scope Assets (2)
| Asset | Category | Bounty | |
|---|---|---|---|
| All domains and subdomains that are not listed within the scope of the Bug Bounty program. | OTHER | Yes | |
| The SNCF Connect mobile applications (Android and Apple) are out of scope even if the web services they use are in scope (accessible through paths beginning by 'https://www.sncf-connect.com/bff'). | OTHER | Yes |
Scope Changes (141)
Apr 27, 2026
| Change | Asset | Category | Scope | Time |
|---|---|---|---|---|
| Added | all domains and subdomains that are not listed within the scope of the bug bounty program | OTHER | Out of Scope | 12:26 |
| Removed | - tgvinoui.sncf | OTHER | Out of Scope | 12:26 |
| Removed | - hiflow.sncf-connect.com | OTHER | Out of Scope | 12:26 |
| Removed | the scope of the bug bounty program is defined in the preceding section. to remove any potential ambiguity regarding this scope, the following non‑exhaustive examples illustrate domains that are not included in the program: | OTHER | Out of Scope | 12:26 |
| Removed | - www.sncf-connect-tech.fr | OTHER | Out of Scope | 12:26 |
| Removed | - www.sncf.com | OTHER | Out of Scope | 12:26 |
| Removed | - sncf-voyageurs.com | OTHER | Out of Scope | 12:26 |
| Removed | - www.malocationavis.sncf-connect.com | OTHER | Out of Scope | 12:26 |
| Removed | - www.groupe-sncf.com | OTHER | Out of Scope | 12:26 |
| Removed | - www.maxjeune-tgvinoui.sncf | OTHER | Out of Scope | 12:26 |
| Removed | - www.garesetconnexions.sncf | OTHER | Out of Scope | 12:26 |
| Removed | - ter.sncf.com | OTHER | Out of Scope | 12:26 |
| Removed | - www.sncf-voyageurs.com | OTHER | Out of Scope | 12:26 |
| Removed | - office-web-sncf-a.sips-services.com | OTHER | Out of Scope | 12:26 |
| Removed | - ouigo.com | OTHER | Out of Scope | 12:26 |
| Added | all domains and subdomains that are not listed within the scope of the bug bounty program | OTHER | Out of Scope | 12:26 |
Mar 26, 2026
| Change | Asset | Category | Scope | Time |
|---|---|---|---|---|
| Added | - www.maxjeune-tgvinoui.sncf | OTHER | Out of Scope | 17:21 |
| Added | https://www.sncf-connect.com | URL | In Scope | 17:21 |
| Added | https://sncf-connect.com | URL | In Scope | 17:21 |
| Added | https//monidentifiant.sncf | URL | In Scope | 17:21 |
| Added | https://www.sncf-connect.com/bff | URL | In Scope | 17:21 |
| Added | the scope of the bug bounty program is defined in the preceding section. to remove any potential ambiguity regarding this scope, the following non‑exhaustive examples illustrate domains that are not included in the program: | OTHER | Out of Scope | 17:21 |
| Added | - www.sncf-connect-tech.fr | OTHER | Out of Scope | 17:21 |
| Added | - office-web-sncf-a.sips-services.com | OTHER | Out of Scope | 17:21 |
| Added | - www.sncf.com | OTHER | Out of Scope | 17:21 |
| Added | - www.groupe-sncf.com | OTHER | Out of Scope | 17:21 |
| Added | - www.garesetconnexions.sncf | OTHER | Out of Scope | 17:21 |
| Added | - sncf-voyageurs.com | OTHER | Out of Scope | 17:21 |
| Added | - www.sncf-voyageurs.com | OTHER | Out of Scope | 17:21 |
| Added | - tgvinoui.sncf | OTHER | Out of Scope | 17:21 |
| Added | - ter.sncf.com | OTHER | Out of Scope | 17:21 |
| Added | - ouigo.com | OTHER | Out of Scope | 17:21 |
