bug-bounty-sncf-connect-1
4
In Scope
15
Out of Scope
In-Scope Assets (4)
| Asset | Category | Bounty | Quick Links | |
|---|---|---|---|---|
| https//monidentifiant.sncf | URL | Yes | - | |
| https://sncf-connect.com | URL | Yes | ||
| https://www.sncf-connect.com | URL | Yes | ||
| https://www.sncf-connect.com/bff | URL | Yes |
Out-of-Scope Assets (15)
| Asset | Category | Bounty | |
|---|---|---|---|
| - hiflow.sncf-connect.com | OTHER | Yes | |
| - office-web-sncf-a.sips-services.com | OTHER | Yes | |
| - ouigo.com | OTHER | Yes | |
| - sncf-voyageurs.com | OTHER | Yes | |
| - ter.sncf.com | OTHER | Yes | |
| - tgvinoui.sncf | OTHER | Yes | |
| - www.garesetconnexions.sncf | OTHER | Yes | |
| - www.groupe-sncf.com | OTHER | Yes | |
| - www.malocationavis.sncf-connect.com | OTHER | Yes | |
| - www.maxjeune-tgvinoui.sncf | OTHER | Yes | |
| - www.sncf-connect-tech.fr | OTHER | Yes | |
| - www.sncf-voyageurs.com | OTHER | Yes | |
| - www.sncf.com | OTHER | Yes | |
| The SNCF Connect mobile applications (Android and Apple) are out of scope even if the web services they use are in scope (accessible through paths beginning by 'https://www.sncf-connect.com/bff'). | OTHER | Yes | |
| The scope of the Bug Bounty program is defined in the preceding section. To remove any potential ambiguity regarding this scope, the following non‑exhaustive examples illustrate domains that are not included in the program: | OTHER | Yes |
Scope Changes (86)
Feb 25, 2026
| Change | Asset | Category | Scope | Time |
|---|---|---|---|---|
| Added | - office-web-sncf-a.sips-services.com | URL | Out of Scope | 19:08 |
| Added | - www.sncf.com | URL | Out of Scope | 19:08 |
| Added | - hiflow.sncf-connect.com | URL | Out of Scope | 19:08 |
| Added | https://sncf-connect.com | URL | In Scope | 19:08 |
| Added | https//monidentifiant.sncf | URL | In Scope | 19:08 |
| Added | https://www.sncf-connect.com/bff | URL | In Scope | 19:08 |
| Added | - www.malocationavis.sncf-connect.com | URL | Out of Scope | 19:08 |
| Added | the sncf connect mobile applications (android and apple) are out of scope even if the web services they use are in scope (accessible through paths beginning by 'https://www.sncf-connect.com/bff') | OTHER | Out of Scope | 19:08 |
| Added | - sncf-voyageurs.com | URL | Out of Scope | 19:08 |
| Added | - tgvinoui.sncf | URL | Out of Scope | 19:08 |
| Added | - ter.sncf.com | URL | Out of Scope | 19:08 |
| Added | - ouigo.com | URL | Out of Scope | 19:08 |
| Added | - www.maxjeune-tgvinoui.sncf | URL | Out of Scope | 19:08 |
| Added | https://www.sncf-connect.com | URL | In Scope | 19:08 |
| Added | the scope of the bug bounty program is defined in the preceding section. to remove any potential ambiguity regarding this scope, the following non‑exhaustive examples illustrate domains that are not included in the program: | OTHER | Out of Scope | 19:08 |
| Added | - www.groupe-sncf.com | URL | Out of Scope | 19:08 |
| Added | - www.garesetconnexions.sncf | URL | Out of Scope | 19:08 |
| Added | - www.sncf-voyageurs.com | URL | Out of Scope | 19:08 |
| Added | - www.sncf-connect-tech.fr | URL | Out of Scope | 19:08 |
Feb 23, 2026
| Change | Asset | Category | Scope | Time |
|---|---|---|---|---|
| Added | - hiflow.sncf-connect.com | URL | Out of Scope | 09:43 |
| Added | - office-web-sncf-a.sips-services.com | URL | Out of Scope | 09:43 |
| Added | - www.sncf.com | URL | Out of Scope | 09:43 |
| Added | - www.groupe-sncf.com | URL | Out of Scope | 09:43 |
| Added | - tgvinoui.sncf | URL | Out of Scope | 09:43 |
| Added | - www.malocationavis.sncf-connect.com | URL | Out of Scope | 09:43 |
| Added | - www.garesetconnexions.sncf | URL | Out of Scope | 09:43 |
| Added | - ouigo.com | URL | Out of Scope | 09:43 |
| Added | - sncf-voyageurs.com | URL | Out of Scope | 09:43 |
| Added | - www.sncf-voyageurs.com | URL | Out of Scope | 09:43 |
| Added | - ter.sncf.com | URL | Out of Scope | 09:43 |
| Added | - www.maxjeune-tgvinoui.sncf | URL | Out of Scope | 09:43 |
| Added | the scope of the bug bounty program is defined in the preceding section. to remove any potential ambiguity regarding this scope, the following non‑exhaustive examples illustrate domains that are not included in the program: | OTHER | Out of Scope | 09:43 |
| Added | - www.sncf-connect-tech.fr | OTHER | Out of Scope | 09:43 |
| Added | - office-web-sncf-a.sips-services.com | OTHER | Out of Scope | 09:43 |
| Added | - www.sncf.com | OTHER | Out of Scope | 09:43 |
| Added | - www.groupe-sncf.com | OTHER | Out of Scope | 09:43 |
| Added | - www.garesetconnexions.sncf | OTHER | Out of Scope | 09:43 |
