+ | https://bugcrowd.com/engagements/okta | 28 | 17 | Bugcrowd |
In Scope Assets:- URL: bugcrowd-pam-###.oktapreview.com
- URL: bugcrowd-pam-###.pam.oktapreview.com
- URL: https://bugcrowd-oie-%username%-1.workflows.oktapreview.com
- URL: https://bugcrowd-oie-%username%-2.workflows.oktapreview.com
- URL: https://bugcrowd-pam-###.workflows.oktapreview.com
- OTHER: Desktop MFA for Windows
- OTHER: Desktop MFA for macOS
- OTHER: Password Sync for macOS
- URL: https://support.okta.com
- URL: bugcrowd-oie-%username%-1.at.oktapreview.com
- URL: bugcrowd-oie-%username%-2.at.oktapreview.com
- URL: https://bugcrowd-pam-###.at.oktapreview.com
- URL: bugcrowd-oie-%username%-1.oktapreview.com
- URL: bugcrowd-oie-%username%-2.oktapreview.com
- URL: https://bugcrowd-pam-###.oktapreview.com
- OTHER: https://www.okta.com/fastpass/
- URL: bugcrowd-oie-%username%-1-admin.oktapreview.com
- URL: bugcrowd-oie-%username%-2-admin.oktapreview.com
- URL: https://www.okta.com/products/advanced-server-access/
- URL: http://app.scaleft.com/
- OTHER: https://help.okta.com/asa/en-us/Content/Topics/Adv_Server_Access/docs/client.htm
- IOS: https://apps.apple.com/us/app/okta-verify/id490179405
- ANDROID: https://play.google.com/store/apps/details?id=com.okta.android.auth&hl=en_US&gl=US
- OTHER: https://apps.apple.com/us/app/okta-verify/id490179405
- OTHER: Okta Verify (Windows)
- OTHER: Okta On-Prem Agents ( AD, LDAP, RDP, IWA )
- OTHER: https://help.okta.com/en/prod/Content/Topics/Adv_Server_Access/docs/sftd-windows.htm
- OTHER: https://help.okta.com/en/prod/Content/Topics/Settings/download-browser-plugin.htm
Out of Scope Assets:- URL: bugcrowd-%username%-1.oktapreview.com (OOS)
- URL: bugcrowd-%username%-2.oktapreview.com (OOS)
- URL: *.okta.com (OOS)
- URL: *.trexcloud.com (OOS)
- URL: login.okta.com (OOS)
- URL: pages.okta.com (OOS)
- URL: developer.okta.com (OOS)
- URL: trust.okta.com (OOS)
- URL: www.okta.com (static site) (OOS)
- URL: https://scaleft.com (OOS)
- URL: https://app.scaleft.com/p/signup (OOS)
- URL: https://github.com/oktadev (OOS)
- OTHER: Backend Okta non-app infrastructure (OOS)
- OTHER: Network layer issues (OOS)
- URL: AtSpoke - Okta Workflows actions in access requests (OOS)
- URL: AtSpoke - Entitlement bundles as a resource in access requests (OOS)
- OTHER: Anything not explicitly called out above as in-scope (OOS)
|
+ | https://bugcrowd.com/engagements/onetrust | 1 | 26 | Bugcrowd |
In Scope Assets:- URL: https://pentest-app.onetrust.com/
Out of Scope Assets:- URL: https://*.onetrust.com (OOS)
- URL: https://store.onetrust.com (OOS)
- URL: https://*.convercent.com (OOS)
- URL: https://*.dataguidance.com (OOS)
- URL: https://app.vendorpedia.com (OOS)
- URL: https://*.preferencechoice.com (OOS)
- URL: https://*.redacted.ai (OOS)
- URL: https://*.sharedassessments.org (OOS)
- URL: https://developer.onetrust.com (OOS)
- URL: https://my.onetrust.com (OOS)
- URL: https://*.vendorpedia.com (OOS)
- URL: https://*.onetrustgrc.com (OOS)
- URL: https://*.cookiepro.com (OOS)
- URL: https://tv.onetrust.com/ (OOS)
- URL: https://*.cookielaw.org (OOS)
- URL: https://*.onetrustpro.com (OOS)
- URL: https://*.privacyconnect.com (OOS)
- URL: https://*.onetrust.de (OOS)
- URL: https://*.onetrust.se (OOS)
- URL: https://*.onetrust.es (OOS)
- URL: https://*.onetrust.fr (OOS)
- URL: https://*.onetrust.it (OOS)
- URL: https://*.privacytech.com (OOS)
- URL: https://*.privacypedia.com (OOS)
- URL: https://*.esgiq.com (OOS)
- URL: https://*.trustweek2021.com (OOS)
|
+ | https://bugcrowd.com/engagements/openai | 11 | 0 | Bugcrowd |
In Scope Assets:- URL: https://api.openai.com
- URL: https://chat.openai.com
- URL: https://chat.openai.com
- URL: Third Party Targets
- URL: OpenAI API Keys
- URL: https://*.openai.org
- URL: https://*.openai.org
- URL: https://openai.com/
- OTHER: *.openai.com
- URL: https://platform.openai.com/playground
- OTHER: Other
|
+ | https://bugcrowd.com/engagements/opensea | 8 | 0 | Bugcrowd |
In Scope Assets:- URL: https://opensea.io/
- URL: http://wallets.opensea.io/
- ANDROID: https://play.google.com/store/apps/details?id=io.opensea&hl=en_US&gl=US
- IOS: https://apps.apple.com/us/app/opensea-nft-marketplace/id1582861796
- OTHER: https://github.com/ProjectOpenSea/seaport#deployments
- OTHER: https://etherscan.io/address/0x0000a26b00c1F0DF003000390027140000fAa719
- OTHER: https://etherscan.io/address/0x00005EA00Ac477B1030CE78506496e8C2dE24bf5
- URL: Broken Link
