Scope Updates
Recent changes to bug bounty program scopes.
| Change | Asset | Category | Scope | Program | Platform | Time |
|---|---|---|---|---|---|---|
| Added | all domains or subdomains not listed in the above list of 'scopes' | OTHER | Out of Scope | YesWeHack | 2026-02-21 00:33 | |
| Added | anything that is not explicitely listed in scope section | OTHER | Out of Scope | YesWeHack | 2026-02-21 00:33 | |
| Added | https://www.cybermalveillance.gouv.fr | OTHER | Out of Scope | YesWeHack | 2026-02-21 00:33 | |
| Added | please note that some of the applications may contain links or redirect you away from the uris described in the scope section. this means you are leaving the scope if you follow these links / redirects | OTHER | Out of Scope | YesWeHack | 2026-02-21 00:33 | |
| Added | any services related to incamail (for example https://incamail-dev.post.ch (194.41.248.224) and https://incamail-test.post.ch (194.41.248.58)) | OTHER | Out of Scope | YesWeHack | 2026-02-21 00:33 | |
| Added | the alternative login (https://login.swissid.ch) is out of scope. it also leads to the in-scope service, (https://account.post.ch) but we have designated it as out of scope | OTHER | Out of Scope | YesWeHack | 2026-02-21 00:33 | |
| Added | attacks on administrative and surrounding systems that are not used for the in-scope services are not permitted (this includes dns, ntp, routers, systems of the isp, etc.) | OTHER | Out of Scope | YesWeHack | 2026-02-21 00:33 | |
| Added | anything that has not been described as in scope in the previous section is automatically out of scope | OTHER | Out of Scope | YesWeHack | 2026-02-21 00:33 | |
| Added | third parties such as security researchers already involved in active security audits, or already opened reports | OTHER | Out of Scope | YesWeHack | 2026-02-21 00:33 | |
| Added | any local implementation of the project/implementation belonging to third parties | OTHER | Out of Scope | YesWeHack | 2026-02-21 00:33 | |
| Added | libraries and protocols with known limitations and gems already in update maintenance (e.g., omniauth < 2 csrf protections, carrierwave) | OTHER | Out of Scope | YesWeHack | 2026-02-21 00:33 | |
| Added | any depreciated versions and other versions than the current stable/official version are considered out of scope except if specified otherwise in the program’s rules | OTHER | Out of Scope | YesWeHack | 2026-02-21 00:33 | |
| Added | development configurations, plugins or images, such as the development or all-in-one docker containers, or running application in non-production modes and configurations | OTHER | Out of Scope | YesWeHack | 2026-02-21 00:33 | |
| Added | any third parties’ or community’s assets that are not explicitly included (e.g. forks, libraries or packages) | OTHER | Out of Scope | YesWeHack | 2026-02-21 00:33 | |
| Added | any asset that is not explicitly included in our program's scope | OTHER | Out of Scope | YesWeHack | 2026-02-21 00:33 | |
| Added | vulnerabilities in the dns protocol that are not specific to the bind 9 implementation (while we are interested in these, they are out of scope of this bug bounty program) | OTHER | Out of Scope | YesWeHack | 2026-02-21 00:33 | |
| Added | any local implementation of the project/implementation belonging to third parties | OTHER | Out of Scope | YesWeHack | 2026-02-21 00:33 | |
| Added | any depreciated versions and other versions than the current stable/official version are considered out of scope | OTHER | Out of Scope | YesWeHack | 2026-02-21 00:33 | |
| Added | any third parties’ or community’s assets (e.g. packages or versions not created and published by isc) | OTHER | Out of Scope | YesWeHack | 2026-02-21 00:33 | |
| Added | any asset that is not explicitly included in our program's scope | OTHER | Out of Scope | YesWeHack | 2026-02-21 00:33 | |
| Added | lists.isc.org | OTHER | Out of Scope | YesWeHack | 2026-02-21 00:33 | |
| Added | gitlab.isc.org | OTHER | Out of Scope | YesWeHack | 2026-02-21 00:33 | |
| Added | *.retarus.com | OTHER | Out of Scope | YesWeHack | 2026-02-21 00:33 | |
| Added | *.gdata.com | OTHER | Out of Scope | YesWeHack | 2026-02-21 00:33 | |
| Added | *.usersnap.com | OTHER | Out of Scope | YesWeHack | 2026-02-21 00:33 |