| Added | - sncf-voyageurs.com | OTHER | Out of Scope | 09:43 |
| Added | - www.sncf-voyageurs.com | OTHER | Out of Scope | 09:43 |
| Added | - tgvinoui.sncf | OTHER | Out of Scope | 09:43 |
| Added | - ter.sncf.com | OTHER | Out of Scope | 09:43 |
| Added | - ouigo.com | OTHER | Out of Scope | 09:43 |
| Added | - www.maxjeune-tgvinoui.sncf | OTHER | Out of Scope | 09:43 |
| Added | - www.malocationavis.sncf-connect.com | OTHER | Out of Scope | 09:43 |
| Added | - hiflow.sncf-connect.com | OTHER | Out of Scope | 09:43 |
| Removed | please note sncf-connect.com doesn't own the sncf.com domains | OTHER | Out of Scope | 09:43 |
| Removed | - https://www.sncf.com | OTHER | Out of Scope | 09:43 |
| Removed | - https://www.malocationavis.sncf-connect.com | OTHER | Out of Scope | 09:43 |
| Removed | - https://www.maxjeune-tgvinoui.sncf | OTHER | Out of Scope | 09:43 |
| Removed | anything that is not listed as part of the scope, example : | OTHER | Out of Scope | 09:43 |
| Removed | - https://tgvinoui.sncf | OTHER | Out of Scope | 09:43 |
| Removed | - https://www.sncf-voyageurs.com | OTHER | Out of Scope | 09:43 |
| Added | the scope of the bug bounty program is defined in the preceding section. to remove any potential ambiguity regarding this scope, the following non‑exhaustive examples illustrate domains that are not included in the program: | OTHER | Out of Scope | 09:43 |
| Added | - www.sncf-connect-tech.fr | URL | Out of Scope | 09:43 |
Feb 22, 2026
| Change | Asset | Category | Scope | Time |
|---|---|---|---|---|
| Added | anything that is not listed as part of the scope, example : | OTHER | Out of Scope | 00:52 |
| Added | - https://www.malocationavis.sncf-connect.com | URL | Out of Scope | 00:52 |
| Added | https//monidentifiant.sncf | URL | In Scope | 00:52 |
| Added | please note sncf-connect.com doesn't own the sncf.com domains | OTHER | Out of Scope | 00:52 |
| Added | - https://www.sncf.com | URL | Out of Scope | 00:52 |
| Added | the sncf connect mobile applications (android and apple) are out of scope even if the web services they use are in scope (accessible through paths beginning by 'https://www.sncf-connect.com/bff') | OTHER | Out of Scope | 00:52 |
| Added | https://www.sncf-connect.com | URL | In Scope | 00:52 |
| Added | https://sncf-connect.com | URL | In Scope | 00:52 |
| Added | https://www.sncf-connect.com/bff | URL | In Scope | 00:52 |
| Added | - https://tgvinoui.sncf | URL | Out of Scope | 00:52 |
| Added | - https://www.sncf-voyageurs.com | URL | Out of Scope | 00:52 |
| Added | - https://www.maxjeune-tgvinoui.sncf | URL | Out of Scope | 00:52 |
Feb 21, 2026
| Change | Asset | Category | Scope | Time |
|---|---|---|---|---|
| Removed | the sncf connect mobile applications (android and apple) are out of scope even if the web services they use are in scope (accessible through paths beginning by 'https://www.sncf-connect.com/bff') | OTHER | Out of Scope | 21:40 |
| Removed | https://www.sncf-connect.com/bff | URL | In Scope | 21:40 |
| Removed | please note sncf-connect.com doesn't own the sncf.com domains | OTHER | Out of Scope | 21:40 |
| Removed | anything that is not listed as part of the scope, example : | OTHER | Out of Scope | 21:40 |
| Removed | - https://www.sncf.com | OTHER | Out of Scope | 21:40 |
| Removed | - https://tgvinoui.sncf | OTHER | Out of Scope | 21:40 |
| Removed | - https://www.sncf-voyageurs.com | OTHER | Out of Scope | 21:40 |
| Removed | - https://www.maxjeune-tgvinoui.sncf | OTHER | Out of Scope | 21:40 |
| Removed | - https://www.malocationavis.sncf-connect.com | OTHER | Out of Scope | 21:40 |
| Removed | https://www.sncf-connect.com | URL | In Scope | 21:40 |
| Removed | https://sncf-connect.com | URL | In Scope | 21:40 |
| Removed | https//monidentifiant.sncf | URL | In Scope | 21:40 |
| Added | anything that is not listed as part of the scope, example : | OTHER | Out of Scope | 00:33 |
| Added | - https://www.sncf.com | OTHER | Out of Scope | 00:33 |
| Added | - https://tgvinoui.sncf | OTHER | Out of Scope | 00:33 |
| Added | - https://www.sncf-voyageurs.com | OTHER | Out of Scope | 00:33 |
| Added | - https://www.maxjeune-tgvinoui.sncf | OTHER | Out of Scope | 00:33 |
| Added | - https://www.malocationavis.sncf-connect.com | OTHER | Out of Scope | 00:33 |
| Added | the sncf connect mobile applications (android and apple) are out of scope even if the web services they use are in scope (accessible through paths beginning by 'https://www.sncf-connect.com/bff') | OTHER | Out of Scope | 00:33 |
| Added | please note sncf-connect.com doesn't own the sncf.com domains | OTHER | Out of Scope | 00:33 |