|
+ | https://bugcrowd.com/engagements/opera | 64 | 22 | Bugcrowd |
In Scope Assets:- URL: https://auth.opera.com
- URL: https://accounts.opera.com
- URL: https://flow.opera.com
- URL: https://autoupdate.geo.opera.com
- URL: https://net.geo.opera.com
- URL: https://download.opera.com
- URL: https://speeddials.opera.com
- URL: https://browser-notifications.opera.com
- URL: https://www.opera.com/
- OTHER: https://www.opera.com/computer/thanks?ni=stable&os=windows
- OTHER: https://www.opera.com/computer/thanks?ni=eapgx&os=windows
- URL: https://get.geo.opera.com
- ANDROID: https://play.google.com/store/apps/details?id=com.opera.browser
- ANDROID: https://play.google.com/store/apps/details?id=com.opera.app.news
- ANDROID: https://play.google.com/store/apps/details?id=com.opera.gx
- ANDROID: https://play.google.com/store/apps/details?id=com.opera.mini.native
- ANDROID: https://play.google.com/store/apps/details?id=com.opera.app.sports
- URL: https://cryptowallet.opera-api.com
- URL: https://suggestions.opera-api.com
- OTHER: *.opera.software
- URL: weather.opera-api.com
- URL: push.opera.com
- URL: *.osp.opera.software
- URL: https://bugs.opera.com/
- URL: *.opera.technology
- URL: https://gx.games
- URL: https://create.gx.games
- URL: Loomi.tv
- URL: https://features.opera-api.com
- URL: https://cdn-store.opera-api.com
- URL: *.sec-tunnel.com
- URL: *.opera.com
- URL: exchange.opera.com
- URL: merchandise.opera-api.com
- URL: blocklist.opera-api.com
- URL: https://gx.opera-api.com
- URL: 37.228.104.0/21
- URL: 77.111.244.0/22
- URL: 82.145.208.0/20
- URL: 91.203.96.0/22
- URL: 102.23.96.0/22
- URL: 103.83.120.0/22
- URL: 107.167.96.0/19
- URL: 141.0.8.0/21
- URL: 185.26.180.0/22
- URL: 195.189.143.0/24
- URL: 203.89.100.0/22
- URL: marketplace.gamemaker.io
- URL: *.opera-mini.net
- URL: *.opera.news
- URL: *.operanewsapp.com
- OTHER: GameMaker Studio 2
- URL: *.yoyogames.com
- URL: https://www.gamemaker.io
- URL: https://cashback.opera.com/
- URL: *.apex-football.com
- URL: *.operafootball.com
- URL: *.feednews.com
- URL: *.dailyadvent.com
- URL: api.gx.games/gxc
- URL: api.gx.games/dc
- URL: api.gx.games/dev
- URL: api.gx.games/profile
- URL: api.gx.games/session
Out of Scope Assets:- URL: concurso.opera.com (OOS)
- URL: investor.opera.com (OOS)
- URL: help.yoyogames.com (OOS)
- URL: bugs.yoyogames.com (OOS)
- URL: admanager.opera.com (OOS)
- URL: accountsstage.yoyogames.com (OOS)
- URL: control.gx-servers.opera.com (OOS)
- URL: help.gx-servers.opera.com (OOS)
- URL: verizon-us-seattle.opera-mini.net (OOS)
- URL: s2{1,2}-05-08-v09.opera-mini.net (OOS)
- URL: verizon-us-lvs-seattle.opera-mini.net (OOS)
- URL: 107.167.127.4{0,1} (OOS)
- URL: jobs.opera.com (OOS)
- URL: verizon-us-lvs-ashburn.opera-mini.net (OOS)
- URL: interstitial.opera-mini.net (OOS)
- URL: certs.opera.com (OOS)
- URL: checkout.opera.com (OOS)
- URL: contest.opera.com (OOS)
- URL: catch.opera.com (OOS)
- URL: wallpaper.opera.com (OOS)
- URL: tabfulness.opera.com (OOS)
- URL: 32s.opera.com (OOS)
|
+ | https://bugcrowd.com/engagements/opsgenie | 5 | 2 | Bugcrowd |
In Scope Assets:- URL: https://app.opsgenie.com
- URL: https://mobileapp.opsgenie.com
- URL: *.opsgenie.com
- IOS: Opsgenie (iOS)
- ANDROID: Opsgenie (Android)
Out of Scope Assets:- URL: Opsgenie Production (billing systems, third parties) (OOS)
- URL: Any internal or development services. (OOS)
|
+ | https://bugcrowd.com/engagements/optimizely | 15 | 1 | Bugcrowd |
In Scope Assets:- URL: https://app.optimizely.com/
- URL: https://cdn.optimizely.com/
- URL: https://cdn-pci.optimizely.com/
- URL: https://optimizely-edge.com
- URL: https://api.optimizely.com/
- URL: https://dxc.episerver.net/
- URL: https://paasportal.episerver.net/
- URL: https://paasportal.episerver.net/api/v1.0/
- URL: https://app.welcomesoftware.com/
- URL: https://accounts.welcomesoftware.com/
- URL: https://api.welcomesoftware.com/
- URL: https://cdn-app.welcomesoftware.com/
- URL: https://analytics.welcomesoftware.com/
- URL: https://flags.expeng.optimizely.com
- URL: https://accounts.cmp.optimizely.com/
Out of Scope Assets:- URL: https://www.optimizely.com/ (OOS)
|
+ | https://bugcrowd.com/engagements/optus-mbb-og | 86 | 16 | Bugcrowd |
|
+ | https://bugcrowd.com/engagements/orderlynetwork-mbb-og | 3 | 0 | Bugcrowd |
In Scope Assets:- URL: REDACTED
- URL: REDACTED
- URL: REDACTED
|
+ | https://bugcrowd.com/engagements/orderlynetwork-mbb-og2 | 3 | 0 | Bugcrowd |
