Scope Data

In Scope Assets:

• URL: https://www.thefork.com/
• URL: https://m.thefork.com
• URL: https://blog.thefork.com/
• URL: https://api.thefork.com
• URL: https://api.lafourchette.com
• URL: https://review-api.lafourchette.com
• URL: https://google-reserve-api.thefork.io
• URL: https://m-api.lafourchette.com
• IOS: https://apps.apple.com/app/thefork-restaurants-bookings/id424850908
• ANDROID: https://play.google.com/store/apps/details?id=com.lafourchette.lafourchette
• URL: https://*.tools.thefork.tech
• URL: https://www.restaurant-information.com
• URL: https://widget.thefork.com

Out of Scope Assets:

• URL: https://*.eltenedor.* (OOS)
• URL: https://www.thefork.* (OOS)
• URL: Customer semi-login / PartialLogin feature (OOS)
• URL: module.thefork.com (OOS)
• URL: https://www.lafourchette.com (OOS)

In Scope Assets:

• URL: https://desk.thetradedesk.com
• URL: https://api.thetradedesk.com
• URL: https://auth.thetradedesk.com
• URL: https://www.thetradedesk.com
• URL: https://www.thecurrent.com
• URL: https://partner.thetradedesk.com
• URL: https://atlassian.thetradedesk.com
• URL: https://www.adsrvr.org
• URL: https://ops-sso.adsrvr.org/
• URL: https://myopenpass.com
• URL: https://auth.myopenpass.com
• URL: https://partner.myopenpass.com
• URL: https://atlantis-ext.myopenpass.com
• URL: https://prod.uidapi.com
• URL: https://prod.euid.eu
• URL: https://core-prod.uidapi.com
• URL: https://optout-prod.uidapi.com
• URL: https://optout.prod.euid.eu
• URL: https://transparentadvertising.com
• URL: https://transparentadvertising.eu
• URL: https://portal.unifiedid.com
• URL: *.thetradedesk.com
• URL: *.adsrvr.org
• URL: https://cdn.myopenpass.com
• URL: https://demo.myopenpass.com
• URL: https://cstg-integ.uidapi.com
• URL: https://esp-jssdk-integ.uidapi.com
• URL: https://esp-srvonly-integ.uidapi.com
• URL: https://example-jssdk-integ.uidapi.com
• URL: https://example-srvonly-integ.uidapi.com
• URL: https://secure-signals-jssdk-integ.uidapi.com
• URL: https://secure-signals-srvonly-integ.uidapi.com

Out of Scope Assets:

• URL: https://investors.thetradedesk.com (OOS)
• URL: https://ask.thetradedesk.com (OOS)
• URL: https://openpath.thetradedesk.com (OOS)
• URL: https://stationery.thetradedesk.com (OOS)
• URL: https://bynder.thetradedesk.com (OOS)
• URL: https://www.thetradedeskedgeacademy.com (OOS)
• URL: https://unifiedid.com (OOS)
• URL: https://euid.eu (OOS)
• URL: argocd.*.uidapi.com (OOS)
• OTHER: Applications that resolve to *.skilljarapp.com (OOS)
• OTHER: Applications that resolve to *.smartling.com (ex: id.thetradedesk.com) (OOS)
• OTHER: Applications that resolve to *.quilvem.com (ex: update.adsrvr.org) (OOS)
• OTHER: Applications that resolve to *.okta.com (ex: openpath-login.thetradedesk.com) (OOS)
• OTHER: Anything not explicitly listed as Tier 1 or Tier 2 (OOS)

In Scope Assets:

• URL: https://api.thousandeyes.com/
• URL: https://app.thousandeyes.com/
• URL: https://www.thousandeyes.com/
• OTHER: ThousandEyes Enterprise Agent
• OTHER: ThousandEyes Endpoint Agent

Out of Scope Assets:

• URL: https://blog.thousandeyes.com/ (OOS)
• URL: https://app.thousandeyes.com/sfdc/community (OOS)

In Scope Assets:

• URL: https://tidal.com/
• URL: *.wimpmusic.com
• URL: *.tidalhifi.com
• URL: api.tidal.com
• URL: *tidalhi.fi
• URL: *.tdl.sh
• IOS: Tidal Client for iOS
• ANDROID: Tidal Client for Android
• OTHER: https://offer.tidal.com/download
• OTHER: Tidal Official Clients (e.g. Sonos integration, Tesla integration, etc.)

Out of Scope Assets:

• OTHER: https://developer.tidal.com (OOS)
• OTHER: https://embed.tidal.com (OOS)

In Scope Assets:

• URL: trello.com
• URL: api.trello.com
• URL: *.trello.services
• OTHER: Trello Desktop Client
• ANDROID: Trello Mobile App for Android
• IOS: Trello Mobile App for iOS
• URL: https://butlerfortrello.com/
• URL: https://trello.com/power-ups/55a5d917446f517774210011/calendar-power-up
• URL: https://trello.com/power-ups/55a5d917446f517774210012/card-aging
• URL: https://trello.com/power-ups/5c2462c384ab8949b1724a20/list-limits
• URL: https://trello.com/power-ups/55a5d917446f517774210013/voting
• URL: https://trello.com/power-ups/6052d130068a8c0de7b022b4
• URL: Trello Third Party Powerups

Out of Scope Assets:

• URL: http://bugcrowd.com/atlassianapps (OOS)
• URL: e.trello.com (OOS)
• URL: help.trello.com (OOS)
• URL: trello-attachments.s3.amazonaws.com (OOS)

In Scope Assets:

• URL: https://api.production.cde.tamg.cloud
• URL: https://partnerapi.tapayments.com
• URL: https://partnerapi1.tapayments.com
• URL: https://partnerapi2.tapayments.com
• URL: https://walletproxy.tapayments.com
• URL: https://walletproxy1.tapayments.com
• URL: https://walletproxy2.tapayments.com
• URL: https://www.tripadvisor.com
• URL: Localized versions of www.tripadvisor.com available from the site's header or footer
• URL: https://api.tripadvisor.com
• URL: https://service.platform.tripadvisor.com
• URL: https://gwapi.tripadvisor.com
• URL: https://gwapi1.tripadvisor.com
• URL: https://gwapi2.tripadvisor.com
• URL: Any publicly accessible Tripadvisor web asset or host (domains, ip space, etc) - except for assets listed as Out-of-Scope below.
• ANDROID: https://play.google.com/store/apps/details?id=com.tripadvisor.tripadvisor&hl=en
• IOS: https://apps.apple.com/us/app/tripadvisor-plan-book-trips/id284876795
• URL: https://rentals.tripadvisor.com
• URL: https://*.vacationhomerentals.com
• URL: https://*.holidaylettings.com
• URL: https://*.flipkey.com
• URL: https://*.niumba.com
• URL: https://*.housetrip.com
• IOS: https://itunes.apple.com/us/app/vacation-rentals-owner-app-by-tripadvisor/id1045663228?mt=8
• URL: http://marlo.ext.tripadvisor.com
• URL: https://*.bokundemo.com
• URL: https://*.bokuntest.com