| Added | - www.malocationavis.sncf-connect.com | OTHER | Out of Scope | 17:21 |
| Added | - hiflow.sncf-connect.com | OTHER | Out of Scope | 17:21 |
| Added | the sncf connect mobile applications (android and apple) are out of scope even if the web services they use are in scope (accessible through paths beginning by 'https://www.sncf-connect.com/bff') | OTHER | Out of Scope | 17:21 |
| Added | - office-web-sncf-a.sips-services.com | URL | Out of Scope | 17:21 |
| Added | - www.sncf-voyageurs.com | URL | Out of Scope | 17:21 |
| Added | - ter.sncf.com | URL | Out of Scope | 17:21 |
| Added | - www.maxjeune-tgvinoui.sncf | URL | Out of Scope | 17:21 |
| Added | - hiflow.sncf-connect.com | URL | Out of Scope | 17:21 |
| Added | https://www.sncf-connect.com | URL | In Scope | 17:21 |
| Added | https://sncf-connect.com | URL | In Scope | 17:21 |
| Added | the scope of the bug bounty program is defined in the preceding section. to remove any potential ambiguity regarding this scope, the following non‑exhaustive examples illustrate domains that are not included in the program: | OTHER | Out of Scope | 17:21 |
| Added | - www.sncf.com | URL | Out of Scope | 17:21 |
| Added | - www.groupe-sncf.com | URL | Out of Scope | 17:21 |
| Added | - www.sncf-connect-tech.fr | URL | Out of Scope | 17:21 |
| Added | - sncf-voyageurs.com | URL | Out of Scope | 17:21 |
| Added | - tgvinoui.sncf | URL | Out of Scope | 17:21 |
| Added | the sncf connect mobile applications (android and apple) are out of scope even if the web services they use are in scope (accessible through paths beginning by 'https://www.sncf-connect.com/bff') | OTHER | Out of Scope | 17:21 |
| Added | https//monidentifiant.sncf | URL | In Scope | 17:21 |
| Added | - www.garesetconnexions.sncf | URL | Out of Scope | 17:21 |
| Added | - ouigo.com | URL | Out of Scope | 17:21 |
| Added | - www.malocationavis.sncf-connect.com | URL | Out of Scope | 17:21 |
| Added | https://www.sncf-connect.com/bff | URL | In Scope | 17:21 |
| Program Removed | — | — | — | 16:06 |
Feb 25, 2026
| Change | Asset | Category | Scope | Time |
|---|---|---|---|---|
| Added | - www.sncf-voyageurs.com | URL | Out of Scope | 19:08 |
| Added | - ter.sncf.com | URL | Out of Scope | 19:08 |
| Added | - ouigo.com | URL | Out of Scope | 19:08 |
| Added | - www.maxjeune-tgvinoui.sncf | URL | Out of Scope | 19:08 |
| Added | https://www.sncf-connect.com | URL | In Scope | 19:08 |
| Added | the scope of the bug bounty program is defined in the preceding section. to remove any potential ambiguity regarding this scope, the following non‑exhaustive examples illustrate domains that are not included in the program: | OTHER | Out of Scope | 19:08 |
| Added | - www.groupe-sncf.com | URL | Out of Scope | 19:08 |
| Added | - www.garesetconnexions.sncf | URL | Out of Scope | 19:08 |
| Added | - www.sncf-connect-tech.fr | URL | Out of Scope | 19:08 |
| Added | - office-web-sncf-a.sips-services.com | URL | Out of Scope | 19:08 |
| Added | - www.sncf.com | URL | Out of Scope | 19:08 |
| Added | - hiflow.sncf-connect.com | URL | Out of Scope | 19:08 |
| Added | https://sncf-connect.com | URL | In Scope | 19:08 |
| Added | https//monidentifiant.sncf | URL | In Scope | 19:08 |
| Added | https://www.sncf-connect.com/bff | URL | In Scope | 19:08 |