In Scope Assets:- URL: https://orderly.network/
- URL: https://api.orderly.org/
- URL: https://api-evm.orderly.org/
|
+ | https://bugcrowd.com/engagements/originenergy-og1 | 19 | 8 | Bugcrowd |
In Scope Assets:- URL: https://www.originenergy.com.au/
- URL: *.origindigital-pac.com.au
- URL: *.odcdn.com.au
- URL: https://dataportal.originenergy.com.au
- URL: *.support.originenergy.com.au
- URL: *.api.originenergy.com.au
- URL: *.download.originenergy.com.au
- URL: https://api.rx.originenergy.com.au/v1/gateway/schema/graphql
- URL: https://api.rx.originenergy.com.au/v1/gateway/schema/kraken/graphql
- URL: https://api.rx.originenergy.com.au/v1/lpg/graphql
- URL: https://www.winconnect.com.au/moving-out/
- URL: https://www.winconnect.com.au/get-connected/
- URL: https://customerportal.winconnect.com.au/login
- URL: signup.myconnect.com.au
- URL: portal.myconnect.com.au
- URL: myconnect.com.au
- URL: portal.myconnect.com.au/new-connection
- URL: ssu.myconnect.com.au/signup/get-connected
- URL: hub.myconnect.com.au
Out of Scope Assets:- URL: https://www.originenergy.com.au/moving/ (OOS)
- URL: https://auth.api.originenergy.com.au/** (OOS)
- URL: https://origin-energy.formstack.com/** (OOS)
- URL: https://www.compareandconnect.com.au/ (OOS)
- URL: https://agent.compareandconnect.com.au/ (OOS)
- URL: https://fastconnect.co.nz (OOS)
- URL: https://Yourporter.com.au (OOS)
- URL: https://raywhitehomenow.com/ (OOS)
|
+ | https://bugcrowd.com/engagements/pantheon | 1 | 0 | Bugcrowd |
In Scope Assets:- OTHER: https://dashboard.pantheon.io
|
+ | https://bugcrowd.com/engagements/personalcapital | 1 | 4 | Bugcrowd |
In Scope Assets:- URL: https://devstaging.pcapcloud.com/*
Out of Scope Assets:- URL: *.empower-retirement.com (OOS)
- URL: *.personalcapital.com (OOS)
- URL: *.empower.com (OOS)
- URL: *.retirementpartner.com (OOS)
|
+ | https://bugcrowd.com/engagements/pexels | 1 | 0 | Bugcrowd |
In Scope Assets:- URL: https://www.pexels.com/
|
+ | https://bugcrowd.com/engagements/phemex | 3 | 5 | Bugcrowd |
In Scope Assets:- IOS: REDACTED
- URL: REDACTED
- ANDROID: REDACTED
Out of Scope Assets:- URL: REDACTED (OOS)
- URL: REDACTED (OOS)
- URL: REDACTED (OOS)
- URL: REDACTED (OOS)
- URL: REDACTED (OOS)
|
+ | https://bugcrowd.com/engagements/pinterest | 9 | 0 | Bugcrowd |
In Scope Assets:- URL: api.pinterest.com
- URL: *.pinterest.com Web Apps
- IOS: https://apps.apple.com/us/app/pinterest/id429047995
- ANDROID: https://play.google.com/store/apps/details?id=com.pinterest&hl=en_US&gl=US
- ANDROID: https://play.google.com/store/apps/details?id=com.pinterest.twa&hl=en_US&gl=US
- OTHER: https://microsoftedge.microsoft.com/addons/detail/pinterest-save-button/bkgoflemacdadndiohhdnphcmdhacabg
- OTHER: https://chrome.google.com/webstore/detail/pinterest-save-button/gpdjojdkbbmdfjfahjcgigfpmkopogic?hl=en
- OTHER: https://addons.mozilla.org/en-US/firefox/addon/pinterest/
- OTHER: https://github.com/pinterest/
|
+ | https://bugcrowd.com/engagements/pixabay | 1 | 0 | Bugcrowd |
In Scope Assets:- URL: https://pixabay.com/
|
+ | https://bugcrowd.com/engagements/planethosterinc | 5 | 0 | Bugcrowd |
In Scope Assets:- URL: https://my.planethoster.com
- URL: https://api.planethoster.net
- URL: https://world.planethoster.net
- URL: https://mg.n0c.com/
- URL: https://www.planethoster.com
|
+ | https://bugcrowd.com/engagements/plugin-people | 2 | 0 | Bugcrowd |
In Scope Assets:- URL: https://marketplace.atlassian.com/apps/4832/enterprise-mail-handler-for-jira-jemh?hosting=cloud&tab=overview
- OTHER: https://marketplace.atlassian.com/apps/4832/enterprise-mail-handler-for-jira-jemh?hosting=datacenter&tab=overview
|
+ | https://bugcrowd.com/engagements/plusgrade-mbb-public | 1 | 0 | Bugcrowd |
|
+ | https://bugcrowd.com/engagements/pnimedia-bb | 58 | 5 | Bugcrowd |
In Scope Assets:- URL: https://www.staples.com/services/printing
- URL: https://splus-flightdeck.pnimedia.com/#/login
- URL: https://splus-estimator.pnimedia.com/#/login
- URL: https://splus-coupon-web.pnimedia.com/#/
- URL: http://flightdeck.staples.com/#/login
- URL: https://portal.pnimedia.com/Account/Login
- URL: https://splus-prod-phoenix-portal-legacy.pnimedia.com/Account/Login
- URL: https://splus-estimator-api.pnimedia.com/
- URL: https://splus-flightdeck-capablefulfiller-api.pnimedia.com/
- URL: https://splus-lmd-api.pnimedia.com/swagger/index.html
- URL: https://usvdc1-fakepuller.pnimedia.com/