Out of Scope Assets:

• URL: *.experiences.zone (OOS)
• URL: *.bokun.team (OOS)
• URL: *.bokun.tools (OOS)
• URL: *.bokun.website (OOS)
• URL: *.bokunmobile.website (OOS)
• URL: ir.tripadvisor.com (OOS)
• URL: *.tripadviser.at (OOS)
• URL: *.tripadvisor.cn (OOS)
• URL: www.tripadvisor.*/Trips (OOS)
• URL: www.tripadvisor.*/Mobile* (OOS)
• URL: www.tripadvisor.*/engineering (OOS)
• URL: www.tripadvisor.*/WidgetEmbed-* (OOS)
• URL: spotlight-dev.tripadvisor.com (OOS)
• URL: spotlight.tripadvisor.* (OOS)
• URL: careers.tripadvisor.com (OOS)
• URL: *.tripadvisoradexpress.* (OOS)
• URL: *.tripadvisorwifi.* (OOS)
• URL: *.bokun.io (OOS)
• URL: *.bokun.is (OOS)
• URL: *.bokun.com (OOS)
• URL: *.bokun.app (OOS)
• URL: *.bokun.eu (OOS)
• URL: taplus.* (OOS)
• URL: tripadvisor-plus.* (OOS)
• URL: tripadvisorplus.* (OOS)
• URL: travelermail.com (OOS)

In Scope Assets:

• URL: chainabuse-staging.com
• URL: api.chainabuse-staging.com

In Scope Assets:

• URL: https://www.20min.ch
• URL: https://coral.20min.ch/
• URL: https://api.20min.ch/
• URL: https://videoplayer.20min.ch
• URL: https://partner-feeds.20min.ch
• URL: https://screenplayer.20min.ch
• URL: https://audio.20min.ch/

Out of Scope Assets:

• URL: https://tgt.tamedia.ch (OOS)
• URL: http://auth.20min.ch (OOS)
• URL: https://cre-api.tamedia.ch (OOS)
• URL: https://track.20min.ch (OOS)
• URL: Social Media Links (older than 2 years) (OOS)
• OTHER: Subdomain Takeover (OOS)
• OTHER: DMARC, SPF, DKIM (OOS)
• URL: https://*.connect.ringier.ch (OOS)
• URL: *.onelog.ch (OOS)
• URL: *.20min-tv.ch (OOS)
• URL: *.newsnetz.tv (OOS)
• URL: *.appuser.ch (OOS)
• URL: *.iagentur.ch (OOS)
• URL: *.streamboat.ch (OOS)
• URL: *.streamboatserver.ch (OOS)
• OTHER: Other Domains and Subdomains not specifically in scope (OOS)

In Scope Assets:

• URL: https://api.twilio.com
• URL: Twilio APIs
• OTHER: https://tsock.us1.twilio.com
• OTHER: *.sip.*.twilio.com
• OTHER: https://www.twilio.com/blog/get-started-webrtc
• OTHER: https://www.twilio.com/docs/libraries
• URL: https://www.twilio.com/console
• OTHER: Twilio CDNs (static*.twilio.com)
• URL: https://twilio.com/blog
• URL: https://help.twilio.com
• URL: https://sendgrid.com
• URL: https://app.sendgrid.com/
• URL: https://signup.sendgrid.com/
• URL: https://api.sendgrid.com
• URL: https://mc.sendgrid.com/
• OTHER: smtp.sendgrid.net
• ANDROID: https://authy.com/download/
• IOS: https://authy.com/download/
• URL: https://www.twilio.com/docs/verify/api
• URL: https://www.twilio.com/docs/authy/api
• URL: https://app.segment.com/
• URL: https://api.segment.io/
• OTHER: https://segment.com/docs/sources/
• URL: Any host/web property verified to be owned by Twilio et al.

Out of Scope Assets:

• OTHER: All Twilio acquisitions until explicitly noted under the in-scope targets (OOS)
• OTHER: Third-party services (OOS)
• URL: Ytica and its assets (OOS)
• OTHER: Electric Imp and its assets (OOS)
• OTHER: TwimlBins (OOS)
• URL: All Kurento domains (OOS)
• OTHER: Twilio Quest (OOS)
• OTHER: Twilio Wireless (OOS)
• URL: Demo websites e.g. lab.authy.com (OOS)
• URL: zipwhip.com (OOS)
• URL: twil.io (OOS)
• URL: support.twilio.com (OOS)
• URL: support.sendgrid.com (OOS)
• URL: segment.com/contact (OOS)
• URL: status.sendgrid.com (OOS)
• URL: status.twilio.com (OOS)
• URL: status.segment.com (OOS)
• URL: signal.twilio.com (OOS)
• URL: twilio.com/labs (OOS)
• URL: twiliotraining.com (OOS)
• URL: surveys.twilio.com (OOS)
• URL: community.segment.com (OOS)
• URL: segment.com/jobs (OOS)
• URL: twilio.com/en-us/company/jobs (OOS)
• URL: talks.twilio.com (OOS)
• URL: webinars.segment.com (OOS)
• URL: transform.twilio.com (OOS)
• URL: webinars.twilio.com (OOS)
• URL: store.twilio.com (OOS)
• URL: apjevents.twilio.com (OOS)
• URL: events.cdpweek.com (OOS)

In Scope Assets:

• URL: https://opendata.test-socrata.com/admin/gateway
• OTHER: https://opendata-demo.test-socrata.com
• OTHER: https://opendata.test-socrata.com

In Scope Assets:

