swiss-post
11
In Scope
5
Out of Scope
In-Scope Assets (11)
| Asset | Category | Bounty | Quick Links | |
|---|---|---|---|---|
| (*.post.ch:80|*.post.ch:443) AND 194.41.128.0/17 | OTHER | Yes | - | |
| https://account.post.ch | URL | Yes | ||
| https://apps.apple.com/ch/app/die-post/id378676700 | IOS | Yes | - | |
| https://billingonline.post.ch/OnlinePayment/Web/v1/BOI | URL | Yes | ||
| https://itunes.apple.com/ch/app/postcard-creator/id820354055?mt=8 | IOS | Yes | - | |
| https://play.google.com/store/apps/details?id=ch.post.it.pcc&hl=en | ANDROID | Yes | ||
| https://play.google.com/store/apps/details?id=com.nth.swisspost&hl=de_CH&gl=US | ANDROID | Yes | ||
| https://service.post.ch/ekp-web/ | URL | Yes | ||
| https://service.post.ch/ele-klp/ele/ | URL | Yes | ||
| https://service.post.ch/zopa/app/ | URL | Yes | ||
| https://shop.post.ch/shop | URL | Yes |
Out-of-Scope Assets (5)
| Asset | Category | Bounty | |
|---|---|---|---|
| Any services related to Incamail (for example https://incamail-dev.post.ch (194.41.248.224) and https://incamail-test.post.ch (194.41.248.58)) | OTHER | Yes | |
| Anything that has not been described as in scope in the previous section is automatically out of scope. | OTHER | Yes | |
| Attacks on administrative and surrounding systems that are not used for the in-scope services are not permitted (this includes DNS, NTP, routers, systems of the ISP, etc.). | OTHER | Yes | |
| Please note that some of the applications may contain links or redirect you away from the URIs described in the scope section. This means you are leaving the scope if you follow these links / redirects. | OTHER | Yes | |
| The alternative login (https://login.swissid.ch) is out of scope. It also leads to the in-scope service, (https://account.post.ch) but we have designated it as out of scope. | OTHER | Yes |
Scope Changes (55)
Feb 25, 2026
| Change | Asset | Category | Scope | Time |
|---|---|---|---|---|
| Added | https://shop.post.ch/shop | URL | In Scope | 19:08 |
| Added | https://billingonline.post.ch/OnlinePayment/Web/v1/BOI | URL | In Scope | 19:08 |
| Added | https://service.post.ch/zopa/app | URL | In Scope | 19:08 |
| Added | https://play.google.com/store/apps/details?id=ch.post.it.pcc&hl=en | ANDROID | In Scope | 19:08 |
| Added | anything that has not been described as in scope in the previous section is automatically out of scope | OTHER | Out of Scope | 19:08 |
| Added | the alternative login (https://login.swissid.ch) is out of scope. it also leads to the in-scope service, (https://account.post.ch) but we have designated it as out of scope | OTHER | Out of Scope | 19:08 |
| Added | https://service.post.ch/ele-klp/ele | URL | In Scope | 19:08 |
| Added | any services related to incamail (for example https://incamail-dev.post.ch (194.41.248.224) and https://incamail-test.post.ch (194.41.248.58)) | OTHER | Out of Scope | 19:08 |
| Added | (*.post.ch:80|*.post.ch:443) and 194.41.128.0/17 | WILDCARD | In Scope | 19:08 |
| Added | (*.post.ch:80|*.post.ch:443) and 194.41.128.0/17 | WILDCARD | In Scope | 19:08 |
| Added | https://apps.apple.com/ch/app/die-post/id378676700 | IOS | In Scope | 19:08 |
| Added | attacks on administrative and surrounding systems that are not used for the in-scope services are not permitted (this includes dns, ntp, routers, systems of the isp, etc.) | OTHER | Out of Scope | 19:08 |
| Added | please note that some of the applications may contain links or redirect you away from the uris described in the scope section. this means you are leaving the scope if you follow these links / redirects | OTHER | Out of Scope | 19:08 |
| Added | https://account.post.ch | URL | In Scope | 19:08 |
| Added | https://service.post.ch/ekp-web | URL | In Scope | 19:08 |
| Added | https://play.google.com/store/apps/details?id=com.nth.swisspost&hl=de_CH&gl=US | ANDROID | In Scope | 19:08 |
| Added | https://itunes.apple.com/ch/app/postcard-creator/id820354055?mt=8 | IOS | In Scope | 19:08 |
Feb 22, 2026
| Change | Asset | Category | Scope | Time |
|---|---|---|---|---|
| Added | the alternative login (https://login.swissid.ch) is out of scope. it also leads to the in-scope service, (https://account.post.ch) but we have designated it as out of scope | OTHER | Out of Scope | 00:51 |
| Added | https://service.post.ch/ekp-web | URL | In Scope | 00:51 |
| Added | https://play.google.com/store/apps/details?id=com.nth.swisspost&hl=de_CH&gl=US | ANDROID | In Scope | 00:51 |
| Added | https://itunes.apple.com/ch/app/postcard-creator/id820354055?mt=8 | IOS | In Scope | 00:51 |