- URL: https://orderrouter-api.pnimedia.com/
- URL: https://orders.pniws.com/
- URL: https://phoenix-catalog.pnimedia.com/
- URL: https://portal.pnimedia.com/
- URL: https://productasset.pnimedia.com/
- URL: http://skumapper-splus.pnimedia.com/
- URL: https://design.staples.com
- URL: https://splus-apollox.pnimedia.com/
- URL: https://splus-storage.pnimedia.com/
- URL: https://splus-dock.pnimedia.com/
- URL: https://splus-assets.pnimedia.com/
- URL: https://usvdc1-orders.pnimedia.com/
- URL: https://splus-dock2.pnimedia.com
- URL: https://splus-office365.pnimedia.com/
- URL: https://splus-falcon-api.pnimedia.com/
- URL: https://splus-hercules-api.pnimedia.com/
- URL: https://splus-kepler-upload.pnimedia.com/
- URL: https://splus-premium-asset.pnimedia.com/
- URL: https://usvdc1-fulfillmentdash.pnimedia.com/
- URL: https://usvdc1-imageeditserver.pnimedia.com/
- URL: https://usvdc1-imageserver.pnimedia.com/
- URL: https://usvdc1-imageserver-orders.pnimedia.com/
- URL: https://usvdc1-pniwebservice.pnimedia.com/
- URL: https://usvdc1-project-builder.pnimedia.com/
- URL: https://usvdc1-projectresolver.pnimedia.com/
- URL: https://usvdc1-thumbnailserver-api.pnimedia.com/
- URL: https://usvdc1-render3d.pnimedia.com/
- URL: https://usvdc1-uploadserver.pnimedia.com/
- URL: https://splus-static-site.pnimedia.com/
- URL: https://splus-static-site-pages.pnimedia.com/services/printing/
- URL: https://splus-static-site-pages.pnimedia.com/
- URL: https://splus-static-site-pages-slot1.pnimedia.com/
- URL: https://splus-prod-dam-api-v2-azure.pnimedia.com/
- URL: https://splus-prod-dam-api-v2-slot1.pnimedia.com/
- URL: https://splus-prod-dam-api-v2.pnimedia.com/
- URL: https://splus-prod-dam-api.pnimedia.com/
- URL: https://splus-prod-dam-mediapicker-api.pnimedia.com/
- URL: https://splus-prod-dam-redundancy-sync.pnimedia.com/
- URL: https://splus-cart-api-azure.pnimedia.com/
- URL: https://splus-prod-dam-v2-thumb.pnimedia.com/
- URL: https://splus-cart-api.pnimedia.com/
- URL: https://splus-oms-azure-cart-ui.pnimedia.com/
- URL: https://splus-oms-azure-cart.pnimedia.com/
- URL: https://splus-oms-cart-ui.pnimedia.com/
- URL: https://splus-oms-cart.pnimedia.com/
- URL: https://splus-flightdeck-api.pnimedia.com/
- URL: https://splus-prod-dam-mediapicker-api-slot1.pnimedia.com/
Out of Scope Assets:- OTHER: The Use of Automated Scanners (OOS)
- OTHER: Credential Stuffing Attacks (OOS)
- OTHER: Mass Account Creation (OOS)
- OTHER: Social Engineering (OOS)
- OTHER: Denial of Service Attacks (OOS)
|
+ | https://bugcrowd.com/engagements/privateinternetaccess | 19 | 0 | Bugcrowd |
In Scope Assets:- URL: *.privateinternetaccess.com
- URL: https://www.privateinternetaccess.com/
- URL: piaservers.com
- URL: piaservers.net
- URL: PIA APIs
- OTHER: https://www.privateinternetaccess.com/vpn-server
- IOS: https://apps.apple.com/us/app/private-internet-access-anonymous/id955626407
- ANDROID: https://play.google.com/store/apps/details?id=com.privateinternetaccess.android&hl=en
- OTHER: https://www.privateinternetaccess.com/download/linux-vpn
- OTHER: https://www.privateinternetaccess.com/download/mac-vpn
- OTHER: https://www.privateinternetaccess.com/download/windows-vpn
- OTHER: https://chrome.google.com/webstore/detail/private-internet-access/jplnlifepflhkbkgonidnobkakhmpnmh
- OTHER: https://addons.mozilla.org/en-US/firefox/addon/private-internet-access-ext/
- OTHER: https://addons.opera.com/en/extensions/details/private-internet-access-extension/
- CIDR: polymoon.it
- OTHER: Employee Email
- OTHER: Internal chat messages
- OTHER: Source code hosting
- OTHER: Vulnerabilities compromising the privacy of our employees
|
+ | https://bugcrowd.com/engagements/prosus-og | 10 | 0 | Bugcrowd |
In Scope Assets:- URL: https://dealflow.prosus.com
- URL: https://dealflowapi.prosus.com
- URL: https://analytics-admin.prosus.com
- URL: http://analytics.prosus.com
- URL: https://data.prosus.com/
- URL: https://hr.prosus.com/
- URL: https://tracker.naspers.com/
- URL: https://cfc.naspers.com/
- URL: https://peopleview.naspers.com
- URL: http://nav.naspers.com/
|
+ | https://bugcrowd.com/engagements/quintoandar | 11 | 0 | Bugcrowd |
In Scope Assets:- URL: https://www.quintoandar.com.br/*
- URL: https://www.user.quintoandar.com.br/admin/*
- URL: https://www.financeiro.quintoandar.com.br/*
- URL: https://apigw.prod.quintoandar.com.br/pixar-api/*
- URL: https://finance.quintoandar.com.br/*