| Added | - www.malocationavis.sncf-connect.com | URL | Out of Scope | 19:08 |
| Added | the sncf connect mobile applications (android and apple) are out of scope even if the web services they use are in scope (accessible through paths beginning by 'https://www.sncf-connect.com/bff') | OTHER | Out of Scope | 19:08 |
| Added | - sncf-voyageurs.com | URL | Out of Scope | 19:08 |
| Added | - tgvinoui.sncf | URL | Out of Scope | 19:08 |
Feb 23, 2026
| Change | Asset | Category | Scope | Time |
|---|---|---|---|---|
| Added | the scope of the bug bounty program is defined in the preceding section. to remove any potential ambiguity regarding this scope, the following non‑exhaustive examples illustrate domains that are not included in the program: | OTHER | Out of Scope | 09:43 |
| Added | - www.sncf-connect-tech.fr | OTHER | Out of Scope | 09:43 |
| Added | - office-web-sncf-a.sips-services.com | OTHER | Out of Scope | 09:43 |
| Added | - www.sncf.com | OTHER | Out of Scope | 09:43 |
| Added | - www.groupe-sncf.com | OTHER | Out of Scope | 09:43 |
| Added | - www.garesetconnexions.sncf | OTHER | Out of Scope | 09:43 |
| Added | - sncf-voyageurs.com | OTHER | Out of Scope | 09:43 |
| Added | - www.sncf-voyageurs.com | OTHER | Out of Scope | 09:43 |
| Added | - tgvinoui.sncf | OTHER | Out of Scope | 09:43 |
| Added | - ter.sncf.com | OTHER | Out of Scope | 09:43 |
| Added | - ouigo.com | OTHER | Out of Scope | 09:43 |
| Added | - www.maxjeune-tgvinoui.sncf | OTHER | Out of Scope | 09:43 |
| Added | - www.malocationavis.sncf-connect.com | OTHER | Out of Scope | 09:43 |
| Added | - hiflow.sncf-connect.com | OTHER | Out of Scope | 09:43 |
| Removed | please note sncf-connect.com doesn't own the sncf.com domains | OTHER | Out of Scope | 09:43 |
| Removed | - https://www.sncf.com | OTHER | Out of Scope | 09:43 |
| Removed | - https://www.malocationavis.sncf-connect.com | OTHER | Out of Scope | 09:43 |
| Removed | - https://www.maxjeune-tgvinoui.sncf | OTHER | Out of Scope | 09:43 |
| Removed | anything that is not listed as part of the scope, example : | OTHER | Out of Scope | 09:43 |
| Removed | - https://tgvinoui.sncf | OTHER | Out of Scope | 09:43 |
| Removed | - https://www.sncf-voyageurs.com | OTHER | Out of Scope | 09:43 |
| Added | the scope of the bug bounty program is defined in the preceding section. to remove any potential ambiguity regarding this scope, the following non‑exhaustive examples illustrate domains that are not included in the program: | OTHER | Out of Scope | 09:43 |
| Added | - www.sncf-connect-tech.fr | URL | Out of Scope | 09:43 |
| Added | - hiflow.sncf-connect.com | URL | Out of Scope | 09:43 |
| Added | - office-web-sncf-a.sips-services.com | URL | Out of Scope | 09:43 |
| Added | - www.sncf.com | URL | Out of Scope | 09:43 |
| Added | - www.groupe-sncf.com | URL | Out of Scope | 09:43 |
| Added | - tgvinoui.sncf | URL | Out of Scope | 09:43 |
| Added | - www.malocationavis.sncf-connect.com | URL | Out of Scope | 09:43 |
| Added | - www.garesetconnexions.sncf | URL | Out of Scope | 09:43 |
| Added | - ouigo.com | URL | Out of Scope | 09:43 |
| Added | - sncf-voyageurs.com | URL | Out of Scope | 09:43 |
| Added | - www.sncf-voyageurs.com | URL | Out of Scope | 09:43 |