| Added | please note that some of the applications may contain links or redirect you away from the uris described in the scope section. this means you are leaving the scope if you follow these links / redirects | OTHER | Out of Scope | 00:51 |
| Added | https://account.post.ch | URL | In Scope | 00:51 |
| Added | https://apps.apple.com/ch/app/die-post/id378676700 | IOS | In Scope | 00:51 |
| Added | https://play.google.com/store/apps/details?id=ch.post.it.pcc&hl=en | ANDROID | In Scope | 00:51 |
| Added | (*.post.ch:80|*.post.ch:443) and 194.41.128.0/17 | WILDCARD | In Scope | 00:51 |
| Added | (*.post.ch:80|*.post.ch:443) and 194.41.128.0/17 | WILDCARD | In Scope | 00:51 |
| Added | https://shop.post.ch/shop | URL | In Scope | 00:51 |
| Added | https://service.post.ch/zopa/app | URL | In Scope | 00:51 |
| Added | https://service.post.ch/ele-klp/ele | URL | In Scope | 00:51 |
| Added | attacks on administrative and surrounding systems that are not used for the in-scope services are not permitted (this includes dns, ntp, routers, systems of the isp, etc.) | OTHER | Out of Scope | 00:51 |
| Added | https://billingonline.post.ch/OnlinePayment/Web/v1/BOI | URL | In Scope | 00:51 |
| Added | anything that has not been described as in scope in the previous section is automatically out of scope | OTHER | Out of Scope | 00:51 |
| Added | any services related to incamail (for example https://incamail-dev.post.ch (194.41.248.224) and https://incamail-test.post.ch (194.41.248.58)) | OTHER | Out of Scope | 00:51 |
Feb 21, 2026
| Change | Asset | Category | Scope | Time |
|---|---|---|---|---|
| Removed | (*.post.ch:80|*.post.ch:443) and 194.41.128.0/17 | OTHER | In Scope | 21:40 |
| Removed | https://account.post.ch | URL | In Scope | 21:40 |
| Removed | https://shop.post.ch/shop | URL | In Scope | 21:40 |
| Removed | https://service.post.ch/ekp-web | URL | In Scope | 21:40 |
| Removed | https://service.post.ch/zopa/app | URL | In Scope | 21:40 |
| Removed | https://play.google.com/store/apps/details?id=com.nth.swisspost&hl=de_CH&gl=US | ANDROID | In Scope | 21:40 |
| Removed | https://apps.apple.com/ch/app/die-post/id378676700 | IOS | In Scope | 21:40 |
| Removed | https://itunes.apple.com/ch/app/postcard-creator/id820354055?mt=8 | IOS | In Scope | 21:40 |
| Removed | https://play.google.com/store/apps/details?id=ch.post.it.pcc&hl=en | ANDROID | In Scope | 21:40 |
| Removed | https://billingonline.post.ch/OnlinePayment/Web/v1/BOI | URL | In Scope | 21:40 |
| Removed | https://service.post.ch/ele-klp/ele | URL | In Scope | 21:40 |
| Removed | anything that has not been described as in scope in the previous section is automatically out of scope | OTHER | Out of Scope | 21:40 |
| Removed | attacks on administrative and surrounding systems that are not used for the in-scope services are not permitted (this includes dns, ntp, routers, systems of the isp, etc.) | OTHER | Out of Scope | 21:40 |
| Removed | the alternative login (https://login.swissid.ch) is out of scope. it also leads to the in-scope service, (https://account.post.ch) but we have designated it as out of scope | OTHER | Out of Scope | 21:40 |
| Removed | any services related to incamail (for example https://incamail-dev.post.ch (194.41.248.224) and https://incamail-test.post.ch (194.41.248.58)) | OTHER | Out of Scope | 21:40 |
| Removed | please note that some of the applications may contain links or redirect you away from the uris described in the scope section. this means you are leaving the scope if you follow these links / redirects | OTHER | Out of Scope | 21:40 |
| Added | attacks on administrative and surrounding systems that are not used for the in-scope services are not permitted (this includes dns, ntp, routers, systems of the isp, etc.) | OTHER | Out of Scope | 00:33 |
| Added | the alternative login (https://login.swissid.ch) is out of scope. it also leads to the in-scope service, (https://account.post.ch) but we have designated it as out of scope | OTHER | Out of Scope | 00:33 |
| Added | any services related to incamail (for example https://incamail-dev.post.ch (194.41.248.224) and https://incamail-test.post.ch (194.41.248.58)) | OTHER | Out of Scope | 00:33 |
| Added | please note that some of the applications may contain links or redirect you away from the uris described in the scope section. this means you are leaving the scope if you follow these links / redirects | OTHER | Out of Scope | 00:33 |
| Added | anything that has not been described as in scope in the previous section is automatically out of scope | OTHER | Out of Scope | 00:33 |