- URL: https://trato-feito-api.quintoandar.com.br/*
- URL: https://apigw.prod.quintoandar.com.br/checkout-api/*
- URL: https://apigw.prod.quintoandar.com.br/docx-api/*
- URL: https://apigw.prod.quintoandar.com.br/sales-flow-api/*
- URL: https://apigw.prod.quintoandar.com.br/nazare-api/*
- URL: https://apigw.prod.quintoandar.com.br/rental-guarantee-api/*
|
+ | https://bugcrowd.com/engagements/quizlet | 4 | 2 | Bugcrowd |
In Scope Assets:- URL: https://*.quizlet.com
- IOS: https://itunes.apple.com/us/app/quizlet-flashcards/id546473125
- ANDROID: https://play.google.com/store/apps/details?id=com.quizlet.quizletandroid
- URL: 3.0 API
Out of Scope Assets:- URL: 2.0 API (OOS)
- URL: https://help.quizlet.com/hc/en-us (OOS)
|
+ | https://bugcrowd.com/engagements/rapyd | 15 | 6 | Bugcrowd |
In Scope Assets:- URL: api.rapyd.net
- URL: https://dashboard.rapyd.net/
- URL: verify.rapyd.net
- OTHER: checkout.rapyd.net
- URL: *.rapyd.net
- URL: *.neatcommerce.com
- URL: *.korta.is
- URL: *.neattest.com
- URL: https://jointhemoment.net/
- OTHER: *.rapyd.com
- OTHER: *.rapyd.org
- URL: *.neat.com.hk
- URL: *.kortathjonustan.is
- URL: *.neat.hk
- URL: *.neat.wtf
Out of Scope Assets:- OTHER: community.rapyd.net (OOS)
- URL: support.rapyd.net (OOS)
- URL: docs.rapyd.net (OOS)
- OTHER: sandbox.rapyd.net (OOS)
- OTHER: 3rd party services (OOS)
- OTHER: ghost.rapyd.net (OOS)
|
+ | https://bugcrowd.com/engagements/rarible-ogmbb | 14 | 5 | Bugcrowd |
In Scope Assets:- URL: REDACTED
- URL: REDACTED
- URL: REDACTED
- URL: REDACTED
- URL: REDACTED
- URL: REDACTED
- URL: REDACTED
- URL: REDACTED
- URL: REDACTED
- URL: REDACTED
- URL: REDACTED
- URL: REDACTED
- URL: REDACTED
- URL: REDACTED
Out of Scope Assets:- URL: REDACTED (OOS)
- URL: REDACTED (OOS)
- URL: REDACTED (OOS)
- URL: REDACTED (OOS)
- URL: REDACTED (OOS)
|
+ | https://bugcrowd.com/engagements/recroom-og | 15 | 0 | Bugcrowd |
In Scope Assets:- OTHER: https://rec.net/download
- OTHER: https://store.steampowered.com/app/471710/Rec_Room/
- OTHER: https://www.oculus.com/experiences/quest/2173678582678296
- OTHER: https://www.oculus.com/experiences/rift/1257029974329451
- OTHER: https://www.nintendo.com/us/store/products/rec-room-switch/
- IOS: https://apps.apple.com/app/id1450306065
- ANDROID: https://play.google.com/store/apps/details?id=com.AgainstGravity.RecRoom
- OTHER: https://store.playstation.com/en-us/product/UP2662-PPSA05532_00-6681199027107223
- OTHER: https://store.playstation.com/en-us/product/UP2662-CUSA08481_00-RECROOM000000001
- OTHER: https://www.xbox.com/en-us/games/store/rec-room/9pgpqk0xthrz
- OTHER: https://recroom.com/studio
- URL: https://rec.net/
- URL: https://*.rec.net/*
- URL: https://api.rec.net
- URL: https://devportal.rec.net/
|
+ | https://bugcrowd.com/engagements/sap-private-invite | 17 | 1 | Bugcrowd |
In Scope Assets:- URL: SAP SuccessFactors
- URL: SAP S/4HANA Cloud Public Edition
- URL: SAP S/4HANA Cloud Private Edition
- URL: SAP Integrated Business Planning for Supply Chain
- URL: SAP Cloud ALM
- URL: SAP Customer Data Cloud portfolio from Gigya
- URL: SAP S/4HANA migration cockpit
- URL: SAP Risk and Assurance Management
- URL: SAP Order Management for Sourcing and Availability
- URL: SAP Continuous Integration and Delivery
- URL: SAP Business Network for Logistics
- URL: SAP Order Management foundation
- URL: SAP Signavio
- URL: SAP Revenue Growth Optimization
- URL: SAP Omnichannel Promotion Pricing
- URL: SAP Enable Now
- URL: SAP Decentralized Identity Verification
Out of Scope Assets:- OTHER: The IAS Tenant (*.accounts.ondemand.com) (OOS)
|
+ | https://bugcrowd.com/engagements/securityrocks | 9 | 0 | Bugcrowd |
In Scope Assets:- URL: https://api.thesecurityteam.rocks
- URL: https://api.anytask.thesecurityteam.rocks
- URL: https://anytask.thesecurityteam.rocks
- URL: https://my.thesecurityteam.rocks
- ANDROID: https://play.google.com/store/apps/details?id=com.electroneum.mobile&hl=en_US
- IOS: https://apps.apple.com/us/app/electroneum/id1270774992
- OTHER: https://github.com/electroneum/electroneum/
- URL: https://legacy-blockexplorer.electroneum.com
- ANDROID: https://public.thesecurityteam.rocks/resources/app/android/etnapp-5.2.2-staging.apk
|
+ | https://bugcrowd.com/engagements/seek | 17 | 0 | Bugcrowd |
In Scope Assets:- URL: *.seek.com.au
- OTHER: https://seekcdn.com
- IOS: https://apps.apple.com/au/app/seek-jobs-job-search/id520400855
- ANDROID: https://play.google.com/store/apps/details?id=au.com.seek&hl=en_AU&gl=US