• URL: http://my.mintmobile.com/
• URL: http://my.ultramobile.com
• URL: https://my.mintmobile.com
• URL: https://my.ultramobile.com

In Scope Assets:

• ANDROID: https://play.google.com/store/apps/details?id=com.uvnv.mintsim
• IOS: https://apps.apple.com/us/app/mint-mobile/id1295303441

In Scope Assets:

• URL: https://mintmobile.com
• URL: https://ultramobile.com

In Scope Assets:

• URL: https://web-retailer-portal.ultramobile.com

In Scope Assets:

• URL: https://www.underarmour.com
• URL: https://www.underarmour.co.uk
• IOS: https://apps.apple.com/us/app/under-armour/id1092704571
• ANDROID: https://play.google.com/store/apps/details?id=com.ua.shop&hl=en
• URL: https://api.shop.ua.com/graphql
• URL: https://www.underarmournext.co.uk/
• URL: https://underarmournext.com/
• OTHER: https://*.api.ua.com/
• URL: https://consumer-sustainability.underarmour.com/en
• URL: https://vpe-us.underarmour.com/
• URL: https://www.underarmour.cn
• URL: http://www.underarmour.com.sg
• URL: https://underarmour.co.kr
• URL: https://armourhouse.underarmour.com

Out of Scope Assets:

• URL: www.underarmour.com/en-us/affiliate-home (OOS)
• URL: www.uabiz.com (OOS)
• URL: investor.underarmour.com (OOS)
• URL: productsafety.underarmour.com (OOS)
• URL: uabusiness.force.com (OOS)
• URL: www.underarmour.jobs (OOS)
• URL: blog.underarmour.com (OOS)
• URL: www.uateamcatalogs.com (OOS)
• URL: www.uaretail.com (OOS)
• URL: www.plankindustries.com (OOS)

In Scope Assets:

• URL: https://apphouse.underarmour.com/
• OTHER: http://ourhouse.underarmour.com/
• URL: https://transfer.underarmour.com/
• URL: https://vpe-us.underarmour.com/
• URL: https://snc.underarmour.com/
• URL: https://snctest-s.underarmour.com/
• URL: https://snctest-c.underarmour.com/
• URL: https://supplier.underarmour.com/
• URL: https://vtxapp9p.underarmour.com/
• URL: https://vtxapp9q.underarmour.com/
• URL: https://vtxapp9d.underarmour.com/
• URL: https://vtxappd.underarmour.com/
• OTHER: 204.29.196.0/23
• OTHER: 3.223.149.182
• OTHER: 3.230.219.249
• OTHER: 34.237.130.2
• OTHER: 34.239.5.227
• OTHER: 52.220.158.49
• OTHER: 52.76.174.107
• OTHER: 52.67.69.35
• URL: 52.44.176.187
• OTHER: 52.86.17.52
• OTHER: 54.83.32.16
• OTHER: 13.58.121.166
• OTHER: 3.133.230.28
• OTHER: 3.19.172.158

Out of Scope Assets:

• OTHER: investor.underarmour.com (OOS)
• OTHER: careers.underarmour.com (OOS)
• URL: www.underarmour.<country> (OOS)
• URL: www.underarmour.com/en-us/affiliate-home (OOS)
• URL: www.uabiz.com (OOS)
• URL: productsafety.underarmour.com (OOS)
• URL: uabusiness.force.com (OOS)
• URL: www.underarmour.jobs (OOS)
• URL: blog.underarmour.com (OOS)
• URL: www.uateamcatalogs.com (OOS)
• URL: www.uaretail.com (OOS)
• URL: uaallaccess.com (OOS)
• URL: www.plankindustries.com (OOS)

In Scope Assets:

• URL: https://id.unity.com
• URL: https://api.unity.com
• URL: https://cloud.unity.com
• URL: https://store.unity.com
• URL: https://pay.unity.com
• OTHER: player-login.unity.com
• OTHER: https://unity3d.com/get-unity/download/archive

In Scope Assets:

• URL: https://www.upwork.com
• ANDROID: Upwork - Android Application
• IOS: Upwork - iOS Application
• HARDWARE: Upwork Dash Messenger Desktop Version (www.upwork.com/downloads)
• URL: www.upwork.com/api
• URL: Direct Contracts
• URL: api.upwork.com/graphql
• URL: Upwork - Marketplace Portal
• URL: Upwork - Messages
• IOS: Upwork - Mobile Application IOS
• ANDROID: Upwork - Mobile Application Android
• URL: Upwork - api.upwork.com/graphql

Out of Scope Assets:

• OTHER: Social media hijacking (OOS)
• OTHER: Any subdomain/domain/property not listed in the 'in scope' section, is out of scope. (OOS)
• OTHER: Any Third-party Services (OOS)
• OTHER: support.upwork.com (OOS)
• OTHER: community.stage.upwork.com (OOS)
• OTHER: community.upwork.com (OOS)
• OTHER: stage.upwork.com (OOS)
• OTHER: e.upwork.com (OOS)
• OTHER: status.upwork.com (OOS)
• OTHER: signature.upwork.com (OOS)
• OTHER: careers.upwork.com (OOS)
• URL: tip.upwork.com (OOS)
• OTHER: tip.upwork.com (OOS)
• OTHER: pardot.upwork.com (OOS)

In Scope Assets:

• URL: https://www.usaa.com
• URL: https://mobile.usaa.com
• URL: https://api.usaa.com/
• OTHER: https://partners.usaa.com
• ANDROID: https://play.google.com/store/apps/details?id=com.usaa.mobile.android.usaa&hl=en
• IOS: https://apps.apple.com/us/app/usaa-mobile/id312325565
• URL: https://aemdam.usaa360.com/
• URL: https://api-a.usaa.com
• URL: https://authn.usaa.com/
• URL: https://b2bapi-a.usaa.com
• URL: https://b2bapi.usaa.com
• URL: https://b2blsapi-a.usaa.com
• URL: https://b2blsapi.usaa.com
• URL: https://content.usaa.com
• URL: https://d1.utv.usaa.com
• URL: https://d2.utv.usaa.com
• URL: https://externalconnect.usaa.com/
• URL: https://guest.usaa.com/
• OTHER: https://l.usaa.com/
• OTHER: https://liveassist.usaa.com/
• OTHER: https://liveassist11.usaa.com/
• OTHER: https://liveassist12.usaa.com/
• OTHER: https://liveassist21.usaa.com/
• OTHER: https://liveassist22.usaa.com/
• URL: https://liveassist23.usaa.com
• URL: https://liveassist24.usaa.com
• URL: https://mapi-a.usaa.com
• URL: https://mapi.usaa.com/
• URL: https://mguest.usaa.com/
• OTHER: https://mobileapps.usaa.com/
• URL: https://mstatic.usaa.com
• URL: https://mydesktop.usaa.com
• URL: https://myvpn.usaa.com
• URL: https://nice.wfmusaa.com
• OTHER: https://nvoice.usaa.com/
• OTHER: https://s.usaa.com/
• URL: https://s1.utv.usaa.com
• URL: https://s2.utv.usaa.com
• URL: https://securemail.usaa.com
• URL: https://static.usaa.com
• URL: https://www.usaainsurance.com/
• URL: https://utv.usaa.com
• URL: https://v.utv.usaa.com
• URL: https://vendorss.usaa.com
• URL: https://vlagg.usaa.com
• URL: https://vlapi.usaa.com
• OTHER: https://webmail.usaa.com
• URL: https://ws.usaa.com
• URL: https://wsmbr.usaa.com/

In Scope Assets:

• OTHER: epptool-ctld.verisign-grs.com (EPP service; DNS related)
• OTHER: a.root-servers.net (DNS service; DNS related)
• OTHER: j.root-servers.net (DNS service; DNS related)
• OTHER: *.gtld-servers.net (DNS service; DNS related)
• URL: https://www.verisign.com
• URL: https://youcouldbe.com
• URL: https://blog.verisign.com
• URL: https://namestudioforsocial.com/
• URL: https://namestudio.com
• OTHER: https://www.verisign.com
• OTHER: *.verisign-grs.com (DNS service; DNS related)

In Scope Assets:

• IOS: https://apps.apple.com/us/app/viator-tours-activities/id434832826
• ANDROID: https://play.google.com/store/apps/details?id=com.viator.mobile.android&hl=en_US&gl=US
• URL: https://supplier.viator.com/
• URL: https://viatorapi.viator.com/service/directory
• URL: https://www.toursgds.com/
• URL: https://www.toursgds.com/ToursGdsService?wsdl
• URL: https://www.toursgds.com/SupplierService?wsdl
• URL: https://partners.viator.com
• URL: https://travelagents.viator.com
• URL: https://help.supplier.viator.com/en
• URL: https://kiwi.partner.viator.com
• URL: https://*.viatorinc.com
• URL: https://selector.viator.com
• URL: https://partnerhelp.viator.com/
• URL: https://*.viator.com

Out of Scope Assets:

• OTHER: *.rc.viator.com (OOS)
• URL: *.sandbox.viator.com (OOS)
• URL: *.partner.viator.com (OOS)
• URL: agentcenter.viator.com (OOS)
• URL: operatorresources.viator.com (OOS)
• URL: partnerresources.viator.com (OOS)
• OTHER: api.tapayments.com (OOS)

In Scope Assets:

• URL: *.volkswagen.de

Out of Scope Assets:

• URL: https://erwin.volkswagen.de (OOS)

In Scope Assets:

• IOS: Vox Cinemas iOS
• ANDROID: Vox Cinemas Android
• URL: https://uae.voxcinemas.com/
• URL: https://www.skidxb.com/
• URL: https://www.magicplanetmena.com/

Out of Scope Assets:

• URL: http://www.theplaymania.com/ (OOS)

In Scope Assets:

• URL: https://www.networksolutions.com
• URL: https://www.bluehost.com/
• URL: https://www.hostgator.com/

Out of Scope Assets:

• URL: *.web.com (OOS)
• URL: *.register.com (OOS)
• URL: *.networksolutions.com (OOS)
• URL: https://app.gator.com/ (OOS)
• URL: *.bluehost.com (OOS)
• URL: *.hostgator.com (OOS)
• URL: app.web.com (OOS)

In Scope Assets:

• URL: https://transferwise.com
• URL: *.transferwise.com
• URL: https://wise.com
• URL: *.wise.com
• IOS: https://apps.apple.com/us/app/wise-ex-transferwise/id612261027
• ANDROID: https://play.google.com/store/apps/details?id=com.transferwise.android&hl=en_US&gl=US
• OTHER: AWS infrastructure and services in use by Wise (eg: S3 buckets)
• OTHER: https://github.com/transferwise/*

Out of Scope Assets:

• URL: Wise Affiliate Program (OOS)
• URL: Third party services not hosted by Wise (OOS)
• OTHER: Any Github asset not under the “transferwise” organization (OOS)
• URL: Third party authentication services (eg: Facebook and Google) (OOS)
• URL: https://transferwise.com/help/contact (OOS)
• URL: https://wise.com/help/contact (OOS)
• URL: *.tw.com (OOS)
• URL: *.tw.ee (OOS)
• ANDROID: Non-current version of the Android app (OOS)
• IOS: Non-current version of the iOS app (OOS)
• URL: *.transferwise.tech (OOS)
• URL: brand.wise.com (OOS)
• URL: links.wise.com (OOS)
• URL: widgets.transferwise.com (OOS)
• URL: brand.transferwise.com (OOS)
• URL: bootstrap.transferwise.com (OOS)
• URL: links.transferwise.com (OOS)
• URL: status.wise.com (OOS)
• URL: status.transferwise.com (OOS)
• URL: tech.transferwise.com (OOS)

In Scope Assets:

• URL: REDACTED
• URL: REDACTED
• ANDROID: REDACTED
• IOS: REDACTED

In Scope Assets:

• URL: https://auth.wyze.com
• URL: https://my.wyze.com
• URL: https://api.wyzecam.com
• HARDWARE: Wyze Cam V3

In Scope Assets:

• URL: https://home.xfinity.com
• URL: Internet.xfinity.com
• URL: *-cvr-aws-*.sys.comcast.net
• URL: *signalservice.comcast.net
• URL: *.dh-commerce.com
• URL: *.ssr.ccp.xcal.tv
• URL: orc-xfi.com
• URL: *.xfiplatform.com
• IOS: https://apps.apple.com/us/app/xfinity/id1178765645
• IOS: Xfinity iOS mobile app
• ANDROID: https://play.google.com/store/apps/details?id=com.xfinity.digitalhome&hl=en_US&gl=US
• ANDROID: Xfinity Android mobile app
• URL: xhomeapi-*.codebig2.net
• URL: xhomeapi-*.cloud.comcast.net
• HARDWARE: Xfinity Home Hardware (items listed below in brief)
• IOT: Xfinity Home cameras
• URL: speedtest.xfinity.com
• URL: siorc.xfinity.com
• URL: smartinet.xfinity.com
• URL: gw.api.dh.comcast.com
• HARDWARE: xFi Gateways (e.g., XB3, XB6, XB7)
• HARDWARE: xFi Pods
• URL: https://csp-prod.codebig2.net
• URL: csp-pci.prod.codebig2.net
• URL: aiq-prod.codebig2.net
• URL: *.xfinityhome.com

Out of Scope Assets:

• IOT: 3rd Party Devices (known as Works with Xfinity) (OOS)
• URL: oauth.xfinity.com (OOS)
• URL: https://login.xfinity.com (OOS)
• URL: *.xerxessecure.com (OOS)
• URL: *.cimcontent.net (OOS)
• URL: *.identity.xfinity.com (OOS)
• URL: \*\business.comcast.com (OOS)
• URL: *.hfc.comcastbusiness.net (OOS)
• URL: *.hsd1.*.comcast.net (OOS)
• URL: *.pulseinsights.com (OOS)
• URL: *.wurfulcloud.com (OOS)
• URL: *.appcenter.ms (OOS)
• URL: *.kampyle.com (OOS)
• URL: *.demdex.net (OOS)
• URL: *.openx.net (OOS)
• URL: *.criteo.net (OOS)
• URL: *.webcontentassessor.com (OOS)
• URL: *.amazon-adsystem.com (OOS)
• URL: *.adobedtm.com (OOS)
• URL: *.adnxs.com (OOS)
• URL: *.fwmrm.net (OOS)
• CIDR: 10.0.0.0/8 (OOS)
• CIDR: 50.128.0.0/12 (OOS)
• CIDR: 50.152.0.0/13 (OOS)
• CIDR: 96.201.0.0/16 (OOS)
• CIDR: 96.202.128.0/17 (OOS)
• CIDR: 96.203.0.0/16 (OOS)
• CIDR: 172.26.128.0/18 (OOS)
• CIDR: 184.112.0.0/13 (OOS)
• CIDR: 184.122.0.0/15 (OOS)
• URL: admin.selectwifi.xfinity.com (OOS)

In Scope Assets:

• URL: staging-app.bany.dev
• URL: http://staging-api.ynab.com
• OTHER: www.ynab.com

Out of Scope Assets:

• URL: https://app.ynab.com/ (OOS)
• OTHER: Any previous version of the desktop apps: YNAB 4, YNAB 3, YNAB Pro, YNAB Basic (Spreadsheet) (OOS)
• URL: https://support.ynab.com (OOS)
• URL: https://develop-app.ynab.com (OOS)
• URL: https://learn.ynab.com/ (OOS)

In Scope Assets:

• URL: https://baby.zola.com/
• IOS: https://apps.apple.com/us/app/zola-baby-registry/id6446598574

Out of Scope Assets:

• URL: https://www.zola.com (OOS)
• URL: https://homestore.zola.com (OOS)
• IOS: Zola Wedding Planner iOS App (OOS)
• URL: https://vendor.zola.com (OOS)
• URL: https://baby.zola.com/order-status/lookup (OOS)

In Scope Assets:

• URL: http://--your-own-1password-account--.1password.com
• OTHER: <Your own 1Password account> —> Latest stable, beta, or nightly Command Line Interface (CLI)
• OTHER: <Your own 1Password account> —> Latest stable, beta, or nightly Browser Extension (Chrome, Brave, Firefox, Edge, and Safari)
• URL: https://events.1password.com/api/

Out of Scope Assets:

• WILDCARD: *.agilebits.com (OOS)
• URL: https://support.1password.com (OOS)
• URL: https://www.1password.com/ (OOS)
• OTHER: All other domains, subdomains, and 1Password Accounts that are not owned by you, including accounts where you are a user but not the owner, are out of scope. (OOS)

In Scope Assets:

• URL: https://bugbounty-ctf.1password.com/

Out of Scope Assets:

• WILDCARD: *.agilebits.com (OOS)
• URL: https://support.1password.com (OOS)
• URL: https://www.1password.com/ (OOS)
• OTHER: All other domains, subdomains, and 1Password Accounts that are not owned by you, including accounts where you are a user but not the owner, are out of scope. (OOS)

In Scope Assets:

• URL: api.23andme.com
• URL: auth.23andme.com
• URL: blog.23andme.com
• URL: education.23andme.com
• URL: mediacenter.23andme.com
• URL: medical.23andme.com
• URL: store.23andme.com
• URL: therapeutics.23andme.com
• URL: you.23andme.com
• URL: clinic.lemonaidhealth.com
• URL: sapi-live.lh.us-west-2.prd.23andme.us
• URL: pd-api.polkadoc.com
• URL: research.23andme.com
• URL: healthaid.lemonaidhealth.com
• URL: lemonaidhealth.com

In Scope Assets:

• OTHER: 3CX Phone System
• IOS: https://apps.apple.com/us/app/3cx/id992045982
• ANDROID: https://play.google.com/store/apps/details?id=com.tcx.sipphone14
• WINDOWS APP: https://apps.microsoft.com/detail/3cx/9NW77489NGJ0
• EXECUTABLE: 3CX SBC
• OTHER: 3CX Live chat WordPress plugin
• URL: https://portal.3cx.com

Out of Scope Assets:

• WILDCARD: *.3cx.com (OOS)

In Scope Assets:

• WILDCARD: *.8x8.vc
• WILDCARD: *.jit.si
• SOURCE_CODE: https://github.com/jitsi
• WILDCARD: *.jitsi.net
• URL: connect.8x8.com
• URL: platform.8x8pilot.com
• URL: uc.8x8pilot.com
• URL: sso.8x8pilot.com
• URL: work-staging.8x8.com
• URL: user-profile-staging.8x8.com
• WILDCARD: *.8x8staging.com
• URL: sso.8x8.com
• URL: platform.8x8.com
• WILDCARD: *.chalet.8x8.com
• URL: work.8x8.com
• URL: user-profile.8x8.com
• WILDCARD: vcc-*.8x8.com
• ANDROID: org.vom8x8.sipua
• URL: voapi.8x8.com
• URL: https://8x8.vc/xmpp-websocket
• WILDCARD: https://*.chalet.8x8.com/ws/v1
• URL: https://webrtc.8x8.com/
• EXECUTABLE: Virtual Office Desktop
• IOS: 8x8-work
• WILDCARD: *.packet8.net
• URL: cloud8.8x8.com
• WILDCARD: *.8x8cloud.net
• OTHER: Intellectual Property on Public Domains
• WILDCARD: *.p8t.us
• WILDCARD: *.wavecell.com
• URL: pay.8x8.com
• URL: admin.8x8.com
• URL: 8x8 Communication APIs
• URL: apps.8x8.com
• URL: video-agent.8x8.com
• URL: converse.8x8.com

Out of Scope Assets:

• ANDROID: com.spot8x8.spot (OOS)
• WILDCARD: http://*.callstats.io (OOS)
• ANDROID: org.jitsi.meet (OOS)
• URL: support.8x8.com (OOS)
• URL: www.8x8.com (OOS)
• URL: express.8x8.com (OOS)
• URL: accountmanager.8x8.com (OOS)
• URL: get8x8.com (OOS)
• URL: investors.8x8.com (OOS)
• WILDCARD: *.contactnow.8x8.com (OOS)
• WILDCARD: *.sameroom.io (OOS)
• IOS: com.atlassian.JitsiMeet.ios (OOS)
• IOS: 8x8-meeting-rooms (OOS)
• WILDCARD: *.jitsi.org (OOS)
• EXECUTABLE: Jitsi Meet Desktop (OOS)
• URL: feedback.wavecell.com (OOS)
• URL: vm.8x8.com (OOS)
• URL: 8x8.wavecell.com (OOS)
• URL: www.wavecell.com (OOS)
• URL: support-portal.8x8.com (OOS)
• URL: supersite.8x8.com (OOS)
• URL: mobileidentity.8x8.com (OOS)
• WILDCARD: *.bell.ca (OOS)

In Scope Assets:

• URL: beta-cloud.acronis.com
• WILDCARD: *-api-*.acronis.com
• OTHER: Other Acronis Domains
• EXECUTABLE: Acronis Agent
• IOS: 1118448159
• IOS: 978342143
• ANDROID: com.acronis.acronistrueimage
• ANDROID: com.acronis.abc
• EXECUTABLE: Acronis Cyber Protect
• WILDCARD: *.acronis.com
• URL: account.acronis.com
• IOS: 429704844
• IOS: 1192506963
• OTHER: Acronis Cyber Infrastructure
• WILDCARD: *.5nine.com
• WILDCARD: *.devicelock.com
• EXECUTABLE: Acronis DeviceLock DLP
• EXECUTABLE: Acronis Snap Deploy
• WILDCARD: *.acronis.work
• EXECUTABLE: Acronis Cyber Files
• EXECUTABLE: Other Acronis executables
• EXECUTABLE: Acronis Cloud Manager
• EXECUTABLE: Acronis True Image (formerly Acronis Cyber Protect Home Office)

Out of Scope Assets:

• URL: learn.acronis.com (OOS)

In Scope Assets:

• URL: account.adobe.com
• URL: auth.services.adobe.com
• URL: fonts.adobe.com
• ANDROID: com.adobe.reader
• IOS: com.iphone.workfront
• URL: marketplace.magento.com
• URL: repo.magento.com
• URL: magento.com
• URL: account.magento.com
• OTHER: Adobe Commerce, Commerce B2B and Commerce Open Source
• ANDROID: com.adobe.lrmobile
• ANDROID: com.adobe.scan.android
• IOS: com.adobe.lrmobile
• EXECUTABLE: ColdFusion
• URL: stock.adobe.com
• URL: contributor.stock.adobe.com
• IOS: com.adobe.PSMobile
• URL: firefly.adobe.com
• OTHER: C2PA Tool
• URL: https://contentcredentials.org/
• SOURCE_CODE: https://github.com/contentauth/c2pa-js
• SOURCE_CODE: https://github.com/contentauth/c2pa-rs
• URL: photoshop.adobe.com
• IOS: com.adobe.Adobe-Reader
• IOS: com.adobe.scan.ios
• URL: http://ims-na1.adobelogin.com
• URL: adobeid-na1.services.adobe.com
• URL: http://federatedid-na1.services.adobe.com
• OTHER: *.lightroom.adobe.com
• URL: new.express.adobe.com
• URL: net.s2stagehance.com
• URL: learningmanagerstage4.adobe.com
• URL: photos.adobe.io
• WILDCARD: *.acrobat.adobe.com
• IOS: adobe.fresco.ios
• ANDROID: com.adobe.workfront
• URL: portfolio.ccpsx.com

Out of Scope Assets:

• OTHER: Magento 1 Enterprise (Commerce) and Community (Open Source) Editions (OOS)

In Scope Assets:

• ANDROID: com.affirm.central.audit
• OTHER: com.affirm.internal.hackerone
• URL: sandbox.affirm.com

Out of Scope Assets:

• WILDCARD: *.affirm.com (OOS)

In Scope Assets:

• URL: www.airbnb.com
• URL: next.airbnb.com
• URL: api.airbnb.com
• URL: support-api.airbnb.com
• URL: assets.airbnb.com
• URL: m.airbnb.com
• URL: one.airbnb.com
• URL: open.airbnb.com
• URL: callbacks.airbnb.com
• URL: *.airbnb.com
• OTHER: Localized airbnb sites listed at the link below:
• URL: *.airbnbcitizen.com
• IOS: com.airbnb.app
• ANDROID: com.airbnb.android
• URL: *.atairbnb.com
• URL: *.withairbnb.com
• URL: *.byairbnb.com
• URL: *.muscache.com
• URL: *.airbnb-aws.com
• URL: *.luxuryretreats.com
• IOS: com.luxuryretreats.ios
• URL: *.hoteltonight-test.com
• URL: www.hoteltonight.com
• WILDCARD: *.hoteltonight.com
• WILDCARD: *.airbnb.org
• WILDCARD: *.musta.ch
• WILDCARD: *.airbnbpayments.com

Out of Scope Assets:

• URL: luckeyhomes.com (OOS)
• URL: luckey.fr (OOS)
• URL: luckey.app (OOS)
• URL: luckey.in (OOS)
• URL: demo.urbandoor.com (OOS)
• URL: provider.demo.urbandoor.com (OOS)
• URL: admin.demo.urbandoor.com (OOS)
• URL: luckey.partners (OOS)

In Scope Assets:

• URL: staging.airtable.com
• WILDCARD: *.staging-airtableblocks.com
• WILDCARD: *.staging.airtable.com
• URL: api-staging.airtable.com
• SOURCE_CODE: airtable.js SDK (https://www.npmjs.com/package/airtable)

Out of Scope Assets:

• IOS: com.FormaGrid.Hyperbase (OOS)
• ANDROID: com.formagrid.airtable (OOS)
• OTHER: Airtable macOS app (OOS)
• OTHER: Airtable Windows app (OOS)
• URL: blog.airtable.com (OOS)
• URL: support.airtable.com (OOS)
• URL: guide.airtable.com (OOS)
• URL: airtable.com (OOS)
• URL: dl.airtable.com (OOS)
• URL: dl.getforma.com (OOS)
• URL: community.airtable.com (OOS)

In Scope Assets:

• SOURCE_CODE: https://github.com/ProvableHQ/snarkOS
• SOURCE_CODE: https://github.com/ProvableHQ/snarkVM

In Scope Assets:

• URL: www.algolia.com
• WILDCARD: *.algolia.net
• WILDCARD: *.algolianet.com
• URL: dashboard.algolia.com

In Scope Assets:

• URL: sandbox.securegateway.com
• URL: sandbox-royal.securegateway.com

In Scope Assets:

• URL: www.amazon.*
• ANDROID: com.amazon.mShop.android.shopping
• IOS: 297606951
• OTHER: https://www.amazonpay.in/*
• URL: amazonpayinsurance.in
• WILDCARD: *.amazon.cl
• WILDCARD: *.amazon.co.za
• WILDCARD: *.amazon.com.au
• WILDCARD: *.amazon.com.br
• WILDCARD: *.amazon.com.co
• WILDCARD: *.amazon.com.mx
• WILDCARD: *.amazon.com.ng
• WILDCARD: *.amazon.com.tr
• WILDCARD: *.amazon.pl
• WILDCARD: *.amazon.com.be
• WILDCARD: *.amazon.ae
• WILDCARD: *.amazon.ca
• WILDCARD: *.amazon.cn
• WILDCARD: *.amazon.co.jp
• WILDCARD: *.amazon.co.uk
• WILDCARD: *.amazon.de
• WILDCARD: *.amazon.eg
• WILDCARD: *.amazon.es
• WILDCARD: *.amazon.fr
• WILDCARD: *.amazon.in
• WILDCARD: *.amazon.it
• WILDCARD: *.amazon.nl
• WILDCARD: *.amazon.sa
• WILDCARD: *.amazon.se
• WILDCARD: *.amazon.sg
• WILDCARD: *.amazon.com
• AI_MODEL: GenAI Apps under *.amazon.*
• WILDCARD: primevideo.com/*
• ANDROID: amazon.speech.sim
• IOS: 1552455423
• ANDROID: com.amazon.mShop.android.business.shopping
• IOS: 1498197033
• IOS: 1265170914
• ANDROID: com.amazon.mp3
• IOS: 510855668
• IOS: 6452192521
• IOS: 545519333
• IOS: 1475021574
• IOS: 1454725763
• IOS: 1276296103
• ANDROID: com.amazon.flex.rabbit
• ANDROID: com.imdbtv.livingroom
• ANDROID: com.amazon.amazonvideo.livingroom
• ANDROID: com.amazon.mp3.automotiveOS
• ANDROID: com.localqueen
• ANDROID: com.amazon.helix.prod
• IOS: 6471528064
• ANDROID: com.amazon.tahoe.grownups
• ANDROID: com.amazon.sft.rangoli.seller.app
• IOS: 1532153219
• ANDROID: com.amazon.imdb.tv.mobile.app
• ANDROID: com.amazon.minitv.android.app
• ANDROID: com.amazon.ziggy.android
• ANDROID: com.amazon.music.tv
• IOS: 1579372261
• ANDROID: in.amazon.mShop.android.business.shopping
• IOS: 1478350915
• ANDROID: in.amazon.mShop.android.shopping
• ANDROID: com.amazon.relay
• ANDROID: com.amazon.avod.thirdpartyclient
• IOS: 794141485
• ANDROID: com.amazon.sellerflexmobile
• ANDROID: com.amazon.shopperpanel.android.mobile.app
• IOS: 1494755014
• IOS: 342576766
• IOS: 358861688
• IOS: 348712880
• IOS: 374254473
• IOS: 335187483
• IOS: 1592204907
• IOS: 6444868926
• ANDROID: com.amazon.vendormobile.android
• IOS: 988788863
• ANDROID: com.amazon.technician.android
• ANDROID: com.amazon.primenow.seller.android
• IOS: 1057338687
• ANDROID: com.amazon.vendormobile.india.android
• IOS: 1659883691
• ANDROID: com.amazon.sellermobile.android
• ANDROID: com.amazon.astro
• ANDROID: com.amazon.warhol.android
• ANDROID: com.amazon.amazonone.androidapp
• ANDROID: com.amazon.kisan.app
• IOS: 1151746202
• IOS: 6479334468
• IOS: 6560104638
• ANDROID: com.amazon.aba.application
• ANDROID: com.amazon.enterprise.access.android
• ANDROID: com.amazon.firetv.recast.blaster.aosp
• ANDROID: com.amazon.ihm.candycane
• ANDROID: com.amazon.swa.mobileapp

Out of Scope Assets:

• OTHER: Amazon Web Services (AWS) (OOS)
• URL: amazongames.com (OOS)
• OTHER: "Contact Us" Functionality (OOS)
• OTHER: AWS and AWS customer assets are strictly out of scope (OOS)
• OTHER: *.*a2z*.* (OOS)
• OTHER: *.dev (OOS)
• OTHER: *.aws.* (OOS)
• OTHER: Anything considered a non-prod asset (OOS)
• OTHER: Anything which redirects to AWS (OOS)
• OTHER: learning.logistics.amazon.com (OOS)