| Added | - ter.sncf.com | URL | Out of Scope | 09:43 |
| Added | - www.maxjeune-tgvinoui.sncf | URL | Out of Scope | 09:43 |
Feb 22, 2026
| Change | Asset | Category | Scope | Time |
|---|---|---|---|---|
| Added | - https://www.maxjeune-tgvinoui.sncf | URL | Out of Scope | 00:52 |
| Added | https://www.sncf-connect.com/bff | URL | In Scope | 00:52 |
| Added | - https://www.malocationavis.sncf-connect.com | URL | Out of Scope | 00:52 |
| Added | https//monidentifiant.sncf | URL | In Scope | 00:52 |
| Added | please note sncf-connect.com doesn't own the sncf.com domains | OTHER | Out of Scope | 00:52 |
| Added | - https://www.sncf.com | URL | Out of Scope | 00:52 |
| Added | the sncf connect mobile applications (android and apple) are out of scope even if the web services they use are in scope (accessible through paths beginning by 'https://www.sncf-connect.com/bff') | OTHER | Out of Scope | 00:52 |
| Added | https://www.sncf-connect.com | URL | In Scope | 00:52 |
| Added | https://sncf-connect.com | URL | In Scope | 00:52 |
| Added | anything that is not listed as part of the scope, example : | OTHER | Out of Scope | 00:52 |
| Added | - https://tgvinoui.sncf | URL | Out of Scope | 00:52 |
| Added | - https://www.sncf-voyageurs.com | URL | Out of Scope | 00:52 |
Feb 21, 2026
| Change | Asset | Category | Scope | Time |
|---|---|---|---|---|
| Removed | https://www.sncf-connect.com | URL | In Scope | 21:40 |
| Removed | https://sncf-connect.com | URL | In Scope | 21:40 |
| Removed | https//monidentifiant.sncf | URL | In Scope | 21:40 |
| Removed | https://www.sncf-connect.com/bff | URL | In Scope | 21:40 |
| Removed | please note sncf-connect.com doesn't own the sncf.com domains | OTHER | Out of Scope | 21:40 |
| Removed | anything that is not listed as part of the scope, example : | OTHER | Out of Scope | 21:40 |
| Removed | - https://www.sncf.com | OTHER | Out of Scope | 21:40 |
| Removed | - https://tgvinoui.sncf | OTHER | Out of Scope | 21:40 |
| Removed | - https://www.sncf-voyageurs.com | OTHER | Out of Scope | 21:40 |
| Removed | - https://www.maxjeune-tgvinoui.sncf | OTHER | Out of Scope | 21:40 |
| Removed | - https://www.malocationavis.sncf-connect.com | OTHER | Out of Scope | 21:40 |
| Removed | the sncf connect mobile applications (android and apple) are out of scope even if the web services they use are in scope (accessible through paths beginning by 'https://www.sncf-connect.com/bff') | OTHER | Out of Scope | 21:40 |
| Added | anything that is not listed as part of the scope, example : | OTHER | Out of Scope | 00:33 |
| Added | - https://www.sncf.com | OTHER | Out of Scope | 00:33 |
| Added | - https://tgvinoui.sncf | OTHER | Out of Scope | 00:33 |
| Added | - https://www.sncf-voyageurs.com | OTHER | Out of Scope | 00:33 |
| Added | please note sncf-connect.com doesn't own the sncf.com domains | OTHER | Out of Scope | 00:33 |
| Added | - https://www.maxjeune-tgvinoui.sncf | OTHER | Out of Scope | 00:33 |
| Added | - https://www.malocationavis.sncf-connect.com | OTHER | Out of Scope | 00:33 |
| Added | the sncf connect mobile applications (android and apple) are out of scope even if the web services they use are in scope (accessible through paths beginning by 'https://www.sncf-connect.com/bff') | OTHER | Out of Scope | 00:33 |