- URL: *.skinfra.xyz
- URL: *.outfra.xyz
- URL: *.sol-data.com
- URL: *.jobapi.net
- URL: *.seekpass.co
- URL: *.seekpass-staging.com
- URL: *.aips-internal.com
- URL: *.certsy.com
- URL: *.certsynonprod.com
- IOS: https://apps.apple.com/au/app/certsy/id1617796159
- ANDROID: https://play.google.com/store/apps/details?id=com.certsy.app
- URL: https://graphql.seek.com
- URL: https://auth.seek.com
|
+ | https://bugcrowd.com/engagements/sendbird-mbb | 10 | 0 | Bugcrowd |
In Scope Assets:- URL: https://dashboard.sendbird.com/
- URL: https://gate.sendbird.com
- URL: https://api-{app-id}.sendbird.com
- URL: https://ws-{app-id}.sendbird.com
- URL: https://desk-api-{region}.sendbird.com
- URL: https://ws-{app-id}.calls.sendbird.com
- URL: https://api-{app-id}.calls.sendbird.com
- URL: https://api-{app-id}.notifications.sendbird.com
- URL: https://sendbird.com/docs
- URL: https://sendbird.com
|
+ | https://bugcrowd.com/engagements/shipwire | 5 | 0 | Bugcrowd |
In Scope Assets:- OTHER: REDACTED
- OTHER: REDACTED
- OTHER: REDACTED
- OTHER: REDACTED
- OTHER: REDACTED
|
+ | https://bugcrowd.com/engagements/shoppingcart | 3 | 1 | Bugcrowd |
In Scope Assets:- URL: https://1shoppingcart.com
- URL: https://mcssl.com
- URL: *.mcssl.com
Out of Scope Assets:- URL: *.1shoppingcart.com (OOS)
|
+ | https://bugcrowd.com/engagements/skroutz | 1 | 0 | Bugcrowd |
In Scope Assets:- URL: https://www.skroutz.gr/
|
+ | https://bugcrowd.com/engagements/skyscanner | 10 | 1 | Bugcrowd |
In Scope Assets:- IOS: Skyscanner iOS App
- ANDROID: Skyscanner Android App
- URL: gateway.skyscanner.net/*
- URL: skyscanner.net/hotels/book/*
- URL: skyscanner.net/*
- URL: partnerportal.skyscanner.net/*
- URL: *.skyscanner.net
- ANDROID: Skyscanner Android app
- IOS: Skyscanner iOS app
- OTHER: AWS Infrastructure
Out of Scope Assets:- OTHER: Corporate Email (*@skyscanner.net) (OOS)
|
+ | https://bugcrowd.com/engagements/snapnames | 2 | 1 | Bugcrowd |
In Scope Assets:- URL: https://snapnames.com/
- URL: https://www.namejet.com/
Out of Scope Assets:- URL: Anything not explicitly listed as "In Scope". (OOS)
|
+ | https://bugcrowd.com/engagements/sophos | 18 | 4 | Bugcrowd |
In Scope Assets:- OTHER: https://www.sophos.com/en-us/products/endpoint-antivirus/free-trial
- URL: https://central.sophos.com/
- IOT: Sophos Firewall (XG/XGS, SFOS) - Pre-auth RCE
- URL: https://central.sophos.com
- IOT: https://www.sophos.com/en-us/products/next-gen-firewall
- OTHER: https://www.sophos.com/en-us/products/endpoint-antivirus/free-trial
- OTHER: https://www.sophos.com/en-us/products/endpoint-antivirus/free-trial
- OTHER: https://www.sophos.com/en-us/products/endpoint-antivirus/free-trial
- IOS: https://www.sophos.com/en-us/products/mobile-control/free-trial
- ANDROID: https://www.sophos.com/en-us/products/mobile-control/free-trial
- IOT: https://docs.sophos.com/central/customer/help/en-us/ManageYourProducts/ThreatAnalysisCenter/Integrations/Sophos/NDR/index.html
- IOT: https://www.sophos.com/en-us/products
- CIDR: https://www.sophos.com/
- OTHER: SOPHOS/Secureworks : Taegis
- OTHER: SOPHOS/Secureworks : Redcloak
- URL: 3rd party services hosted at *.sophos.com
- OTHER: Sophos IT Infrastructure (all other Sophos domains)
- OTHER: Any Other Sophos Product or Service
Out of Scope Assets:- URL: community.sophos.com (OOS)
- OTHER: Any Cyberoam Product or Service (OOS)
- URL: sophos.atlassian.net (Public service desk) (OOS)
- OTHER: SPF/DKIM/DMARC issues (OOS)
|
+ | https://bugcrowd.com/engagements/soundcloud | 10 | 15 | Bugcrowd |
In Scope Assets:- ANDROID: https://play.google.com/store/apps/details?id=com.soundcloud.android&hl=en&gl=US
- URL: https://soundcloud.com
- URL: *.soundcloud.org
- URL: *.s-cloud.net
- IOS: https://apps.apple.com/us/app/soundcloud-music-audio/id336353151
- URL: https://connect.soundcloud.com
- URL: *.services.repostnetwork.com
- URL: api-*.soundcloud.com
- URL: http://artists.soundcloud.com/
- URL: https://soundcloud.org
Out of Scope Assets:- URL: blog.soundcloud.com (OOS)
- URL: status.soundcloud.com (OOS)
- URL: help.soundcloud.com (OOS)
- URL: community.soundcloud.com (OOS)
- URL: copyright.soundcloud.com (OOS)
- URL: advertising.soundcloud.com (OOS)
- OTHER: https://soundcloudmail.com (OOS)
- URL: press.soundcloud.com (OOS)
- URL: https://scdrops.soundcloud.com (OOS)
- URL: https://promote.soundcloud.com (OOS)
- URL: contest.soundcloud.com (OOS)