In Scope Assets:

• URL: read.amazon.com
• URL: alexaanswers.amazon.com
• URL: blueprints.amazon.com
• URL: creator.amazon.com
• URL: amazon.com/hz/mycd/*
• URL: a4k.amazon.com
• URL: developer.amazon.com/apps-and-games/*
• URL: developer.amazon.com/alexa/*
• URL: alexa.amazon.com
• URL: skills-store.amazon.com
• HARDWARE: Tablets
• HARDWARE: Echo Family Devices
• HARDWARE: FireTV
• HARDWARE: Kindle E-Reader
• ANDROID: com.amazon.kindle
• ANDROID: com.amazon.storm.lightning.client.aosp
• ANDROID: com.amazon.tahoe.freetime
• IOS: 944011620
• IOS: 302584613
• IOS: 947984433
• IOS: 1324809509
• ANDROID: com.amazon.dee.app
• HARDWARE: Luna
• ANDROID: com.amazon.clouddrive.photos
• IOS: 621574163
• ANDROID: com.amazon.tails
• IOS: 1528364633
• URL: www.amazon.com/photos/*
• URL: api.amazonalexa.com/*
• URL: https://www.amazon.com/luna/*
• URL: https://luna.amazon.com/*
• ANDROID: com.amazon.dee.alexaonwearos

Out of Scope Assets:

• OTHER: Devices (OOS)
• OTHER: Services and Apps (OOS)
• OTHER: "Contact Us" Functionality (OOS)

In Scope Assets:

• URL: client-api.arkoselabs.com
• URL: cdn.arkoselabs.com
• URL: customer-sessions.arkoselabs.com
• URL: portal.arkoselabs.com
• URL: verify.arkoselabs.com
• URL: iframe.arkoselabs.com
• URL: www.arkoselabs.com
• URL: demo.arkoselabs.com

Out of Scope Assets:

• URL: https://status.arkoselabs.com/ (OOS)
• URL: developer.arkoselabs.com (OOS)

In Scope Assets:

• OTHER: Other Assets

Out of Scope Assets:

• URL: prod-taxexempt.att.com (OOS)
• URL: projectone.att.com (OOS)
• URL: c2m-projectone.att.com (OOS)
• URL: wf-projectone.att.com (OOS)
• URL: *.sky.com.mx (OOS)
• URL: accbusinesspricing.att.com (OOS)
• URL: rcloud.social (OOS)
• URL: attdashboard.wireless.att.com (OOS)
• URL: https://clec.att.com/clec/ (OOS)
• OTHER: 12.0.1.28 (OOS)
• URL: attsuppliers.com (OOS)
• URL: attpurchasing.com (OOS)
• URL: authkeysmx01.att.com.mx (OOS)
• IP_ADDRESS: 40.233.66.139 (OOS)
• URL: https://40.233.66.139 (OOS)
• URL: thedirectvmarketingzone.com (OOS)
• URL: att.suppliergateway.com (OOS)
• OTHER: DirecTV Owned Assets (OOS)
• WILDCARD: att.com/acctmgmt/*/stub*/* (OOS)
• WILDCARD: att.com/acctmgmt/*/chunks/* (OOS)

In Scope Assets:

• OTHER: *.audible.(TLD)
• ANDROID: com.audible.application
• IOS: 379693831
• URL: tax.audible.com

Out of Scope Assets:

• URL: newsletters.audible.com (OOS)
• URL: www.audiblecareers.com (OOS)
• URL: https://www.audible.com/ep/podcast-development-program (OOS)
• URL: https://www.audiblehub.com/submit (OOS)
• OTHER: All help centers across marketplaces (OOS)
• OTHER: All Audible blogs across marketplaces (OOS)
• OTHER: Affiliate Programs (OOS)
• WILDCARD: *.acx.com (OOS)
• URL: demdex.net (OOS)
• URL: omtrdc.net (OOS)
• URL: adobedtm.com (OOS)

In Scope Assets:

• URL: api.tumblr.com
• URL: safe.tumblr.com
• URL: secure.tumblr.com
• URL: assets.tumblr.com
• URL: embed.tumblr.com
• WILDCARD: *.tumblr.com
• URL: www.tumblr.com
• URL: t.umblr.com
• WILDCARD: *.srvcs.tumblr.com
• ANDROID: com.tumblr
• IOS: com.tumblr.tumblr
• URL: wordpress.com
• URL: intensedebate.com
• URL: simplenote.com
• URL: simperium.com
• SOURCE_CODE: Jetpack
• OTHER: WooCommerce
• OTHER: Crowdsignal
• OTHER: WordPress Plugins & Themes
• URL: akismet.com
• URL: mailpoet.com
• URL: my.pressable.com
• URL: gravatar.com
• OTHER: Texts
• OTHER: Beeper
• OTHER: WordPress VIP
• IOS: com.clay.ios
• URL: clay.earth

Out of Scope Assets:

• WILDCARD: scrollkit.com,*.scrollkit.com (OOS)
• WILDCARD: learnboost.com,*.learnboost.com (OOS)
• OTHER: */xmlrpc.php (OOS)
• WILDCARD: *.txmblr.com (OOS)
• WILDCARD: afterthedeadline.com,*.afterthedeadline.com (OOS)
• WILDCARD: polishmywriting.com,*.polishmywriting.com (OOS)
• WILDCARD: *.survey.fm (OOS)
• WILDCARD: *.poll.fm (OOS)
• URL: atavist.com (OOS)
• URL: happy.tools (OOS)
• URL: try.pressable.com (OOS)
• WILDCARD: *.crowdsignal.net (OOS)

In Scope Assets:

• URL: 3.basecamp.com
• URL: launchpad.37signals.com
• EXECUTABLE: basecamp3.exe
• EXECUTABLE: Basecamp.app
• IOS: com.basecamp.bc3-ios
• ANDROID: com.basecamp.bc3
• WILDCARD: *.hey.com
• IOS: com.hey.app.ios
• ANDROID: com.basecamp.hey
• EXECUTABLE: HEY.app
• WINDOWS APP: HEY.exe
• EXECUTABLE: hey-mail
• URL: world.hey.com

Out of Scope Assets:

• WILDCARD: *.basecamphq.com (OOS)
• URL: basecamp.com (OOS)
• WILDCARD: *.highrisehq.com (OOS)