Scope Updates
Recent changes to bug bounty program scopes.
| Change | Asset | Category | Scope | Program | Platform | Time |
|---|---|---|---|---|---|---|
| Added | all domains not listed in scopes, noteworthy: | OTHER | Out of Scope | | YesWeHack | 2026-02-21 00:33 |
| Added | alasco will not provide access credentials to any system, not for testing and also not for issue validation | OTHER | Out of Scope | | YesWeHack | 2026-02-21 00:33 |
| Added | however, any vulnerability discovered in a system or service that requires a login to access is outside the scope of this program | OTHER | Out of Scope | | YesWeHack | 2026-02-21 00:33 |
| Added | please note that all non-authenticated areas of our systems are in scope for this program. this means that any vulnerability discovered in a system or service that does not require a login to access is eligible for a reward | OTHER | Out of Scope | | YesWeHack | 2026-02-21 00:33 |
| Added | alasco.de | OTHER | Out of Scope | | YesWeHack | 2026-02-21 00:33 |
| Added | www.alasco.de | OTHER | Out of Scope | | YesWeHack | 2026-02-21 00:33 |
| Added | explore.alasco.de | OTHER | Out of Scope | | YesWeHack | 2026-02-21 00:33 |
| Added | explore.alasco.com | OTHER | Out of Scope | | YesWeHack | 2026-02-21 00:33 |
| Added | all other domains or subdomains not listed in the above list of 'scopes' | OTHER | Out of Scope | | YesWeHack | 2026-02-21 00:33 |
| Added | everything that is not directly related to the application or source-code in scope (e.g. github, domain settings) | OTHER | Out of Scope | | YesWeHack | 2026-02-21 00:33 |
| Added | "scopes" in this program refer to the binary packages and source-code provided there, the systems providing those artefacts are out of scope | OTHER | Out of Scope | | YesWeHack | 2026-02-21 00:33 |
| Added | all content which is not listed as "scopes", especially any production system operated by customers | OTHER | Out of Scope | | YesWeHack | 2026-02-21 00:33 |
| Added | security concerns originating from https://moneyboxapp.onelogin.com/ are typically considered out of scope. these pages and their content are served by onelogin, and any issues should be reported to them directly. however, if an exploit explicitly enables bypassing onelogin to access moneybox systems or leaking moneybox sensitive data, it is crucial to raise the concerns to both onelogin and moneybox | OTHER | Out of Scope | | YesWeHack | 2026-02-21 00:33 |
| Added | content served by the cloudflare access service (https://moneyboxapp.cloudflareaccess.com/*) is out of scope. these pages intentionally do not set a cors allow-origin policy. we have seen this reported several times as a vulnerability, but it is intended behaviour and is considered out of scope | OTHER | Out of Scope | | YesWeHack | 2026-02-21 00:33 |
| Added | the moneybox public website https://www.moneyboxapp.com/ and other moneyboxapp.com / moneyboxapp.org domains not listed are out of scope | OTHER | Out of Scope | | YesWeHack | 2026-02-21 00:33 |
| Added | the sncf connect mobile applications (android and apple) are out of scope even if the web services they use are in scope (accessible through paths beginning by 'https://www.sncf-connect.com/bff') | OTHER | Out of Scope | | YesWeHack | 2026-02-21 00:33 |
| Added | - https://www.malocationavis.sncf-connect.com | OTHER | Out of Scope | | YesWeHack | 2026-02-21 00:33 |
| Added | - https://www.maxjeune-tgvinoui.sncf | OTHER | Out of Scope | | YesWeHack | 2026-02-21 00:33 |
| Added | - https://www.sncf-voyageurs.com | OTHER | Out of Scope | | YesWeHack | 2026-02-21 00:33 |
| Added | - https://tgvinoui.sncf | OTHER | Out of Scope | | YesWeHack | 2026-02-21 00:33 |
| Added | - https://www.sncf.com | OTHER | Out of Scope | | YesWeHack | 2026-02-21 00:33 |
| Added | anything that is not listed as part of the scope, example : | OTHER | Out of Scope | | YesWeHack | 2026-02-21 00:33 |
| Added | please note sncf-connect.com doesn't own the sncf.com domains | OTHER | Out of Scope | | YesWeHack | 2026-02-21 00:33 |
| Added | please note that tchap is hosted by a third party and thus vulnerabilities related to the host are out of the scope | OTHER | Out of Scope | | YesWeHack | 2026-02-21 00:33 |
| Added | everything that not listed as in scope is to be considered as out of scope of this program | OTHER | Out of Scope | | YesWeHack | 2026-02-21 00:33 |