- URL: playback.soundcloud.com (OOS)
- URL: jobs.soundcloud.com (OOS)
- URL: playerone.soundcloud.com (OOS)
- URL: support.soundcloud.org (OOS)
|
+ | https://bugcrowd.com/engagements/spacex | 1 | 0 | Bugcrowd |
In Scope Assets:- URL: SpaceX and Starlink assets (target information and rewards detailed above on the brief)
|
+ | https://bugcrowd.com/engagements/square | 8 | 8 | Bugcrowd |
In Scope Assets:- URL: *.square.com
- URL: *.squareup.com
- URL: https://square.online
- URL: https://www.weebly.com/
- ANDROID: https://play.google.com/store/apps/details?id=com.squareup&hl=en_US&gl=US
- IOS: https://apps.apple.com/us/app/square-point-of-sale-pos/id335393788
- HARDWARE: Square Register
- HARDWARE: Square Terminal
Out of Scope Assets:- URL: https://afterpay.com (OOS)
- URL: https://cash.me (OOS)
- URL: https://designers.weebly.com/ (OOS)
- URL: https://tidal.com/ (OOS)
- OTHER: http://community.squareup.com (OOS)
- ANDROID: https://play.google.com/store/apps/details?id=com.squareup.cash (OOS)
- IOS: https://itunes.apple.com/us/app/cash-app/id711923939?mt=8 (OOS)
- URL: Any vulnerabilities found in Third-party software (OOS)
|
+ | https://bugcrowd.com/engagements/squareopensource | 16 | 0 | Bugcrowd |
In Scope Assets:- OTHER: REDACTED
- OTHER: REDACTED
- OTHER: REDACTED
- OTHER: REDACTED
- OTHER: REDACTED
- OTHER: REDACTED
- OTHER: REDACTED
- OTHER: REDACTED
- OTHER: REDACTED
- OTHER: REDACTED
- OTHER: REDACTED
- OTHER: REDACTED
- OTHER: REDACTED
- OTHER: REDACTED
- OTHER: REDACTED
- OTHER: REDACTED
|
+ | https://bugcrowd.com/engagements/statuspage | 2 | 0 | Bugcrowd |
In Scope Assets:- URL: https://manage.statuspage.io
- URL: *.statuspage.io
|
+ | https://bugcrowd.com/engagements/stellantis | 3 | 1 | Bugcrowd |
In Scope Assets:- OTHER: REDACTED
- URL: REDACTED
- URL: REDACTED
Out of Scope Assets:
|
+ | https://bugcrowd.com/engagements/stiltsoft | 13 | 1 | Bugcrowd |
In Scope Assets:- URL: https://marketplace.atlassian.com/apps/27447/table-filter-and-charts-for-confluence?hosting=cloud
- URL: https://marketplace.atlassian.com/apps/1214110/courses-and-quizzes-lms-for-confluence?hosting=cloud
- URL: https://marketplace.atlassian.com/apps/1210934/awesome-graphs-for-bitbucket?hosting=cloud
- URL: https://marketplace.atlassian.com/apps/1210934/awesome-graphs-for-bitbucket?hosting=datacenter
- URL: https://marketplace.atlassian.com/apps/1222084/spreadsheet-issue-field-editor?hosting=cloud
- URL: https://marketplace.atlassian.com/apps/27447/table-filter-and-charts-for-confluence?hosting=datacenter
- URL: https://marketplace.atlassian.com/apps/1212507/smart-attachments-for-jira?hosting=cloud
- URL: https://marketplace.atlassian.com/apps/1210766/teamcity-integration-for-jira?hosting=cloud
- URL: https://marketplace.atlassian.com/apps/1214971/handy-macros-for-confluence?hosting=cloud
- URL: https://marketplace.atlassian.com/apps/1222102/webhook-manager-for-confluence-cloud?hosting=cloud
- URL: https://marketplace.atlassian.com/apps/1224994/poll-maker-for-confluence?hosting=cloud
- URL: https://marketplace.atlassian.com/apps/1237512/latex-math-for-confluence?hosting=cloud
- URL: https://marketplace.atlassian.com/apps/1237729/checklist-for-jira-cloud-smart-todo-lists?hosting=cloud
Out of Scope Assets:- URL: https://*.atlassian.com (OOS)
|
+ | https://bugcrowd.com/engagements/t-mobile | 49 | 5 | Bugcrowd |
In Scope Assets:- OTHER: Self Register Account on T-Mobile Microsoft Entra ID
- CIDR: Cellular Network Auth Bypass via Web/Mobile App
- CIDR: T&P Servers
- CIDR: Internal Server via Internet Network
- URL: https://portal.lrs.t-mobile.com
- URL: https://account.t-mobile.com
- URL: https://metrobyt-mobile.com
- URL: https://sprint.com
- URL: https://t-mobile.com
- URL: https://api.t-mobile.com
- URL: https://tfb.t-mobile.com
- URL: https://devedge.t-mobile.com
- URL: https://tess.service-now.com
- URL: https://digits.t-mobile.com
- URL: https://t-mobile.com
- URL: https://metrobyt-mobile.com
- URL: https://sprint.com
- URL: https://api.vistarmedia.com
- URL: https://packages.cortexpowered.com
- URL: https://api.vistarmedia.eu
- URL: https://production-dynam-creative.vistarmedia.com
- URL: https://storybook.vistarmedia.com
- URL: https://creatives.vistarmedia.com
- URL: https://sflower.cortexpowered.com
- URL: https://production-delivery-metrics-svc.vistarmedia.com
- URL: https://maps.vistarmedia.com
- URL: https://transcodes-cdn.vistarmedia.com
- URL: https://assets-cdn.vistarmedia.com
- URL: https://docker-staging.adstruc.com
- URL: https://staging-trafficking.vistarmedia.com
- URL: https://job-svc-b.vistarmedia.com
- URL: https://docsite.vistarmedia.com
- URL: https://sfleet.cortexpowered.com
- URL: https://audience-builder.vistarmedia.com
- URL: https://staging-login.vistarmedia.com
- URL: https://clients.adstruc.com
- URL: https://demo.adstruc.com
- OTHER: Assets labeled as in-scope
- IOS: https://apps.apple.com/us/app/t-mobile/id561625752
- ANDROID: https://play.google.com/store/apps/details?id=com.tmobile.pr.mytmobile
- IOS: https://apps.apple.com/us/app/syncup-drive/id1576574297
- ANDROID: https://play.google.com/store/apps/details?id=com.tmobile.drive
- IOS: https://apps.apple.com/us/app/syncup-kids/id1503394062
- ANDROID: https://play.google.com/store/apps/details?id=com.tmobile.kids
- IOS: https://apps.apple.com/us/app/syncup-tracker/id1526380335
- ANDROID: https://play.google.com/store/apps/details?id=com.tmobile.syncuptag
- OTHER: https://digits.t-mobile.com/
- IOS: https://apps.apple.com/us/app/t-life-t-mobile-tuesdays/id1111876388
- ANDROID: https://play.google.com/store/apps/details?id=com.tmobile.tuesdays&hl=en_US&gl=US
Out of Scope Assets:- URL: *.sprint.net (OOS)
- URL: https://techapps.t-mobile.com (OOS)
- URL: https://wfmmobile.t-mobile.com (OOS)
- URL: https://*.buildbot.t-mobile.com (OOS)
- OTHER: Any domain, property, product, protocol, or service of the app/hardware/software version not explicitly listed in the In-Scope section is out of scope; submissions are welcome but not guaranteed for the bounty/bonus. (OOS)
|
+ | https://bugcrowd.com/engagements/tamedia | 12 | 7 | Bugcrowd |
In Scope Assets:- URL: REDACTED
- URL: REDACTED
- URL: REDACTED
- URL: REDACTED
- URL: REDACTED
- URL: REDACTED
- URL: REDACTED
- URL: REDACTED
- URL: REDACTED
- URL: REDACTED
- URL: REDACTED
- URL: REDACTED
Out of Scope Assets:- URL: REDACTED (OOS)
- OTHER: REDACTED (OOS)
- OTHER: REDACTED (OOS)
- URL: REDACTED (OOS)
- URL: REDACTED (OOS)
- URL: REDACTED (OOS)
- URL: REDACTED (OOS)
|
+ | https://bugcrowd.com/engagements/tempusex-public-mbb-og | 6 | 0 | Bugcrowd |
In Scope Assets:- URL: https://biocorellc.com
- URL: https://tempus-ex.com
- URL: https://infiniteathlete.ai
- URL: https://platform.infiniteathlete.ai
- URL: https://docs.tempus-ex.com
- OTHER: https://github.com/tempus-ex
|
+ | https://bugcrowd.com/engagements/tesla | 11 | 14 | Bugcrowd |
In Scope Assets:- URL: *.tesla.cn
- URL: *.tesla.services
- IOS: https://apps.apple.com/us/app/tesla/id582007913
- URL: *.tesla.com
- URL: *.teslamotors.com
- URL: Any host verified to be owned by Tesla Motors Inc. (domains/IP space/etc.)
- URL: *.solarcity.com
- URL: *.teslainsuranceservices.com
- ANDROID: https://play.google.com/store/apps/details?id=com.teslamotors.tesla&hl=en_US&gl=US
- HARDWARE: Tesla Energy hardware you own
- HARDWARE: Tesla vehicle hardware that you own
Out of Scope Assets:- URL: employeefeedback.tesla.com (OOS)
- URL: energysupport.tesla.com (you can report vulnerabilities to bugbounty.zoho.com) (OOS)
- URL: https://engage.tesla.com/ (OOS)
- URL: *.engage.tesla.com (OOS)
- URL: feedback.tesla.com (OOS)
- URL: feedback.teslamotors.com (OOS)
- URL: ir.tesla.com (OOS)
- URL: ir.teslamotors.com (OOS)
- URL: mkto.teslamotors.com (OOS)
- URL: shop.eu.teslamotors.com (OOS)
- URL: service.tesla.com/docs/* (OOS)
- URL: service.tesla.cn/docs/* (OOS)
- URL: Any domains from acquisitions, such as maxwell.com (OOS)
- URL: Any other third-party websites hosted by non-Tesla entities (OOS)
|
+ | https://bugcrowd.com/engagements/thefork-b2c-wng | 13 | 5 | Bugcrowd |
In Scope Assets:- URL: https://www.thefork.com/
- URL: https://m.thefork.com
- URL: https://blog.thefork.com/
- URL: https://api.thefork.com
- URL: https://api.lafourchette.com
- URL: https://review-api.lafourchette.com
- URL: https://google-reserve-api.thefork.io
- URL: https://m-api.lafourchette.com
- ANDROID: https://play.google.com/store/apps/details?id=com.lafourchette.lafourchette
- IOS: https://apps.apple.com/app/thefork-restaurants-bookings/id424850908
- URL: https://*.tools.thefork.tech
- URL: https://www.restaurant-information.com
- URL: https://widget.thefork.com
Out of Scope Assets:- URL: https://*.eltenedor.* (OOS)
- URL: https://www.thefork.* (OOS)
- URL: Customer semi-login / PartialLogin feature (OOS)
- URL: https://module.thefork.com (OOS)
- URL: https://www.lafourchette.com (OOS)
|